Wednesday, May 21, 2008

Malware does not need admin rights??

Many security forums, advisories and even security products claim that restricting privileged access rights will stop all malware from infecting a system.

But nowadays it turns out that much malware can still cause problems without ever needing admin or root access. This malware does not need to modify your system files to mess up your system.

Normally malware is designed (like any other application) to expect the user to be running with privileged access. Windows malware likes to modify the OS or write itself into the System32 folder. Commonly, it will also try to modify registry keys such as Run or RunOnce under "Hkey_Local_Machine\software\Microsoft\Windows\CurrentVersion". Unix-based malware, for its part, modifies or creates files in default system paths such as /etc/bin, or startup scripts in the rc folder.

But malware these days does not really need to locate the System32 folder or any path that requires root access. Testing several malware samples that run on Windows or Linux showed that many of the files they create and modify do not require admin or root access at all. Some Windows malware simply modifies the user's own registry profile key to launch at startup, since users always have Full Control over their own profile's auto-run registry keys. There is also malware that does not need to modify even a single file: it just runs in memory and is still able to steal sensitive information or intercept your identity.
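The per-user persistence just described can be checked for without admin rights. The following PowerShell script is an added example, not code from the original post; it lists the Run/RunOnce entries under both HKCU and HKLM and flags any whose executable sits in a user-writable location (the profile, AppData or Temp, an assumed list), which is where malware running without admin rights would have to place itself.

```powershell
# Added example (not from the original post): list auto-run entries from the
# per-user (HKCU) and machine-wide (HKLM) Run/RunOnce keys and flag commands
# whose executable lives in a user-writable location (profile, AppData, Temp).

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations a standard user can write to without elevation (assumed list).
$userWritableRoots = @($env:USERPROFILE, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Get-CommandPath {
    param([string]$Command)
    # Take a leading quoted path if present, otherwise the first whitespace token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-UserWritable {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $userWritableRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Walk each key and emit one record per auto-run value.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $exe = Get-CommandPath $command
        $flag = if (Test-UserWritable $exe) { 'USER-WRITABLE' } else { '' }
        [PSCustomObject]@{
            Hive    = $key.Split(':')[0]
            Name    = $name
            Command = $command
            Flag    = $flag
        }
    }
}
```

Reading HKLM keys works from a standard account, so the whole check runs without elevation; entries flagged USER-WRITABLE in the HKCU hive are the ones to review first.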

Even though running with less privilege cannot stop malware from "infecting" your system, it definitely limits the possibilities for new malware. In Windows Vista, Microsoft introduced UAC (User Account Control) to encourage users to adopt the least-privilege concept. Unix-based systems adopted the concept long ago through the SU (Switch User) function. Adopting the least-privilege concept is still a security best practice and recommendation.

Related Links:
- User Account Control Overview (Microsoft Technet)

- Linux Wiki > SU (LinuxQuestions.org)
