Aug 6, 2011 06:30 GMT

Microsoft Security Essentials, the Redmond company’s free security solution for Windows 7, Windows Vista and Windows XP, has evolved with behavior monitoring capabilities designed to let it identify malicious code that attempts to switch off User Account Control. And this is the case not only for Microsoft Security Essentials 2.1 (MSE 2.1) but also for additional AV offerings from the software giant, including Windows Intune and Forefront Endpoint Protection.

The evolution of Microsoft’s security solutions is a natural response to malware advances, especially malicious code that disables UAC.

“The Microsoft Malware Protection Center has found more and more malware opening a new front and turning UAC off itself,” revealed Microsoft’s Joe Faulhaber.

“Malware does this to prevent users from seeing UAC prompts on every reboot for their payloads. The Sality virus family, Alureon rootkits, Rogue antivirus like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants turning UAC off.”

User Account Control was first introduced with Windows Vista and was taken to the next level in Windows 7.

While not an impassable security barrier, UAC does provide an extra layer of defense against malicious code, and, more importantly, it forces both users (including administrators) and software to run with reduced privileges.

Standard user privileges, as opposed to full admin rights, make copies of Vista and Windows 7 less prone to malware infections.

Faulhaber notes that malware authors really hate UAC, and while some Windows users have also failed to take the security mitigation to heart, his advice is to not turn the feature off, under any circumstances. Doing so would just make the life of malware authors that much easier.

Initially, new malicious code adapted to Vista and Windows 7 used a tactic dubbed UAC avoidance. Just like legitimate software vendors, malware authors tailored their code to run under UAC with limited privileges. But it appears that, more and more, they are opting to kill off the feature altogether, since it is hard for their malware to gain elevated privileges.

“The key factor here is that for malware to successfully turn UAC off, the malware must itself be elevated to run as administrator. This elevation either requires an exploit in a service with administrator access, UAC to already be turned off, or a user clicking "OK" on a UAC prompt to allow the malware to elevate,” Faulhaber explained.

“Unfortunately, many Windows users have disabled UAC. While malware was mostly avoiding UAC altogether, legitimate software was also being rewritten to not require elevation prompts, so there are fewer UAC prompts than ever to wrangle, which should make it easier to spot any suspicious activity.”

According to Faulhaber, approximately 23% of malware detections per day are associated with scenarios in which UAC was also disabled, either by the malicious code, which needs to exploit a vulnerability to gain admin privileges, or by the users themselves, tricked through social engineering techniques.
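The article describes the state malware is aiming for: UAC switched off on a machine where it already obtained elevation. An administrator can audit for that state directly, as in the added example below (not code from the article or from Microsoft); it reads the standard UAC policy values under the Policies\System key and assumes the Windows 7 defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1) when a value is absent.

```powershell
# Added example: audit the local UAC configuration and report whether it has been
# weakened in the ways the article describes (UAC off, or elevation without a prompt).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue($props, [string]$name, [int]$default) {
    # A missing value means Windows uses its built-in default (assumed Win7 defaults here).
    if ($null -ne $props.$name) { return [int]$props.$name }
    return $default
}

function Get-UacStatus {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop

    # EnableLUA = 0 is the "UAC turned off" state the quoted malware families set.
    $enableLua     = Get-PolicyValue $p 'EnableLUA' 1
    # ConsentPromptBehaviorAdmin = 0 lets administrators elevate silently, which gives
    # malware the same benefit without EnableLUA changing.
    $adminPrompt   = Get-PolicyValue $p 'ConsentPromptBehaviorAdmin' 5
    # PromptOnSecureDesktop = 0 shows the prompt on the normal desktop instead of the
    # isolated secure desktop.
    $secureDesktop = Get-PolicyValue $p 'PromptOnSecureDesktop' 1

    $findings = @()
    if ($enableLua -eq 0)     { $findings += 'UAC disabled (EnableLUA=0)' }
    if ($adminPrompt -eq 0)   { $findings += 'Admins elevate without a prompt (ConsentPromptBehaviorAdmin=0)' }
    if ($secureDesktop -eq 0) { $findings += 'Prompt not on secure desktop (PromptOnSecureDesktop=0)' }

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        Weakened                   = ($findings.Count -gt 0)
        Findings                   = $findings
    }
}

Get-UacStatus | Format-List
```

Run it with an elevated shell on the systems you manage; a `Weakened` value of `True` on a machine where no administrator changed the policy is worth treating as a possible infection indicator, in line with the 23% figure cited above.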

Microsoft Security Essentials (MSE) 2.1.1116.0 is available for download.