Trojan horses could bypass Vista's UAC

— 10:18 AM on May 17, 2007

A web application developer named Robert Paveza has found a rather interesting and potentially worrying "two-step process" that could allow malware to bypass Windows Vista's User Account Control, as eWeek reports. The process is explained in detail in this PDF white paper, and it works as follows:

This vulnerability uses a two-step attack vector against a default installation of Windows Vista. Initially, a malicious software program can be downloaded and run without elevation, and this downloaded software program, called the proxy infection tool, can behave as expected while it sets up the secondlevel malicious payload. For instance, if users believe they are downloading a “Pac-Man” clone, such a game could be run while the malicious software did its work in the background).
Once the seemingly harmless software is up and running, it duplicates and replaces shortcuts to unsigned programs in the user's personal Start menu folder (as opposed to the universal Start menu folder, which cannot be modified without UAC elevation.) Then, the next time the user attempts to run a program whose shortcut has been modified, he is confronted with a seemingly normal UAC elevation window, and the duplicated shortcut runs both the intended program and a piece of malware of the virus writer's choice.

eWeek asked Microsoft for a response, and the company didn't seem too worried, pointing out that the aforementioned exploit does require a user to download a malicious executable in order to be infected with the initial Trojan horse—either through social engineering or some other means.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.