
Saved by Windows 7 UAC and Microsoft Security Essentials

Pete Brown - 29 April 2010

Today, I visited one of those ad-laden but otherwise legitimate sites with lots of top 10 lists. In this case, it was a list of photos which looked too cool to be real. I got there from a link chain starting at a Lego article on Epic Win which had a link to the original photo which then had a link to similar stuff etc. It was a long chain of sites I normally wouldn't visit, but which were legit and interesting, if not ad-laden. No, no porn :)

Anyway, as I clicked on a link for another story, bam! Security Essentials popped up in the corner and at the same time, I got 5 UAC "do you want to allow this program to make changes to your computer" warning dialogs (one after the other). I answered "no" to all of them, of course.

I haven't had a computer virus or trojan on my own machines since around 1992 at work when I got a DOS boot sector virus off a 5 1/4 floppy that was stored in a decade-old Compaq (or Kaypro?) luggable we pulled out of storage to allow another data entry person to do some work. Yeah, that was a pretty vintage virus, even then.

To repeat: I have not had a virus or trojan on any of my PCs at home or work since 1992, and I've never had a virus or trojan on a machine personally owned by me. Ever.

Here's the info from Microsoft Security Essentials:

[screenshot: Microsoft Security Essentials detection details]

I run as an admin on my Windows 7 machine, so UAC was definitely a saving feature. As I understand it, that first trojan went and downloaded all the other downloaders, and then attempted (but failed due to UAC) to modify DNS on my machine. The trojan itself was downloaded to:

C:\Users\Peter.Brown\AppData\Local\Temp\acesrnomwx.exe

After the trojan and the downloaders were removed, I had to do an ipconfig /renew to get DNS back. I think Security Essentials did some stuff to DNS just in case.

Moral of the Story

Risky sites (porn sites and the like) are still one of the largest malware vectors, alongside links in email and on Facebook, so you do well to avoid them. However, even seemingly legitimate sites can serve trojans. A drive-by download needs no click and no download prompt: the page, or an ad served into it, exploits a bug in the browser or a plugin, and the malware is on disk before you see anything. Safe surfing alone is not enough to protect you from drive-bys on sites with either infected ads or hijacked pages.

Leave UAC on in Windows 7. It's far less intrusive than the Vista implementation, and it is what stopped the dropper here: changing the machine's DNS settings needs administrator rights, and UAC put a prompt between the trojan and those rights. Remember that UAC is a prompt, not a sandbox; it only helps if you click No. Then make sure you have anti-virus software running. With free products like Security Essentials, there's no excuse.
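The checks the post runs through by hand (is UAC actually on, did anything set static DNS servers, what got dropped in the user's Temp folder) as an added PowerShell example. This is not Pete's code or anything from the post; it assumes Windows 7 with PowerShell 2.0 in an elevated prompt. The registry keys are the standard Windows ones; the 24-hour window and the extension list are my own choices.

```powershell
# Added example, not from the original post. Read-only triage for the three
# things the post touched on: is UAC on, has anything set static DNS servers
# behind DHCP's back, and what executables landed in the user's Temp folder.
# Assumes Windows 7 / PowerShell 2.0, run from an elevated prompt.

function Get-UacState {
    # EnableLUA=0 switches UAC off; ConsentPromptBehaviorAdmin=0 elevates admins
    # silently. Either setting means the "allow this program" prompt that
    # blocked the dropper in the post would never have appeared.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        PromptsForElevation        = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -ne 0)
    }
}

function Get-StaticDnsOverrides {
    # A DNS changer writes a static NameServer value; a DHCP-managed interface
    # normally has an empty NameServer and its real servers in DhcpNameServer.
    # Report the global key and every interface where a static value is set.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $top = Get-ItemProperty -Path $params
    if ($top.NameServer) {
        New-Object PSObject -Property @{ Interface = '(global)'; StaticDns = $top.NameServer; DhcpDns = $null }
    }
    Get-ChildItem -Path "$params\Interfaces" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.NameServer -and $p.NameServer -ne $p.DhcpNameServer) {
            New-Object PSObject -Property @{
                Interface = $_.PSChildName
                StaticDns = $p.NameServer
                DhcpDns   = $p.DhcpNameServer
            }
        }
    }
}

function Get-RecentTempExecutables([int]$Hours = 24) {
    # The dropper in the post landed in %LOCALAPPDATA%\Temp under a random name.
    # List executables written there in the last $Hours hours together with
    # their Authenticode status; an unsigned one with a random name deserves a look.
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $env:TEMP -Include *.exe, *.dll, *.scr -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Written   = $_.LastWriteTime
                Signature = $sig.Status
            }
        }
}

Get-UacState
Get-StaticDnsOverrides
Get-RecentTempExecutables -Hours 24
```

Run it before cleanup as well as after: the ipconfig /renew in the post pulls the DHCP-assigned servers back, and Get-StaticDnsOverrides should come back empty once the static entries are gone. If Get-UacState reports PromptsForElevation as False, the prompts that saved this machine would not have been shown at all.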

posted by Pete Brown on Thursday, April 29, 2010

14 comments for “Saved by Windows 7 UAC and Microsoft Security Essentials”

  1. riix says:
    what I can't get my head around is: how is it that ANY website can silently download a ".exe" file in the first place? Is UAC then just a band-aid fix for browser design stupidity? .. and which browser by the way?
  2. Pete says:
    I agree.

    I've used every version of IE, many of Firefox and chrome and never had a drive-by. My wife has had two upstairs on her laptop.

    This time it was IE8 on Windows 7.

    Here's the definition, but it doesn't explain how it works
    http://en.wikipedia.org/wiki/Drive-by_download

    Here's some more info
    http://blogs.zdnet.com/security/?p=6128&tag=wrapper;col1

    From research, looks like IE, Firefox and other browsers all have bugs that folks take advantage of to create these drive-by downloads.
    http://blogs.zdnet.com/security/?p=4758

    They get patched, but it's a race, and there's always a gap between detection and cure.

    Pete
  3. John says:
    As I understand it they don't per se download an EXE file. They do a buffer overrun, then have the code in the buffer overrun execute. This code then creates the EXE file on disk and attempts to run it. Once the buffer overrun code is running it can do pretty much anything, depending on the security level and of course the UAC detection.
  4. allen sanborn says:
    You really should stop running as admin. UAC has flaws. Anti-virus has flaws. Operating systems have flaws. Software (looking at you, Adobe) has flaws.

    The easiest way to negate most flaws is to just not be an admin. Then you can be safer when you look at your "LEGO" sites.

    http://blogs.zdnet.com/security/?p=5964

    Key summary points on the percentage of flaws mitigated by running as a standard user:
    90% of Critical Windows 7 operating system vulnerabilities are mitigated by having users log in as standard users
    100% of Microsoft Office vulnerabilities reported in 2009
    94% of Internet Explorer and 100% of IE 8 vulnerabilities reported in 2009
    64% of all Microsoft vulnerabilities reported in 2009
    87% of vulnerabilities categorized as Remote Code Execution vulnerabilities are mitigated by removing administrator rights

  5. Pete says:
    @Allen

    Sure, I do get all that, but I prefer to run as admin. Given that this is the first time I've ever been hit, I'd say that's a decent track record.

    I do get the pros/cons however, and agree that it's good advice that one ignores at their own peril.

    Scare quotes aside, this really was a very run-of-the-mill site. It had images that looked photoshopped, but were real (guy walking on water, two people hanging from a rope line, etc.)

    Pete
  6. Anon says:
    Pete:

    Even Microsoft is trying to get people not to run as Admin for their regular work when using Vista/Win7. It's almost like running as root on Unix machines. There are a few things to keep in mind as far as UAC and other security things go (i.e., how Program Files is protected, Registry stuff, etc.), but the problem is that 'drive-by' downloading can happen on ANY site, directly or indirectly (i.e., the site was directly compromised or intentionally malicious, or is hosting ads from an advertiser that is similarly compromised/malicious).

    Today, the era of .EXE viruses is almost over. It still happens, but it generally requires both an untrained user and an active motion (downloading and executing). Instead, the 'buffer overflow' issue and related problems are being used to bypass the whole issue of the user. Using malicious scripts and other content, they try to find any little hole in your system, then burrow in. Adobe's been really bad in this regard with both PDF and Flash vulnerabilities, but it's a general issue for current and future software. And all of this is automated; you don't realize something is happening until the virus scanner raises a warning. And by then, it's already gotten in, and may have spread.

    One thing I've done is gone through and tried to disable possible 'issues'. I've disabled JavaScript in PDFs. I've disabled the PDF ActiveX plugin for IE. I've even gone and removed the whitelist "*" site for several add-ins. In today's day and age, the Internet is no longer safe. Too many evil people are taking advantage and abusing it with viruses and trojans, such as the many 'botnets' you hear about. And while I personally would approve of inflicting real-life variations of the digital monsters they've created back on them, it's not going to happen any time soon. So folks need to secure themselves as best as possible.
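The first two mitigations in that comment (PDF JavaScript off, the PDF ActiveX control blocked in IE) as an added PowerShell example. This is not the commenter's script. It assumes Adobe Reader 9.x (the version segment in the policy path is a parameter you set to whatever is installed) and deliberately leaves the control's CLSID for you to read from IE8's Tools > Manage Add-ons dialog rather than hard-coding one; the kill-bit mechanism itself is the standard "Compatibility Flags" value IE honours for any CLSID.

```powershell
# Added example, not the commenter's own script. Applies two of the hardening
# steps described above on Windows 7 from an elevated PowerShell. Both are
# registry changes. The Reader version in the policy path and the CLSID to
# block are assumptions you must fill in for your own machine.

function Disable-AdobeReaderJavaScript([string]$ReaderVersion = '9.0') {
    # Adobe's FeatureLockDown policy key: bDisableJavaScript = 1 turns Acrobat
    # JavaScript off for every user and greys the option out in Reader's UI.
    # $ReaderVersion is an assumption; pass the installed major version.
    $policy = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVersion\FeatureLockDown"
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name bDisableJavaScript -Value 1 -Type DWord
    Get-ItemProperty -Path $policy -Name bDisableJavaScript
}

function Set-ActiveXKillBit([string]$Clsid) {
    # IE refuses to instantiate an ActiveX control whose CLSID has the kill
    # bit (0x400) set in "Compatibility Flags", regardless of per-zone settings.
    # $Clsid is not hard-coded here: look the PDF control's Class ID up in
    # Tools > Manage Add-ons and pass it in braces.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    Get-ItemProperty -Path $key -Name 'Compatibility Flags'
}

Disable-AdobeReaderJavaScript -ReaderVersion '9.0'
# Placeholder CLSID below; replace it with the real one before uncommenting.
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
```

On 64-bit Windows the 32-bit IE reads its ActiveX Compatibility settings from the Wow6432Node branch of the same path, so set the kill bit there as well. The kill bit disables the control rather than removing it, which is the point: the plugin stays installed for other applications, but a web page can no longer load it.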
  7. alex says:
    Hi bro, thanks for sharing your article... I found it helpful.
