Security issue with malware on Vista bypasses UAC and sends out SPAM

Grant - CNW

I came across this problem in early May 2007... and never found anyone else
on Microsoft's support/KB site or the Internet... perhaps someone here has
seen this problem.

I installed a new PC with Windows Vista Ultimate in May... downloaded all
the security updates, etc.
I also had a new Windows SBS 2003 R2 server, also with the latest
OS/security updates.
I created file shares for the USERS and had some that were protected (READ
and PRIVATE) in addition to READ/WRITE. The permissions worked for the
other Windows XP clients on the network, however Vista client would receive
a PERMISSION DENIED pop-up when accessing a folder on the server which they
could not browse nor write a file into... but then the write operation
(folder or file) completed! TO MY SURPRISE! Anyone seen this issue? I
did find some Vista-specific suggested updates for the SBS 2003 R2 server to
support Vista clients... and this resolved the problem! Yikes! These
should have been MANDATORY REQUIRED updates... as I fear some SBS servers
out there may have been compromised by new Vista clients on their network.

Anyhow... I digress. A few weeks later in May, the user received an email
that they should not have opened... and the anti-virus software detected it
and quarantined the virus. All seemed okay... except after a few days the
Internet connection was saturated... even when no one was using the
computers in the office. Further investigation of the firewall (Cisco 871W
router) showed a lot of traffic coming from the Vista client computer. I
looked at the PC and the network status icon showed no status/traffic. So
I disabled the network interface. The outbound SPAM being sent stopped
going through the firewall... and then again 5 minutes later... started
again. Looking at the Vista client again... the network connection was
DISABLED... but sending out traffic! UAC was enabled... how could the
system enable the network connection and send out SPAM? I tested this and
ensured no other devices were on the network. I soon discovered that the
SBS server was doing the same thing! I ran different vendor's anti-virus
tools and scans... nothing was discovered. I found that I physically had
to disconnect the cabling to prevent the SPAM from going out... disabling
the network interface was not enough. I was curious why the Cisco router
was being hammered so much... and then turned off SPI (stateful packet
inspection)... this seemed to keep the Internet connection stable. What
I didn't tell you was that the ISP turned off the Internet connection due to
the SPAMming from our network... and wouldn't re-enable until the problem was
resolved.

I ended up formatting and re-installing both systems as they were relatively
new installs and I wanted a clean installation. To date I have not seen
this problem again.

Any ideas as to what might have caused this behaviour?

I see there are ways to disable UAC from window menus and command line (see
MSCONFIG tool!)... but they normally require a system re-boot. In this
case, it was turned off and on at will... and appeared normal if the user
used the computer. But behind the scenes, it controlled the NIC on the Vista
PC.

Has anyone seen this? Is it a known problem? Has it been resolved?
 
mikeyhsd

Malware/viruses/trojans can do weird things.
Sounds like you need better virus protection.

Kerry Brown


Once malware is on your system it can do whatever it wants. Even on Vista if
a user can be tricked into responding to a UAC prompt the malware would have
free reign. Malware can easily bypass the Windows networking stack and
access the NIC directly. For the server it could have been malware on the
server or a misconfigured Exchange server allowing relaying. If you had
malware on the server then you have to seriously look to find out how it got
there. SBS is very secure in its default configuration. You shouldn't be
using the server for anything but administrative tasks. With SBS 99% of all
administration should be done with the wizards. SBS is a complicated setup.
Trying to administer it without the wizards will almost always leave
something misconfigured and thus vulnerable. You need better anti-malware
protection. Trend Micro CSM works very well with SBS both on the server and
the clients.
 
Grant - CNW

I would have thought that Vista, even if compromised, would not allow NIC
and user interface to be bypassed as it is in control of the hardware and
operating system at the low-level driver level. Sure, malware can disable
UAC but normally this requires a pop-up window to confirm the change with the user
as well as an OS re-start... this did not occur.

The SBS 2003 R2 server was completely set up with wizards... nothing was
circumvented, even file sharing (other than changing security permissions on
some folders). I suspect it was compromised over the network from the
infected Vista client... even though it was at the latest security updates
level.

Detection and removal of the malware was attempted with AVG, Symantec, Trend
Micro and Sophos... none of them discovered nor were able to remove the
problem... hence why I had to re-build.

Unfortunately, I did not make an image of the infected Vista configuration
in order to re-test for the malware... or perform further diagnosis.
Business requirement to get up and running again ASAP was much more
pressing.

I guess my concern is that this malware would not have been detected if I
had not been regularly checking the Internet firewall logs... and in a
bigger network would have been more difficult to track down and isolate.
It did lead to internet connection performance issues as well as client and
server impacts.

So what is a hardened approach to protect against this in the future?
Microsoft Forefront? User training? Multiple malware products? Many
other suggestions...?
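The detection Grant describes above, regular review of the router's firewall logs for outbound mail traffic, can be automated. The script below is an added example and not code from anyone in this thread; it assumes Cisco IOS ACL logging lines (%SEC-6-IPACCESSLOGP) and a site policy that only the listed mail server may open TCP/25 to the Internet. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Cisco IOS ACL logging format. The host
# 192.168.16.2 plays the SBS/Exchange server, 192.168.16.50 the Vista client.
SAMPLE_LOG = """\
Jun  1 09:00:01 rtr 5: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.2(1039) -> 203.0.113.10(25), 1 packet
Jun  1 09:00:02 rtr 6: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.50(1040) -> 203.0.113.11(25), 1 packet
Jun  1 09:00:03 rtr 7: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.50(1041) -> 203.0.113.12(25), 1 packet
Jun  1 09:00:04 rtr 8: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.50(1042) -> 198.51.100.7(25), 1 packet
Jun  1 09:00:05 rtr 9: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.50(1043) -> 198.51.100.8(80), 1 packet
Jun  1 09:00:06 rtr 10: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.2(1044) -> 198.51.100.9(25), 1 packet
"""

SMTP_PORT = 25

# Matches "permitted tcp SRC(sport) -> DST(dport)" in an IPACCESSLOGP line.
LINE_RE = re.compile(
    r"permitted tcp (?P<src>\d+(?:\.\d+){3})\(\d+\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\)"
)


def smtp_peers_by_host(log_text):
    """Map each internal source IP to the set of remote hosts it reached on TCP/25."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) == SMTP_PORT:
            peers[m.group("src")].add(m.group("dst"))
    return peers


def flag_spam_bots(log_text, mail_servers, max_mail_server_peers=100):
    """Return a sorted list of (host, reason) findings.

    Policy (an assumption for this example): only hosts in mail_servers may
    talk to TCP/25 on the Internet, and even they should not fan out to more
    than max_mail_server_peers distinct destinations within one log window.
    A workstation sending directly to many MXs is the classic spam-bot sign;
    a mail server with an unusual fan-out may be relaying or be infected itself.
    """
    findings = []
    for host, dsts in smtp_peers_by_host(log_text).items():
        if host not in mail_servers:
            findings.append(
                (host, f"direct-to-MX SMTP from non-mail host to {len(dsts)} destinations"))
        elif len(dsts) > max_mail_server_peers:
            findings.append(
                (host, f"mail server fan-out to {len(dsts)} destinations exceeds {max_mail_server_peers}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, reason in flag_spam_bots(SAMPLE_LOG, {"192.168.16.2"}):
        print(f"{host}: {reason}")
```

Tune max_mail_server_peers to the mail server's normal daily fan-out, and feed the function real syslog exported from the router rather than the constructed sample.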
 
Kerry Brown

So what is a hardened approach to protect against this in the future?
Microsoft Forefront? User training? Multiple malware products? Many
other suggestions...?


User training is the best defense. Do you have WSUS installed on the SBS
server? Keeping the clients up to date is the next step in a good defense.
WSUS is a good solution for Microsoft. You also need to make sure that all
the other programs on the clients are kept up to date. There are flaws in
old versions of QuickTime, Adobe Reader, Flash, Java, and many more that
malware can exploit. If you go to some web sites you can log them trying
many different exploits for many different programs trying to install
malware. Sometimes the attacks continue for many minutes after you leave the
site.

As far as Vista stopping malware, once it's past the first UAC prompt it can
pretty much do whatever it wants. It could install a rootkit. A rootkit can
be loaded before Windows. It could easily create its own network stack
hidden from Windows.
 
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

"A few weeks later in May, the user received an email that they should
not have opened"

Block attachments. They clicked and installed something. UAC won't
protect you from the end user that clicks and installs.
 
Hansjörg

Hey,

if malware is ever executed as Admin it can simply install services (to
achieve system privilege), take ownership of everything (to overrule the
trusted installer), disable services & drivers, change firewall settings,
install new drivers, kill antivirus software....
What has Vista improved compared to XP at all?
Now - you cannot hook into the keyboard and mouse any more, hooking into
Winlogon has been disabled, sending Windows Messages between different
security contexts is not possible any more and much more.
Yet: as soon as you ever granted someone FULL UNLIMITED ACCESS (that is: he
is in the heart of your castle behind all of your walls of defence) the
machine is potentially not yours any more (the castle is lost).
The only way to safely recover is
1.) Unplug the network
2.) Boot the machine with an independent boot CD.
3.) Wipe the file system (the safe way is to low-level overwrite clusters)
4.) Reinstall
(=burn the castle to the ground and rebuild from scratch).

hansjörg
 
Hansjörg

Exactly. You can NEVER recover from a compromised machine.
You acted absolutely the right way.
Further reading: Protect your Windows Network, Jesper M. Johansson, Steve
Riley, Addison Wesley ISBN 0-321-33643-7. Pays back every cent spent with $1
of saved damage.

Hansjörg
 
Grant - CNW

Interesting. Thanks for the excellent information everyone.
I guess my concern comes from "perception" versus "reality".

Companies state that new versions of products are more secure... including
latest Vista release...
where the inconvenience of UAC interface and vague information presented are
touted as "saviours" BUT are not SIMPLE and easy to use and understand... in
fact are often confusing. To the average user it is an "obstacle" to
getting the real work done... and should be handled by the operating system.
Yet if a user makes a simple mistake by opening a malware e-mail with
PREVIEW on (the crazy default in Outlook 2007, 2003, etc. which I always
turn off for customers), they are caught with their pants down and pay the
price! One would expect Windows operating system, internally, would have
security "heuristics" which look for changes/hacks or repeated operations
which are perceived as malware attacks... for example, multiple SMTP calls,
network interface activity, etc.... and based on kept list of security
changes, disallow the Administrative right granted in error. Windows
updates and patches, in fact any system changes, should be based on
confirming identity and authentication of requester, and the core OS should
be protected... perhaps in a "burned in" firmware or memory device... or
protected memory/disk areas. Should an Administrator be able to change OS
files? I don't think so... there is a need for a "super admin" concept...
which has added security features to manage and protect the OS core.

People are told and perceive Vista, IE 7, etc are more secure... but there
will always be something... now or future.
Really, it is about mitigating risk, user education, and keeping it simple,
as well as planning for disaster recovery.
Pervasive security policies and practices.

....Grant
 
Kerry Brown

Grant - CNW said:
Interesting. Thanks for the excellent information everyone.
I guess my concern comes from "perception" versus "reality".

Companies state that new versions of products are more secure... including
latest Vista release...
where the inconvenience of UAC interface and vague information presented
are touted as "saviours" BUT are not SIMPLE and easy to use and
understand... in fact are often confusing. To the average user it is an
"obstacle" to


There are no saviors when it comes to security.

Vista is more secure than XP for many reasons including UAC, service
hardening, signed drivers in x64, protected mode IE, integrity levels of
files and applications, user mode vs. kernel mode drivers, locked down ACLs
on system files and registry keys, and more. This doesn't mean it's
invulnerable. With any OS a well planned social engineering attack will
succeed. With all OSes I've worked with a previously unknown bug could be
exploited for malicious use.

The best security has been knowledge of the risks and possible vectors of
attack. A little user training goes a long way when trying to protect a
computer against malware.
 
Alun Jones

Grant - CNW said:
Interesting. Thanks for the excellent information everyone.
I guess my concern comes from "perception" versus "reality".

Also, I think, from a desire to find someone else at fault.
Companies state that new versions of products are more secure... including
latest Vista release...

And they are - more secure than the previous versions of the software. That
doesn't mean they're perfectly secure.
where the inconvenience of UAC interface and vague information presented
are touted as "saviours" BUT are not SIMPLE and easy to use and
understand... in fact are often confusing. To the average user it is an
"obstacle" to getting the real work done... and should be handled by the
operating system.

A lock on the front door of your house is an obstacle to getting the real
work done, but if you, as the user of that lock, don't keep it locked, and
don't stop other people from following you in, there's not much the door or
lock can do.
Yet if a user makes a simple mistake by opening a malware e-mail with
PREVIEW on (the crazy default in Outlook 2007, 2003, etc. which I always
turn off for customers), they are caught with their pants down and pay the
price! One would expect Windows operating system, internally, would have
security "heuristics" which look for changes/hacks or repeated operations
which are perceived as malware attacks... for example, multiple SMTP
calls, network interface activity, etc.... and based on kept list of
security changes, disallow the Administrative right granted in error.
Windows

Why, because you got in trouble that way this time?

Microsoft already blocks multiple half-open connections as one attempt to
block spam bots. As a result, a spam bot is slowed significantly.

Are you really going to suggest that the system deny administrative access
to a process that the administrator has said requires administrative access,
and is allowed to have administrative access? How reliable is a computer if
it can ignore what the administrator tells it?
updates and patches, in fact any system changes, should be based on
confirming identity and authentication of requester, and the core OS
should be protected... perhaps in a "burned in" firmware or memory
device... or protected memory/disk areas. Should an Administrator be
able to change OS files? I don't think so... there is a need for a
"super admin" concept... which has added security features to manage and
protect the OS core.

Sounds like you're describing the TrustedInstaller service, which is the
only user account allowed to make changes to the OS files... of course, an
administrator, being an administrator, can override that, by resetting file
permissions.
People are told and perceive Vista, IE 7, etc are more secure... but there
will always be something... now or future.
Really, it is about mitigating risk, user education, and keeping it
simple, as well as planning for disaster recovery.
Pervasive security policies and practices.

Absolutely.

Consider the following multi-platform virus:

"Email this message to all of your friends, then open every one of your data
files, and delete or change every piece of data within. If you have
administrative access, format your hard drive."

How would a system protect automatically against someone who "makes a simple
mistake" and does what his email tells him to?

Only by completely preventing that user from doing any of his own work.

So, as you say, there will always be something.

In case you're thinking to yourself "nobody would be so dumb", I would
perhaps have agreed with you some time ago, back when I was sending out my
software to users in an encrypted zip file. After all, I thought, no one
would be so dumb as to enter a password to open a zip file they haven't
requested or aren't expecting.

I was wrong. Given sufficient incentive - whether the possibility of seeing
a naked tennis star, or enlarging a personal organ, or becoming instantly
wealthy in a lottery they never entered - users will throw caution to the
wind, and do something that if it was described dispassionately to them
would seem unbelievably stupid.

The responsibility that you have when using a computer is to pay attention
to what you are doing, and keep an eye out for danger. As a human, you are
infinitely more qualified to tell what "danger" might be than a computer is.

Alun.
~~~~
 
Straight Talk

Vista is more secure than XP for many reasons including UAC, service
hardening, signed drivers in x64, protected mode IE, integrity levels of
files and applications, user mode vs. kernel mode drivers, locked down ACLs
on system files and registry keys, and more.
This doesn't mean it's invulnerable. With any OS a well planned social
engineering attack will succeed.

Exactly. Social engineering is the number one security threat to
computers.
With all OS' I've worked with a previously unknown bug could be
exploited for malicious use.

The best security has been knowledge of the risks and possible vectors of
attack. A little user training goes a long way when trying to protect a
computer against malware.

Yes.
 