
Windows Vista susceptible to social engineering attacks – two-step process for having a Trojan piggyback on a legitimate download

May 22nd, 2007

We have previously pointed out some of the security problems with Windows Vista, such as:

– Windows Vista – problems we know about,

– Windows Vista content protection – why it will fail and hurt users in the developing world the most,

– Why Microsoft’s Open XML is not an open standard,

– CyTRAP Labs advisory – first Windows Vista zero-day exploit in progress, and

– Why Windows Vista could become your next security nightmare

Robert Paveza has uncovered a two-step process for exploiting Windows Vista’s User Account Control, essentially by having a Trojan piggyback on what could be a legitimate download. It works like this:

    a) malware called a proxy infection tool must be downloaded by the unsuspecting user, who then runs the program (importantly, no elevated privileges, such as a System Admin account, are needed at this stage). This software then behaves as it should while, most importantly, it sets up a second malicious payload in the background.

In the meantime the malicious software creates what the author Robert Paveza calls in the paper an ‘executable stub.’ The stub points to a target program that runs at a higher level than what the unsuspecting user downloaded in the first place. The stub could be stored in a place such as the Start menu, where the user would click on it thinking they are running the original, legitimate higher-level program such as Word. This in turn leads to the real malicious action being executed as follows:

    b) the user eventually clicks on the stub, the higher-level program is launched and the malicious software is loaded into the process and run in parallel. By authorizing the higher-level program the user also authorizes the malicious code.

Apparently, a Microsoft spokesperson was quoted as telling the eWeek journalist the following:

    ‘With this in mind, it is important to note that user interaction is required for the initial infection of the Trojan to occur. The user must open the attacker’s malicious executable. Furthermore, the successive social engineering attempt will only be successful if the user inadvertently clicks on the malicious shortcut. In fact, at this point, the user must be part of the local administrator’s group or provide administrator credentials at the UAC prompt.’

But there are three things to keep in mind regarding the point made above by Microsoft:

1) a high percentage of home users start their PC using the Admin account. The reason is that having to log out of their lower-privilege user account in order to install a new application on their PC seems like too much trouble,

2) it is not very difficult to get an unsuspecting end-user to download an application of the .exe type if they believe that it is a game. If the user thinks it’s a game, he or she will most certainly run it once.

3) one can also seed the P2P networks by posting something similar to:

– ‘.mp3.exe’

Thousands of unsuspecting users will download the file thinking it contains the music of their favorite artist and, voilà, thereafter one can just watch the chaos ensue.

Get the paper where Robert Paveza outlines EXACTLY how the exploit works here:

Paveza, Robert (not dated – estimated date = May 15, 2007). User-prompted elevation of unintended code in Windows Vista
