Security issue with malware on Vista bypasses UAC and sends out SPAM

Discussion in 'Windows Vista Security' started by Grant - CNW, Jan 15, 2008.

  1. Grant - CNW

    Grant - CNW Guest

    I came across this problem in early May 2007... and never found anyone else
    on Microsoft's support/KB site or the Internet... perhaps someone here has
    seen this problem.

    I installed a new PC with Windows Vista Ultimate in May... downloaded all
    the security updates, etc..
    I also had a new Windows SBS 2003 R2 server, also with the latest
    OS/security updates.
    I created file shares for the USERS and had some that were protected (READ
    and PRIVATE) in addition to READ/WRITE. The permissions worked for the
    other Windows XP clients on the network, however Vista client would receive
    a PERMISSION DENIED pop-up when accessing a folder on the server which they
    could not browse nor write a file into... but then the write operation
    (folder or file) completed! TO MY SURPRISE! Anyone seen this issue? I
    did find some Vista-specific suggested updates for the SBS 2003 R2 server to
    support Vista clients... and this resolved the problem! Yikes! These
    should have been MANDATORY REQUIRED updates... as I fear some SBS servers
    out there may have been compromised by new Vista clients on their network.

    Anyhow... I digress. A few weeks later in May, the user received an email
    that they should not have opened... and the anti-virus software detected it
    and quarantined the virus. All seemed okay... except after a few days the
    Internet connection was saturated... even when no one was using the
    computers in the office. Further investigation of the firewall (Cisco 871W
    router) showed a lot of traffic coming from the Vista client computer. I
    looked at the PC and the network status icon showed no status/traffic. So
    I disabled the network interface. The outbound SPAM being sent stopped
    going through the firewall... and then again 5 minutes later... started
    again. Looking at the Vista client again... the network connection was
    DISABLED... but sending out traffic! UAC was enabled... how could the
    system enable the network connection and send out SPAM? I tested this and
    ensured no other devices were on the network. I soon discovered that the
    SBS server was doing the same thing! I ran different vendors' anti-virus
    tools and scans... nothing was discovered. I found that I physically had
    to disconnect the cabling to prevent the SPAM from going out... disabling
    the network interface was not enough. I was curious why the Cisco router
    was being hammered so much... and then turned off SPI (stateful packet
    inspection)... this seemed to keep the Internet connection stable. What
    I didn't tell you was that the ISP turned off the Internet connection due to
    the spamming from our network... and wouldn't re-enable until the problem was
    resolved.

    I ended up formatting and re-installing both systems as they were relatively
    new installs and I wanted a clean installation. To date I have not seen
    this problem again.

    Any ideas as to what might have caused this behaviour?

    I see there are ways to disable UAC from window menus and command line (see
    MSCONFIG tool!)... but they normally require a system re-boot. In this
    case, it was turned off and on at will... and appeared normal if the user
    used the computer. But behind the scenes, controlled the NIC on the Vista
    PC.

    Has anyone seen this? Is it a known problem? Has it been resolved?
     
    Grant - CNW, Jan 15, 2008
    #1

  2. mikeyhsd

    mikeyhsd Guest

    Malware/virus/trojans can do weird things.
    Sounds like you need better virus protection.
     
    mikeyhsd, Jan 15, 2008
    #2

  3. Kerry Brown

    Kerry Brown Guest


    Once malware is on your system it can do whatever it wants. Even on Vista if
    a user can be tricked into responding to a UAC prompt the malware would have
    free rein. Malware can easily bypass the Windows networking stack and
    access the NIC directly. For the server it could have been malware on the
    server or a misconfigured Exchange server allowing relaying. If you had
    malware on the server then you have to seriously look to find out how it got
    there. SBS is very secure in its default configuration. You shouldn't be
    using the server for anything but administrative tasks. With SBS 99% of all
    administration should be done with the wizards. SBS is a complicated setup.
    Trying to administer it without the wizards will almost always leave
    something misconfigured and thus vulnerable. You need better anti-malware
    protection. Trend Micro CSM works very well with SBS both on the server and
    the clients.
     
    Kerry Brown, Jan 15, 2008
    #3
  4. Grant - CNW

    Grant - CNW Guest

    I would have thought that Vista, even if compromised, would not allow NIC
    and user interface to be bypassed as it is in control of the hardware and
    operating system at the low-level driver level. Sure, malware can disable
    UAC but normally this requires pop-up window to confirm change with the user
    as well as an OS re-start... this did not occur.

    The SBS 2003 R2 server was completely setup with wizards... nothing was
    circumvented, even file sharing (other than changing security permissions on
    some folders). I suspect it was compromised over the network from the
    infected Vista client... even though it was at the latest security updates
    level.

    Detection and removal of the malware was attempted with AVG, Symantec, Trend
    Micro and Sophos... none of them discovered nor were able to remove the
    problem... hence why I had to re-build.

    Unfortunately, I did not make an image of the infected Vista configuration
    in order to re-test for the malware... or perform further diagnosis.
    Business requirement to get up and running again ASAP was much more
    pressing.

    I guess my concern is that this malware would not have been detected if I
    had not been regularly checking the Internet firewall's logs... and in a
    bigger network would have been more difficult to track down and isolate.
    It did lead to internet connection performance issues as well as client and
    server impacts.

    So what is a hardened approach to protect against this in the future?
    Microsoft Forefront? User training? Multiple malware products? Many
    other suggestions...?
     
    Grant - CNW, Jan 16, 2008
    #4
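Grant's point in #1 and #4 is that the outbreak only showed up in the router's logs, and that on a bigger network it would have been hard to isolate. The script below is an added example (not Grant's, and not a Cisco tool) of the check an admin could automate over those logs: it watches for a LAN host opening SMTP connections to many distinct outside hosts inside a short window, which is what a direct-to-MX spam bot looks like and what a single office workstation never does. The line formats are modelled on Cisco IOS ACL logging (%SEC-6-IPACCESSLOGP) and the CBAC audit trail (%FW-6-SESS_AUDIT_TRAIL); the sample lines, the 192.168.16.0/24 subnet and the thresholds are constructed for the example.

```python
"""Flag LAN hosts that fan out direct-to-MX SMTP connections, from router logs.

Added example for this thread (not the poster's script, not Cisco tooling).
Line formats are modelled on two Cisco IOS messages, ACL logging
(%SEC-6-IPACCESSLOGP) and the CBAC audit trail (%FW-6-SESS_AUDIT_TRAIL);
the sample lines, addresses, subnet and thresholds are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.16.0/24")   # assumed office subnet behind the router
SMTP_PORT = 25
WINDOW_SECONDS = 300                  # sliding window: five minutes
DISTINCT_MX_THRESHOLD = 5             # distinct outside SMTP peers per window before alerting
LOG_YEAR = 2007                       # syslog timestamps carry no year

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
ACL_RE = re.compile(
    _TS + r" .*?%SEC-6-IPACCESSLOGP: list \S+ permitted tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")
CBAC_RE = re.compile(
    _TS + r" .*?%FW-6-SESS_AUDIT_TRAIL: \w+ tcp session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\).*?responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)")

# Constructed sample: 192.168.16.10 is the infected workstation, .2 the SBS server
# talking to its smart host, .20 an innocent web browser.
SAMPLE_LOG = """\
May 21 02:00:01 rtr 101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.10(1044) -> 203.0.113.7(25), 1 packet
May 21 02:00:09 rtr 102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.10(1045) -> 198.51.100.31(25), 1 packet
May 21 02:00:12 rtr 103: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.2(2231) -> 198.51.100.20(25), 1 packet
May 21 02:00:40 rtr 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.20(1501) -> 203.0.113.80(80), 1 packet
May 21 02:01:03 rtr 105: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.10(1046) -> 203.0.113.7(25), 1 packet
May 21 02:01:15 rtr 106: %FW-6-SESS_AUDIT_TRAIL: Stop tcp session: initiator (192.168.16.10:1047) sent 612 bytes -- responder (203.0.113.44:25) sent 210 bytes
May 21 02:01:44 rtr 107: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.10(1048) -> 198.51.100.63(25), 1 packet
May 21 02:02:30 rtr 108: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.10(1049) -> 203.0.113.91(25), 1 packet
May 21 02:02:58 rtr 109: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.10(1050) -> 198.51.100.12(25), 1 packet
May 21 02:05:11 rtr 110: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.16.2(2232) -> 198.51.100.20(25), 1 packet
May 21 02:06:00 rtr 111: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.200(3389) -> 192.168.16.2(25), 1 packet
May 21 02:06:10 rtr 112: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""


def parse_line(line):
    """Return (timestamp, src, sport, dst, dport) for a recognised line, else None."""
    for rx in (ACL_RE, CBAC_RE):
        m = rx.search(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, m["src"], int(m["sport"]), m["dst"], int(m["dport"])
    return None


def outbound_smtp_flows(log_text):
    """Group outside-bound SMTP connections by LAN source: {src: [(ts, dst), ...]}."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, _sport, dst, dport = parsed
        if dport != SMTP_PORT:
            continue
        if ip_address(src) not in LAN or ip_address(dst) in LAN:
            continue                      # only LAN hosts talking to the outside
        flows[src].append((ts, dst))
    return flows


def smtp_fanout_alerts(log_text):
    """One alert per LAN host whose distinct SMTP peers reach the threshold in any window."""
    alerts = []
    for src, events in sorted(outbound_smtp_flows(log_text).items()):
        events.sort()
        window = deque()                  # (ts, dst) pairs inside the last WINDOW_SECONDS
        peers = defaultdict(int)          # dst -> connections to it inside the window
        for ts, dst in events:
            window.append((ts, dst))
            peers[dst] += 1
            while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
                _old_ts, old_dst = window.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            if len(peers) >= DISTINCT_MX_THRESHOLD:
                alerts.append({"host": src, "at": ts,
                               "distinct_mx": len(peers), "connections": len(window)})
                break                     # first crossing is enough for a report
    return alerts


if __name__ == "__main__":
    for a in smtp_fanout_alerts(SAMPLE_LOG):
        print(f"{a['at']:%b %d %H:%M:%S}  {a['host']} reached {a['distinct_mx']} distinct "
              f"SMTP peers ({a['connections']} connections) within {WINDOW_SECONDS}s")
```

Run as-is it prints one alert for 192.168.16.10 (five distinct SMTP peers within about two and a half minutes); the SBS server at 192.168.16.2, which talks only to its smart host, stays quiet. On an 871 the ACL lines appear only for access-list entries carrying the `log` keyword, and the audit trail only with `ip inspect audit-trail` enabled, so the check is only as good as the logging that feeds it. An Exchange server that delivers directly to many domains needs a higher threshold for its own address, and a time-of-day condition (SMTP from a workstation at 2 a.m.) is the obvious next refinement.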
  5. Kerry Brown

    Kerry Brown Guest

    So what is a hardened approach to protect against this in the future?

    User training is the best defense. Do you have WSUS installed on the SBS
    server? Keeping the clients up to date is the next step in a good defense.
    WSUS is a good solution for Microsoft. You also need to make sure that all
    the other programs on the clients are kept up to date. There are flaws in
    old versions of QuickTime, Adobe Reader, Flash, Java, and many more that
    malware can exploit. If you go to some web sites you can log them trying
    many different exploits for many different programs trying to install
    malware. Sometimes the attacks continue for many minutes after you leave the
    site.

    As far as Vista stopping malware: once it's past the first UAC prompt it can
    pretty much do whatever it wants. It could install a rootkit. A rootkit can
    be loaded before Windows. It could easily create its own network stack
    hidden from Windows.
     
    Kerry Brown, Jan 16, 2008
    #5
  6. "A few weeks later in May, the user received an email that they should
    not have opened"

    Block attachments. They clicked and installed something. UAC won't
    protect you from the end user that clicks and installs.
     
    Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP], Jan 19, 2008
    #6
  7. Mr. Arnold

    Mr. Arnold Guest

    The machines were compromised, period, and you did the right thing.

    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
     
    Mr. Arnold, Jan 19, 2008
    #7
  8. Hansjörg

    Hansjörg Guest

    Hey,

    if malware is ever executed as Admin it can simply install services (to
    achieve system privilege), take ownership of everything (to overrule the
    trusted installer), disable services & drivers, change firewall settings,
    install new drivers, kill antivirus software....
    What has Vista improved compared to XP at all?
    Now - you cannot hook into the keyboard and mouse any more, hooking into
    Winlogon has been disabled, sending Windows Messages between different
    security contexts is not possible any more, and much more.
    Yet: as soon as you have ever granted someone FULL UNLIMITED ACCESS (that is: he
    is in the heart of your castle behind all of your walls of defence) the
    machine is potentially not yours any more (the castle is lost).
    The only way to safely recover is
    1.) Unplug the network
    2.) Boot the machine with an independent boot CD.
    3.) Wipe the file system (the safe way is to low-level overwrite clusters)
    4.) Reinstall
    (= burn the castle to the ground and rebuild from scratch).

    hansjörg
     
    Hansjörg, Jan 19, 2008
    #8
  9. Hansjörg

    Hansjörg Guest

    Exactly. You can NEVER recover from a compromised machine.
    You acted absolutely the right way.
    Further reading: Protect your Windows Network, Jesper M. Johansson, Steve
    Riley, Addison-Wesley, ISBN 0-321-33643-7. Pays back every cent spent with
    $1 of saved damage.

    Hansjörg
     
    Hansjörg, Jan 19, 2008
    #9
  10. Grant - CNW

    Grant - CNW Guest

    Interesting. Thanks for the excellent information everyone.
    I guess my concern comes from "perception" versus "reality".

    Companies state that new versions of products are more secure... including
    latest Vista release...
    where the inconvenience of UAC interface and vague information presented are
    touted as "saviours" BUT are not SIMPLE and easy to use and understand... in
    fact are often confusing. To the average user it is an "obstacle" to
    getting the real work done... and should be handled by the operating system.
    Yet if a user makes a simple mistake by opening a malware e-mail with
    PREVIEW on (the crazy default in Outlook 2007, 2003, etc. which I always
    turn off for customers), they are caught with their pants down and pay the
    price! One would expect Windows operating system, internally, would have
    security "heuristics" which look for changes/hacks or repeated operations
    which are perceived as malware attacks... for example, multiple SMTP calls,
    network interface activity, etc.... and based on kept list of security
    changes, disallow the Administrative right granted in error. Windows
    updates and patches, in fact any system changes, should be based on
    confirming identity and authentication of requester, and the core OS should
    be protected... perhaps in a "burned in" firmware or memory device... or
    protected memory/disk areas. Should an Administrator be able to change OS
    files? I don't think so... there is a need for a "super admin" concept...
    which has added security features to manage and protect the OS core.

    People are told and perceive Vista, IE 7, etc are more secure... but there
    will always be something... now or future.
    Really, it is about mitigating risk, user education, and keeping it simple,
    as well as planning for disaster recovery.
    Pervasive security policies and practices.

    ....Grant
     
    Grant - CNW, Jan 20, 2008
    #10
  11. Kerry Brown

    Kerry Brown Guest


    There are no saviors when it comes to security.

    Vista is more secure than XP for many reasons including UAC, service
    hardening, signed drivers in x64, protected mode IE, integrity levels of
    files and applications, user mode vs. kernel mode drivers, locked down ACLs
    on system files and registry keys, and more. This doesn't mean it's
    invulnerable. With any OS a well planned social engineering attack will
    succeed. With all OSes I've worked with a previously unknown bug could be
    exploited for malicious use.

    The best security has been knowledge of the risks and possible vectors of
    attack. A little user training goes a long way when trying to protect a
    computer against malware.
     
    Kerry Brown, Jan 20, 2008
    #11
  12. Alun Jones

    Alun Jones Guest

    Also, I think, from a desire to find someone else at fault.
    And they are - more secure than the previous versions of the software. That
    doesn't mean they're perfectly secure.
    A lock on the front door of your house is an obstacle to getting the real
    work done, but if you, as the user of that lock, don't keep it locked, and
    don't stop other people from following you in, there's not much the door or
    lock can do.
    Why, because you got in trouble that way this time?

    Microsoft already block multiple half-open connections as one attempt to
    block spam bots. As a result, a spam bot is slowed significantly.

    Are you really going to suggest that the system deny administrative access
    to a process that the administrator has said requires administrative access,
    and is allowed to have administrative access? How reliable is a computer if
    it can ignore what the administrator tells it?
    Sounds like you're describing the TrustedInstaller service, which is the
    only user account allowed to make changes to the OS files... of course, an
    administrator, being an administrator, can override that, by resetting file
    permissions.
    Absolutely.

    Consider the following multi-platform virus:

    "Email this message to all of your friends, then open every one of your data
    files, and delete or change every piece of data within. If you have
    administrative access, format your hard drive."

    How would a system protect automatically against someone who "makes a simple
    mistake" and does what his email tells him to?

    Only by completely preventing that user from doing any of his own work.

    So, as you say, there will always be something.

    In case you're thinking to yourself "nobody would be so dumb", I would
    perhaps have agreed with you some time ago, back when I was sending out my
    software to users in an encrypted zip file. After all, I thought, no one
    would be so dumb as to enter a password to open a zip file they haven't
    requested or aren't expecting.

    I was wrong. Given sufficient incentive - whether the possibility of seeing
    a naked tennis star, or enlarging a personal organ, or becoming instantly
    wealthy in a lottery they never entered - users will throw caution to the
    wind, and do something that if it was described dispassionately to them
    would seem unbelievably stupid.

    The responsibility that you have when using a computer is to pay attention
    to what you are doing, and keep an eye out for danger. As a human, you are
    infinitely more qualified to tell what "danger" might be than a computer is.

    Alun.
    ~~~~
     
    Alun Jones, Jan 21, 2008
    #12
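Hansjörg (#8) and Alun (#12) describe the same step: an administrator (or malware running as one) taking ownership of system files and re-granting itself rights, which is how the TrustedInstaller ACLs on OS files get overridden. The script below is an added example (not from this thread and not a Microsoft tool) of the check that catches that after the fact: it reads the text that `icacls <file>` prints and reports any principal other than NT SERVICE\TrustedInstaller holding a write-capable right. The two icacls outputs embedded in it are constructed; the second mimics a file after `takeown /f` and `icacls /grant Administrators:F`. The list of write-capable abbreviations is taken from the icacls help text and is an assumption to review against your Windows version.

```python
"""Spot system files whose ACL grants write access to someone other than TrustedInstaller.

Added example for this thread, not Microsoft's tooling. It parses the text that
`icacls <file>` prints (first ACE on the same line as the path, one ACE per
following line) and flags any principal other than TrustedInstaller that holds
a write-capable right. The sample outputs below are constructed; the second one
shows the result of `takeown` plus `icacls /grant` by an administrator.
"""
import re
import subprocess

TRUSTED_INSTALLER = r"NT SERVICE\TrustedInstaller"
# icacls abbreviations that allow changing a file or its ACL (assumed list, from the
# icacls help text): full, modify, write, delete, write data/append, write
# attributes/EA, write DAC, write owner, generic write/all.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WA", "WEA", "WDAC", "WO", "GW", "GA"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^()]*\))+)\s*$")

# Constructed sample: what `icacls` might print for two files. Real paths, made-up
# output; whether SYSTEM holds RX or F on these files varies between Windows versions.
SAMPLE_ICACLS = {
    r"C:\Windows\System32\notepad.exe": r"""C:\Windows\System32\notepad.exe NT SERVICE\TrustedInstaller:(F)
                                NT AUTHORITY\SYSTEM:(RX)
                                BUILTIN\Administrators:(RX)
                                BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Windows\System32\drivers\tcpip.sys": r"""C:\Windows\System32\drivers\tcpip.sys NT SERVICE\TrustedInstaller:(F)
                                NT AUTHORITY\SYSTEM:(RX)
                                BUILTIN\Administrators:(F)
                                BUILTIN\Users:(RX)

Successfully processed 1 files; Failed processing 0 files
""",
}


def parse_icacls(path, output):
    """Return [(principal, set_of_right_abbreviations), ...] from icacls output for one file."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):                # first line carries the path, then the ACE
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                             # unrecognised line; a stricter tool would raise
        flags = set(re.findall(r"\(([^()]*)\)", m["rights"]))
        aces.append((m["principal"], flags))
    return aces


def unexpected_writers(path, output):
    """Principals other than TrustedInstaller that can modify the file, as (path, who, rights)."""
    findings = []
    for principal, flags in parse_icacls(path, output):
        if "DENY" in flags or principal == TRUSTED_INSTALLER:
            continue
        held = sorted(flags & WRITE_RIGHTS)
        if held:
            findings.append((path, principal, held))
    return findings


def audit(outputs_by_path):
    """Run the check over a {path: icacls_output} mapping and collect all findings."""
    findings = []
    for path, output in outputs_by_path.items():
        findings.extend(unexpected_writers(path, output))
    return findings


def audit_live(paths):
    """Hypothetical helper: query icacls on a Windows host (not exercised offline)."""
    return audit({p: subprocess.run(["icacls", p], capture_output=True,
                                    text=True, check=False).stdout for p in paths})


if __name__ == "__main__":
    for path, who, rights in audit(SAMPLE_ICACLS):
        print(f"{path}: {who} holds {','.join(rights)} (not TrustedInstaller)")
```

The check is only meaningful on Vista and Server 2008 or later, where TrustedInstaller owns the OS files; on XP and 2003 Administrators hold full control by design and everything would be flagged. To run it live, call `audit_live([...])` from an elevated prompt with the files you care about; a baseline taken right after install, diffed against later runs, tells you more than any single pass, and it does not help against a rootkit that already filters what icacls sees.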
  13. Exactly. Social engineering is the number one security threat to
    computers.
    Yes.
     
    Straight Talk, Jan 22, 2008
    #13
