Is a PC Using a Limited User Account (LUA) Safe from Drive-by Download Attacks?
by Eirik Iverson, Product Management
No. LUA still leaves computers vulnerable to drive-by download attacks that steal passwords and credentials, copy data records and documents, destroy files, ransom user content, serve as an attack platform inside an enterprise firewall, or serve as one of thousands of computers in a botnet. LUA just makes it more difficult for attackers to burrow their malware so deep into a computer (i.e., a rootkit) that it may never be detected.
What is a Drive-by Download Attack?
As someone recently said, “you can’t have an exploit without a vulnerability”. There must be a vulnerability in some software application in use on a PC for it to be successfully attacked via a virus, worm, or other malware. The vulnerability is a programming mistake by the software’s vendor that lets an attacker coerce the software into doing something harmful to the endpoint.
In the case of a drive-by download attack, the INITIAL harmful action is forcing the attacked software application to:
- Download another software application from the Internet
- Place it somewhere in user-space (will define this below)
- Launch this other software application
This other software application is often the first of many different software applications that ultimately land on an attacked machine. The security community calls this a “drive-by download attack” when it can be implemented without tricking the end-user into doing something to enable it. Sloppy drive-by download attacks are noticed by end-users. Good ones are perfectly invisible to the ordinary end-user; the end-user has no idea how it occurred.
What is a Limited User Account (LUA)?
Before defining LUA, let’s clear something up. When a person has to enter a password to use their computer, there is a user name that is either explicitly visible (it may have to be typed or selected) or implied (as a convenience, one might choose not to enter or choose a user ID each time one uses the computer). Each user name and password combination is an account. There may be many user accounts per computer. There may be different accounts for different people, each with its own login name and password. Or there may be different accounts with different privileges on the computer: an account for administering the computer (installing and updating software, configuring it, and defining user accounts) and one or more for just using it.
A limited user account has fewer privileges than an account with local admin rights. This is a good thing! Any software launched by the user inherits the privileges associated with the user account used for login. So, when Internet Explorer is running for a LUA user, the operating system does not allow Internet Explorer to perform write operations to critical parts of the operating system. However, when Internet Explorer is running for a user with local admin rights, Internet Explorer may add or alter files anywhere on the endpoint, including critical parts of the operating system. Newer operating systems try to discourage home users from using an administrative account for day-to-day work, to reduce security risks. Many enterprises do likewise, but many don’t (another blog post perhaps).
What is User-Space?
I didn’t want to define user-space before defining LUA. User-space consists of all of the folders (i.e., directories) in a computer where a LUA end-user and her software applications may add or modify files. In Windows, these include “My Documents”, “Desktop”, extra hard drives/partitions, and some others. With LUA in Windows, nothing may be added to or modified within “Program Files” and “Windows”, for example.
The term user-space is important. For cyber criminals to infest a computer, they must coerce a software application with programming flaws into adding or modifying files on the target computer. Most commonly, this means placing at least one software application somewhere on the hard drive.
With anywhere from one-third to two-thirds of computers today running via a limited user account, the hijacked software application would be unable to place files into “Program Files” or “Windows”. So, the first choice of where to try to place the initial software application from the attacker is to place it somewhere in user-space, where the write operation is certain to succeed. After that malicious software application starts running in user-space, it might check to see if it can write into “Program Files” or “Windows” and then adjust accordingly. Regardless, user-space is usually the initial landing place for the attacker’s malicious software. Consequently, security software and users should be very vigilant about any software residing there because most legitimate software resides in “Program Files” (Google Chrome is one of quite a few exceptions).
Are Computers Running via LUA Safe from a Drive-by Download Attack?
No. For example, if a programming mistake in Internet Explorer is exploited, such as the Microsoft Video ActiveX control vulnerability that was under attack in summer 2009, LUA does NOT prevent the “hijacked” Internet Explorer from downloading an attacker’s malicious software application, placing it into “My Documents”, and launching it.
If this software is allowed to launch, it can eavesdrop on all mouse clicks and keyboard entries, steal user IDs and passwords, copy credit card numbers and valuable documents such as tax returns, and more. The ‘more’ gets pretty awful pretty fast. LUA would also allow Internet Explorer or the attacker’s malicious software to add an entry to the Windows Registry (HK Current User / Run) that causes this malicious software to be launched automatically whenever Windows starts.
There’s far too much to enumerate in this blog entry. Suffice it to say, if the malicious software is allowed to run in user-space, it will continue to do so, and it will try to do even more harmful things. LUA just makes it more difficult for the attacker to burrow so deep into the computer that it becomes practically invisible.
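As an added example (not part of the original post and not AppGuard code), the following Python script applies the vigilance the post calls for: it lists the current user’s Run-key autostarts and flags any whose program sits in user-space rather than under “Program Files” or “Windows”. It assumes the default Windows folder layout and upper-cased environment variable names (as os.environ provides on Windows); the sample entries, including the fake “svchost.exe” dropped into My Documents, are constructed.

```python
"""Flag HKCU Run-key autostarts whose program lives in user-space (added example, not AppGuard code)."""
import os
import re

# Roots a limited user cannot write to; assumes the default Windows layout. Keys are upper-case
# because os.environ upper-cases variable names on Windows.
PROTECTED_ROOTS = ("PROGRAMFILES", "PROGRAMFILES(X86)", "SYSTEMROOT")

def expand(path, env):
    """Expand %VAR% references using the supplied environment map (case-insensitive names)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def executable_from_command(command):
    """Pull the program path out of a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]

def is_user_space(path, env):
    """True when the path is outside Program Files / Windows, i.e. writable by a LUA user."""
    full = expand(path, env).lower()  # Windows paths are case-insensitive
    return not any(full.startswith(env[k].lower().rstrip("\\") + "\\")
                   for k in PROTECTED_ROOTS if env.get(k))

def flag_user_space_autostarts(entries, env):
    """Return [(name, expanded program)] for entries launching from user-space.
    Only the program is examined, not its arguments (e.g. a DLL handed to rundll32)."""
    exes = [(name, executable_from_command(cmd)) for name, cmd in entries]
    return [(name, expand(exe, env)) for name, exe in exes if is_user_space(exe, env)]

def read_hkcu_run():
    """Live HKCU Run entries (Windows only; standard-library winreg)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        values = (winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1]))
        return [(name, str(data)) for name, data, _ in values]
# Constructed sample: a Run key after a drive-by download dropped "svchost.exe" into My Documents.
SAMPLE_ENV = {"PROGRAMFILES": r"C:\Program Files", "SYSTEMROOT": r"C:\Windows",
              "USERPROFILE": r"C:\Users\alice"}
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("ctfmon", r"%SystemRoot%\system32\ctfmon.exe"),
    ("Updater", r'"%USERPROFILE%\Documents\svchost.exe" -s'),
]
if __name__ == "__main__":  # live scan on Windows, constructed sample elsewhere
    entries, env = (read_hkcu_run(), dict(os.environ)) if os.name == "nt" else (SAMPLE_ENTRIES, SAMPLE_ENV)
    for name, exe in flag_user_space_autostarts(entries, env):
        print(f"user-space autostart: {name} -> {exe}")
```

A hit is not proof of malware (Chrome, for instance, legitimately runs from user-space), but each one deserves a look.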
AppGuard and AppGuard Enterprise Plus Snuff Out Drive-by Download Attacks
Quite simply, AppGuard and AppGuard Enterprise Plus client security software do not trust the applications that run on computers. Consequently, they “Guard” the applications legitimately installed in “Program Files” and they prevent any software executable from launching at all if it is located in user-space. “Guarding” applications means that they are not allowed to do harmful things but otherwise leaves them alone.
As noted earlier, some legitimate applications run from user-space, such as Google Chrome and GotoMeeting. AppGuard and AppGuard Enterprise Plus will not let them run at all unless they are added to the “Guard List”. In effect, this means that unknown software is not allowed to run from user-space.
These protections and more defeat the vast majority of malware attacks, and at a fraction of the effort of other security products.


July 23rd, 2009 at 9:56 am
[...] So, what can these malicious executables do from user-space? They can steal information, alter registry settings so they automatically run when Windows launches, and they can attack other applications or other computers. BTW, the Conficker worm attempts to crack the admin credentials for its host so it can implant something deeper and more invisible into its host. There are other vectors. {More on this point in a post on Limited user accounts versus drive-by download attacks} [...]
June 28th, 2010 at 12:14 pm
Awesome post. I’ve got to express though that for operating systems, I’m still old school and usually stick with models that have had the kinks worked out for a couple years, how about you?