
[PCWorld]Windows Vista UAC catches Rootkits before they install

post #1 of 44
Thread Starter 
http://www.pcworld.com/businesscente...ests_find.html

Quote:
Love or hate its nagging prompts, Vista's User Account Control feature (UAC) has a security feature that marks it out from any other type of Windows security programme -- it can spot rootkits before they install.
This is one finding buried in a report published in two German computer magazines some months ago after testing by the respected AV-Test.org, which set out to find out how well antivirus programs fared against known rootkits.
The answer was not particularly well at all, either for Windows XP, or Vista-oriented products. Of 30 rootkits thrown at XP anti-malware scanners, none of the seven AV suites found all 30, a similar story to the six web-based scanners assessed. Only four of the 14 specialized anti-rootkit tools managed a perfect score.
Best Protection


The best of the all-purpose suites was Avira AntiVir Premium Security Suite, which found 29 active rootkits, with Norton finding as few as 18. The anti-rootkit tools fared better, with AVG Anti-Rootkit Free, GMER, Rootkit Unhooker LE, and Trend Micro Rootkit Buster achieving perfect scores. The scores for removal were patchy, however, with all failing to remove any of the rootkits they had found.
The results for Vista products were harder to assess because only six rootkits could run on the OS, but the testers had to turn off UAC to get even this far. Vista's UAC itself spotted everything thrown in front of it.
Only three of the 17 AV tools for Vista managed to both detect and successfully remove them, F-Secure Anti-Virus 2008, Panda Security Antivirus 2008, and Norton Antivirus 2008.
Once on a PC, rootkits can bury themselves quietly, but they have to get to that point first. As long as users interpret prompts from the UAC system attentively, or those messages haven't in some way been spoofed, rootkits struggle to jump to the PC without drawing attention to themselves.
That UAC can tell a user when a rootkit is trying to install itself is not in itself surprising, as Vista is supposedly engineered from the ground up to intercept all application requests of any significance.
Danger of Rootkits


Rootkits matter. By their nature, they set out to bypass the operating system. Once installed, they can do whatever they like, including loading other malware from a position of privilege. The question is, how can one be sure that a scanner is spotting a type of program built on the principle of extreme stealth?
An interesting footnote to the XP rootkit testing was that the samples chosen included three 'professional' rootkits, apparently legitimate programs designed to enforce things such as copy protection. The most infamous example of this category included is the Sony XCP/First4Internet rootkit, which caused the company so much embarrassment when it was discovered in 2005.
But in a period of weeks when Vista has received criticism for its rate of vulnerabilities, Microsoft's programmers can at least point to evidence that UAC is efficient at stopping those infections from happening automatically.
post #2 of 44
Vista ftw!

B-b-b-but I thought UAC was worthless right?

post #3 of 44
Vista = WIN.
Even though I disabled UAC lol
post #4 of 44
I would rather deal with rootkits than deal with UAC up my butt every time I install/change something.
    
CPUMotherboardGraphicsRAM
Q9550 EVGA 790i Ultra Sli 775 Visiontek 4870x2 OCZ Fatal1ty Edition DDR3 8GB (2 x 2GB)x2 
Hard DriveOSMonitorKeyboard
Raptor X 150GB;2x WD 200GB;WD 250GB;WD 36GB Raptor Windows Vista™ Ultimate x64 Acer 24" LCD Logitech G15 Keyboard 
PowerCaseMouseMouse Pad
Enermax Galaxy 1000W Lian Li Cube Case (Modded Big Time) Logitech G5 Mouse Bf2142 Edition Desk 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Q9550 EVGA 790i Ultra Sli 775 Visiontek 4870x2 OCZ Fatal1ty Edition DDR3 8GB (2 x 2GB)x2 
Hard DriveOSMonitorKeyboard
Raptor X 150GB;2x WD 200GB;WD 250GB;WD 36GB Raptor Windows Vista™ Ultimate x64 Acer 24" LCD Logitech G15 Keyboard 
PowerCaseMouseMouse Pad
Enermax Galaxy 1000W Lian Li Cube Case (Modded Big Time) Logitech G5 Mouse Bf2142 Edition Desk 
  hide details  
Reply
post #5 of 44
This is not that surprising. The fact is that Windows apps have traditionally had too much power, M$ are trying to stop that.

Look at Linux, one of the reasons it's secure is because code is generally well written and doesn't request root when it doesn't need it.

Running Windows XP is like running in root all of the time, UAC is basically Microsoft's answer to Sudo.

One of the few good things M$ have done.
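The post above compares UAC to sudo. As an added illustration of that comparison (my own example, not the poster's words and not from the PCWorld article), the PowerShell below reads the documented UAC policy values, reports whether the current shell holds a full or a filtered (split-token) administrator token, and re-launches a command through the UAC consent prompt in the way one would use sudo. The helper names (Get-UacStatus, Test-Elevated, Invoke-Elevated) are my own; the registry value names and the meanings of ConsentPromptBehaviorAdmin are Microsoft's documented UAC policy settings.

```powershell
# Added example (not from the PCWorld article or any poster in this thread).
# Reads the UAC policy values, reports whether this shell holds a full or a
# filtered (split-token) administrator token, and re-launches a command through
# the UAC consent prompt, which is the closest Windows analogue to sudo.

$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Meaning of ConsentPromptBehaviorAdmin, per Microsoft's UAC policy documentation.
$AdminPromptBehavior = @{
    0 = 'Elevate without prompting (UAC effectively off for administrators)'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacStatus {
    $p = Get-ItemProperty -Path $UacPolicyKey
    $behavior = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 'Not set' }
                else { $AdminPromptBehavior[[int]$p.ConsentPromptBehaviorAdmin] }
    [pscustomobject]@{
        EnableLUA             = [bool]$p.EnableLUA      # 0 here is "UAC disabled"
        AdminPromptBehavior   = $behavior
        PromptOnSecureDesktop = [bool]$p.PromptOnSecureDesktop
    }
}

function Test-Elevated {
    # With UAC on, an administrator's ordinary shell carries a filtered token in
    # which the Administrators SID is marked deny-only, so this role check returns
    # $false until the process has been elevated through the consent prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    # sudo-style: start a new process with the "runas" verb. This routes the
    # request through UAC and shows the consent prompt; with EnableLUA = 0 the
    # prompt never appears and the process simply starts with the full token,
    # which is why the testers had to disable UAC before the samples would run.
    param([Parameter(Mandatory)][string]$Command)
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoProfile', '-Command', $Command
}

Get-UacStatus | Format-List
"Current shell elevated: $(Test-Elevated)"

# Elevated shell: 'whoami /groups' then shows "High Mandatory Level" and the
# Administrators group without the "Group used for deny only" attribute.
# Invoke-Elevated -Command 'whoami /groups; pause'
```

Run the script once from a normal shell and once after the consent prompt: the first run reports Test-Elevated as False even for a member of Administrators, the second as True, which is the split-token behaviour the sudo comparison is pointing at. If EnableLUA reads False, every process started by an administrator already has the full token and nothing in the flow above will ever prompt.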
post #6 of 44
Quote:
Originally Posted by lattyware View Post
UAC is basically Microsoft's answer to Sudo.
That's why Linux is annoying as hell then.
post #7 of 44
That's actually nice to hear about the UAC.
post #8 of 44
Don't other OSes have UAC-like features?
I know OSX requires you to enter the admin password for installing apps and modifying system-wide settings.
post #9 of 44
"The results for Vista products were harder to assess because only six rootkits could run on the OS, but the testers had to turn off UAC to get even this far"

I love that part, even if you turn UAC off it is still a formidable foe for rootkits.
post #10 of 44
Quote:
Originally Posted by igob8a View Post
Don't other OSes have UAC-like features?
I know OSX requires you to enter the admin password for installing apps and modifying system-wide settings.
OSX requires authentication for creating or modifying system files, or basically making system-wide changes.

Installing apps doesn't require authentication (unless you're doing it through the installer, which is NOT most of the time; most of the time it's drag-and-drop), but if the app were to try and make system changes, authentication would be required.

But yes, most OSs now have separate user and root accounts. Lack of this was the problem with XP and everything before it for a long time.