Endpoint Protection

Companion Viruses for the 21st Century 

May 15, 2007 03:00 AM

For those of you who don't know or remember, a "companion virus" is a type of computer virus that took advantage of MS-DOS's filename matching. The companion virus would create a program with the same name as the "infected" file, but with a different extension, such as .com. For example, to infect a program called "innocent.exe," the virus could create one called "innocent.com" that would be, ironically, malicious rather than innocent. Once the virus had infected innocent.exe, typing "innocent" into the command line would invoke the first program found alphabetically, "innocent.com." Typically, the virus would execute the real program in addition to running its payload, so as long as the virus was quick enough, the user wouldn't even know what had happened.

A similar concept is creating a program called "c:\program.exe." If the user executed "c:\program files\innocent\innocent.exe," the program "c:\program.exe" could be run with "files\innocent\innocent.exe" as a parameter. This would be dangerous only on certain parser implementations.

Rob Paveza, an independent security researcher, has recently disclosed a conceptually similar attack against Windows Vista's new User Access Control (UAC) system. UAC is a layer of protection provided by Vista that notifies a user when an administrative function is performed. In his paper User-Prompted Elevation of Unintended Code in Windows Vista, posted to the Bugtraq mailing list, Paveza reveals an attack vector that makes use of the Start menu. Using this companion virus-style attack, a malware writer could potentially trick a user into allowing a malicious program to run with heightened privileges.

Paveza's paper outlines a two-stage attack. The first part is delivered as a standard Trojan file, sent to the user via email or downloaded from a website. This part relies on social engineering to trick a user into running the program. This first-stage program, dubbed the "proxy infection tool", doesn't prompt for elevation, since it won't make any system-wide changes. Additionally, it may perform the actions that the user expected it to perform, in the classic style of Trojans. The proxy infection tool sets up the second stage of the attack, which I'll discuss later.

The attack the researcher outlines involves the construction of the Start menu. A user's Start menu is built from at least two locations. One is the user's Start menu folder and the other is global. These two locations are merged to create the Start menu that the user sees. If the same shortcut exists in both the user's folder and the global folder, the user's is used.

The proxy infection tool, which is run by the user, writes to the user's Start menu folder and reads from the global Start menu folder without requesting elevated permissions. The program searches the global Start menu folder for all programs that require elevation, and creates duplicates in the user's folder that point to the malicious code. This is the second stage of the attack.

When the user attempts to run a program that has been duplicated, they see a UAC prompt. Because the program already required elevated permission, the user wouldn't be alarmed. The malicious program, with elevated privileges, executes the intended program, fooling the user into thinking everything is normal. Meanwhile, the malicious program can clean up any trace that it had piggy-backed, and install itself somewhere with permanently-elevated privileges.

In addition to this Start menu attack, another trick is to replace desktop shortcuts. The user's shortcuts to programs that require elevation can be hidden by the proxy infection tool, and replaced with shortcuts to the second-stage code. When users run an infected program, they are prompted for UAC elevation. Without realizing that the program is not actually the program they intended to run, the users may give the program elevated permission. Again, once the program has administrator permission, it can clean up any trace of itself and ensure it will always have administrator access.

The best way to defend against this attack is with the traditional matching and heuristics used by antivirus software. However, this means that in these cases, UAC is providing no additional protection. A possible way to improve the UAC prompt to help users identify this attack more readily is to use a different prompt when running a program that has never been run before. This way, a newly-installed Trojan will stand out. Another way to protect users is to show them a special prompt when they're about to run a program from a user-writable directory.
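As an added example (not from the original post or from Paveza's paper), the following Python check compares the per-user Start menu against the global one and reports shortcuts that shadow a global entry but resolve to a different target, marking those whose target sits in a user-writable location, which is the condition the last suggestion above keys on. The shortcut names and target paths are constructed sample data, and the list of user-writable roots is an assumption.

```python
from pathlib import PureWindowsPath

# Constructed sample data standing in for the two Start Menu folders:
# shortcut file name -> the target its .lnk resolves to. On a real
# system these maps would be built by walking both folders.
GLOBAL_START_MENU = {
    "Disk Cleanup.lnk": r"C:\Windows\System32\cleanmgr.exe",
    "Notepad.lnk": r"C:\Windows\System32\notepad.exe",
    "Device Manager.lnk": r"C:\Windows\System32\devmgmt.msc",
}
USER_START_MENU = {
    "disk cleanup.lnk": r"C:\Users\alice\AppData\Roaming\upd\cleanmgr.exe",
    "Device Manager.lnk": r"C:\Users\alice\AppData\Roaming\upd\devmgmt.exe",
    "My Notes.lnk": r"C:\Users\alice\Documents\notes.txt",
}
# Roots a standard user can write to without elevation (assumed list).
USER_WRITABLE_ROOTS = (PureWindowsPath(r"C:\Users"),)


def is_user_writable(target: str) -> bool:
    """True if the target lives under a user-writable root (case-insensitive)."""
    parents = PureWindowsPath(target).parents
    return any(root in parents for root in USER_WRITABLE_ROOTS)


def find_shadowed_shortcuts(global_menu: dict, user_menu: dict) -> list:
    """Per-user shortcuts that shadow a global shortcut of the same name
    (compared case-insensitively, as Windows does) but resolve elsewhere."""
    global_by_name = {n.casefold(): (n, t) for n, t in global_menu.items()}
    findings = []
    for name, user_target in user_menu.items():
        hit = global_by_name.get(name.casefold())
        if hit is None:
            continue  # no global counterpart, so nothing is shadowed
        global_name, global_target = hit
        if PureWindowsPath(global_target) == PureWindowsPath(user_target):
            continue  # same target: a harmless duplicate, not a swap
        findings.append({
            "name": global_name,
            "global_target": global_target,
            "user_target": user_target,
            "user_writable_target": is_user_writable(user_target),
        })
    return findings


if __name__ == "__main__":
    for f in find_shadowed_shortcuts(GLOBAL_START_MENU, USER_START_MENU):
        flag = "user-writable" if f["user_writable_target"] else "system"
        print(f"{f['name']}: {f['global_target']} -> {f['user_target']} [{flag}]")
```

A shadowing shortcut whose target is under a system directory is usually a legitimate customisation; the combination of shadowing and a user-writable target is what deserves a closer look.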
