Hit or Miss? Vista and Current Threat Survivability
The long anticipated Windows Vista operating system is finally out the door and as anyone would agree, it’s celebration time at Microsoft. But, let’s discuss what we are in for with a peek at the default user environment on the 32-bit platform.
Symantec Advanced Threat Research decided to conduct an analysis of Windows Vista’s security enhancements provided by the user account control (UAC) and resulting new security barriers. No formal requirements were defined, although a few guidelines were set to stay organized; gather a sample set of malicious code, execute them under the default UAC environment, and carefully determine their success. The results were then broken down into three categories:
1) Successful execution of malicious code
2) System restart survivability
3) Failed execution of malicious code, and why
There are two important prerequisites in place to establish fair play practices:
1) All malicious code must be executed under the default UAC environment
2) No malicious code is to be modified to bypass current Vista restrictions
It is important to point out that malicious code was selected by class, but largely at random. The targeted selections are classified as rootkits, Trojans, spyware, mass mailers, etc. All tests were executed under a VMware virtual machine and it is also important to note that some malicious code may intentionally not run under this environment. Several classes of threats were expected to fail, but were included simply for the sake of completeness. In particular, because of UAC, rootkits inevitably fail as do Trojans, which by design try to load drivers or modify system-wide settings.
Analyzing the results
Approximately 2,000 unique instances of malicious code were executed during the life of this project. While relatively simple, the method used for determining whether or not a sample of malicious code was successful was fairly time consuming. Data normalization procedures were required before meaningful results could be retrieved. The logs produced by the tools displayed certain properties that allowed us to extract which executables would run on the system.
On average, about seventy percent of the malicious code executed under Windows Vista loaded successfully and executed without a crash or runtime error. Note that malicious code is always looking to latch on to another process, bind to a local port, or modify system critical files; thus, identifying a successful execution does not indicate it fully compromised the victim host. Out of the seventy percent that were able to execute, only about six percent of the samples were able to accomplish a full compromise and an even smaller number (four percent) were able to survive a reboot. The rest did not execute properly due to incompatibility, unhandled exceptions, or security restrictions.
It was easy to spot why malicious code fails to successfully attack a Vista host. Malicious code authors regularly presume a user is running with administrator privileges and blindly attempt to modify system settings, global user environments (registry keys, shared documents), and even bind to ports with little interference. In Vista, these common tactics are now restricted or virtualized.
It is because of these changes that the implementation of malicious code on Windows Vista will change. Malicious code authors will no longer target the system as a whole, but will be forced to target the user environment to accomplish what they want. Needless to say, the possibilities for infection are still endless. We have seen that malicious code can continue to survive on Windows Vista with relatively minor changes. A large portion of our sample set failed, simply because of unhandled conditions with no alternative code paths and an inability to correctly execute within the confines of Windows Vista’s new security environment. With relatively minor changes (which we did not undertake ourselves), these shortcomings can be resolved and a much larger percentage of malicious code will survive on Windows Vista.
The possibility of an existing threat successfully executing, infecting, and surviving on Vista is still a concern. In fact, the majority of file infectors executed did modify other executables in the user’s directory. This is dangerous if the accounts are shared or if the user decides to share one of the directories that contains infected files.
At first glance, this looks good for Microsoft; however, it is merely the direct result of a new, unknown system ‘cleaning the slate’ and protecting against old malicious code techniques. As we have seen in the past, it will only be a matter of time before attackers become more sophisticated, understand Windows Vista, and adapt to this new platform.