Hit or Miss? Vista and Current Threat Survivability
The long anticipated Windows Vistaoperating system is finally out the door and as anyone would agree,it’s celebration time at Microsoft. But, let’s discuss what we are infor with a peek at the default user environment on the 32-bit platform.
Symantec Advanced Threat Research decided to conduct an analysis ofWindows Vista’s security enhancements provided by the user accountcontrol (UAC) and resulting new security barriers. No formalrequirements were defined, although a few guidelines were set to stayorganized; gather a sample set of malicious code, execute them underthe default UAC environment, and carefully determine their success. Theresults were then broken down into three categories:
1) Successful execution of malicious code
2) System restart survivability
3) Failed execution of malicious code, and why
There are two important prerequisites in place to establish fair play practices:
1) All malicious code must be executed under the default UAC environment
2) No malicious code is to be modified to bypass current Vista restrictions
It is important to point out that malicious code was selected byclass, but largely at random. The targeted selections are classified asrootkits, Trojans, spyware, mass mailers, etc. All tests were executedunder a VMware virtual machine and it is also important to note thatsome malicious code may intentionally not run under this environment.Several classes of threats were expected to fail, but were includedsimply for the sake of completeness. In particular, because of UAC,rootkits inevitably fail as do Trojans, which by design try to loaddrivers or modify system-wide settings.
Analyzing the results
Approximately 2,000 unique instances of malicious code were executedduring the life of this project. While relatively simple, the methodused for determining whether or not a sample of malicious code wassuccessful was fairly time consuming. Data normalization procedureswere required before meaningful results could be retrieved. The logsproduced by the tools displayed certain properties that allowed us toextract which executables would run on the system.
On average, about seventy percent of the malicious code executedunder Windows Vista loaded successfully and executed without a crash orruntime error. Note that malicious code is always looking to latch onto another process, bind to a local port, or modify system criticalfiles; thus, identifying a successful execution does not indicate itfully compromised the victim host. Out of the seventy percent that wereable to execute, only about six percent of the samples were able toaccomplish a full compromise and an even smaller number (four percent)were able to survive a reboot. The rest did not execute properly due toincompatibility, unhandled exceptions, or security restrictions.
It was easy to spot why malicious code fails to successfully attacka Vista host. Malicious code authors regularly presume a user isrunning with administrator privileges and blindly attempt to modifysystem settings, global user environments (registry keys, shareddocuments), and even bind to ports with little interference. In Vista,these common tactics are now restricted or virtualized.
It is because of these changes that the implementation of maliciouscode on Windows Vista will change. Malicious code authors will nolonger target the system as a whole, but will be forced to target theuser environment to accomplish what they want. Needless to say, thepossibilities for infection are still endless. We have seen thatmalicious code can continue to survive on Windows Vista with relativelyminor changes. A large portion of our sample set failed, simply becauseof unhandled conditions with no alternative code paths and an inabilityto correctly execute within the confines of Windows Vista’s newsecurity environment. With relatively minor changes (which we did notundertake ourselves), these shortcomings can be resolved and a muchlarger percentage of malicious code will survive on Windows Vista.
The possibility of an existing threat successfully executing,infecting, and surviving on Vista is still a concern. In fact, themajority of file infectors executed did modify other executables in theuser’s directory. This is dangerous if the accounts are shared or ifthe user decides to share one of the directories that contains infectedfiles.
At first glance, this looks good for Microsoft; however, it ismerely the direct result of a new, unknown system ‘cleaning the slate’and protecting against old malicious code techniques. As we have seenin the past, it will only be a matter of time before attackers becomemore sophisticated, understand Windows Vista, and adapt to this newplatform.