Security issue with malware on Vista bypasses UAC and sends out SPAM

Posted: 01-15-2008, 05:31 AM
I came across this problem in early May 2007... and never found anyone else
on Microsoft's support/KB site or the Internet... perhaps someone here has
seen this problem.

I installed a new PC with Windows Vista Ultimate in May... downloaded all
the security updates, etc..
I also had a new Windows SBS 2003 R2 server, also with the latest
OS/security updates.
I created file shares for the USERS and had some that were protected (READ
and PRIVATE) in addition to READ/WRITE. The permissions worked for the
other Windows XP clients on the network, however Vista client would receive
a PERMISSION DENIED pop-up when accessing a folder on the server which they
could not browse nor write a file into... but then the write operation
(folder or file) completed! TO MY SURPRISE! Anyone seen this issue? I
did find some Vista-specific suggested updates for the SBS 2003 R2 server to
support Vista clients... and this resolved the problem! Yikes! These
should have been MANDATORY REQUIRED updates... as I fear some SBS servers
out there may have been compromised by new Vista clients on their network.

Anyhow... I digress. A few weeks later in May, the user received an email
that they should not have opened... and the anti-virus software detected it
and quarantined the virus. All seemed okay... except after a few days the
Internet connection was saturated... even when no one was using the
computers in the office. Further investigation of the firewall (Cisco 871W
router) showed a lot of traffic coming from the Vista client computer. I
looked at the PC and the network status icon showed no status/traffic. So
I disabled the network interface. The outbound SPAM being sent stopped
going through the firewall... and then again 5 minutes later... started
again. Looking at the Vista client again... the network connection was
DISABLED... but sending out traffic! UAC was enabled... how could the
system enable the network connection and send out SPAM? I tested this and
ensured no other devices were on the network. I soon discovered that the
SBS server was doing the same thing! I ran different vendors' anti-virus
tools and scans... nothing was discovered. I found that I physically had
to disconnect the cabling to prevent the SPAM from going out... disabling
the network interface was not enough. I was curious why the Cisco router
was being hammered so much... and then turned off SPI (stateful packet
inspection)... this seemed to keep the Internet connection stable. What
I didn't tell you was that the ISP turned off the Internet connection due to
the SPAMming from our network... and wouldn't re-enable until the problem was
resolved.

I ended up formatting and re-installing both systems as they were relatively
new installs and I wanted a clean installation. To date I have not seen
this problem again.

Any ideas as to what might have caused this behaviour?

I see there are ways to disable UAC from window menus and command line (see
MSCONFIG tool!)... but they normally require a system re-boot. In this
case, it was turned off and on at will... and appeared normal if the user
used the computer. But behind the scenes, controlled the NIC on the Vista
PC.

Has anyone seen this? Is it a known problem? Has it been resolved?


Responses to "Security issue with malware on Vista bypasses UAC and sends out SPAM"

mikeyhsd
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-15-2008, 02:53 PM
malware/virus/trojans can do weird things.
sound like you need better virus protection.



[email protected]



"Grant - CNW" <[email protected]> wrote in message news:[email protected]..


Kerry Brown
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-15-2008, 03:23 PM
"Grant - CNW" <[email protected]> wrote in message
news:[email protected]..
>I came across this problem in early May 2007... and never found anyone else
>on Microsoft's support/KB site or the Internet... perhaps someone here has
>seen this problem.
>
> I installed a new PC with Windows Vista Ultimate in May... downloaded all
> the security updates, etc..
> I also had a new Windows SBS 2003 R2 server server, also with the latest
> OS/security updates.
> I created file shares for the USERS and had some that were protected (READ
> and PRIVATE) in addition to READ/WRITE. The permissions worked for the
> other Windows XP clients on the network, however Vista client would
> receive a PERMISSION DENIED pop-up when accessing a folder on the server
> which they could not browse nor write a file into... but then the write
> operation (folder or file) completed! TO MY SURPRISE! Anyone seen this
> issue? I did find some Vista-specific suggested updates for the SBS 2003
> R2 server to support Vista clients... and this resolved the problem!
> Yikes! These should have been MANDATORY REQUIRED updates... as I fear
> some SBS servers out there may have been compromised by new Vista clients
> on their network.
>
> Anyhow... I digress. A few weeks later in May, the user received an
> email that they should not have opened... and the anti-virus software
> detected it and quarantined the virus. All seemed okay... except after a
> few days the Internet connection was saturated... even when no one was
> using the computers in the office. Further investigation of the firewall
> (Cisco 871W router) showed a lot of traffic coming from the Vista client
> computer. I looked at the PC and the network status icon showed no
> status/traffic. So I disabled the network interface. The outbound SPAM
> being sent stopped going through the firewall... and then again 5 minutes
> later... started again. Looking at the Vista client again... the network
> connection was DISABLED... but sending out traffic! UAC was enabled...
> how could the system enable the network connection and send out SPAM? I
> tested this and ensured no other devices were on the network. I soon
> discovered that the SBS server was doing the same thing! I ran different
> vendor's anti-virus tools and scans... nothing was discovered. I found
> that I physically had to disconnect the cabling to prevent the SPAM from
> going out... disabling the network interface was not enough. I was
> curious why the Cisco router was being hammered so much... and then turned
> off SPI (stateful packet inspection)... this seemed to keep the Internet
> connection stable. What I didn't tell you was that the ISP turned off
> the Internet connection due to the SPAMming from our network... and
> wouldn't re-enable until the problem was resolved.
>
> I ended up formatting and re-installing both systems as they were
> relatively new installs and I wanted a clean installation. To date I
> have not seen this problem again.
>
> Any ideas as to what might have caused this behaviour?
>
> I see there are ways to disable UAC from window menus and command line
> (see MSCONFIG tool!)... but they normally require a system re-boot. In
> this case, it was turned off and on at will... and appeared normal if the
> user used the computer. But behind the scenes, controlled the NIC on the
> Vista PC.
>
> Has anyone seen this? Is it a known problem? Has it been resolved?
>
>

Once malware is on your system it can do whatever it wants. Even on Vista if
a user can be tricked into responding to a UAC prompt the malware would have
free rein. Malware can easily bypass the Windows networking stack and
access the NIC directly. For the server it could have been malware on the
server or a misconfigured Exchange server allowing relaying. If you had
malware on the server then you have to seriously look to find out how it got
there. SBS is very secure in its default configuration. You shouldn't be
using the server for anything but administrative tasks. With SBS 99% of all
administration should be done with the wizards. SBS is a complicated setup.
Trying to administer it without the wizards will almost always leave
something misconfigured and thus vulnerable. You need better anti-malware
protection. Trend Micro CSM works very well with SBS both on the server and
the clients.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca/phpBB2/



Grant - CNW
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-16-2008, 03:32 PM
I would have thought that Vista, even if compromised, would not allow NIC
and user interface to be bypassed as it is in control of the hardware and
operating system at the low-level driver level. Sure, malware can disable
UAC but normally this requires a pop-up window to confirm the change with the user
as well as an OS re-start... this did not occur.

The SBS 2003 R2 server was completely setup with wizards... nothing was
circumvented, even file sharing (other than changing security permissions on
some folders). I suspect it was compromised over the network from the
infected Vista client... even though it was at the latest security updates
level.

Detection and removal of the malware was attempted with AVG, Symantec, Trend
Micro and Sophos... none of them discovered nor were able to remove the
problem... hence why I had to re-build.

Unfortunately, I did not make an image of the infected Vista configuration
in order to re-test for the malware... or perform further diagnosis.
Business requirement to get up and running again ASAP was much more
pressing.

I guess my concern is that this malware would not have been detected if I
had not been regularly checking the Internet firewall logs... and in a
bigger network would have been more difficult to track down and isolate.
It did lead to internet connection performance issues as well as client and
server impacts.

So what is a hardened approach to protect against this in the future?
Microsoft Forefront? User training? Multiple malware products? Many
other suggestions...?
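Grant's point that the outbound spam was only noticed because someone was reading the firewall logs is a check that can be automated. The following is an added example, not code from the thread or from any product mentioned in it: it parses constructed log lines written in the style of Cisco IOS ACL logging (`%SEC-6-IPACCESSLOGP`) and flags internal hosts whose TCP/25 connections fan out to an unusually large number of distinct external addresses. The sample lines, the addresses, the `192.168.1.0/24` internal range, the known-relay address and the threshold of five destinations are all assumptions made up for this example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines in the style of Cisco IOS ACL logging; these are not
# captured from the poster's Cisco 871W.  192.168.1.50 plays the infected Vista
# client, 192.168.1.2 the SBS server (the site's expected mail relay), and
# 192.168.1.60 a client doing ordinary HTTPS.
SAMPLE_LOG = """\
Jan 15 09:01:02 gw 101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1034) -> 203.0.113.5(25), 1 packet
Jan 15 09:01:03 gw 102: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1035) -> 198.51.100.7(25), 1 packet
Jan 15 09:01:03 gw 103: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1036) -> 198.51.100.8(25), 1 packet
Jan 15 09:01:04 gw 104: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1037) -> 203.0.113.9(25), 1 packet
Jan 15 09:01:04 gw 105: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1038) -> 203.0.113.10(25), 1 packet
Jan 15 09:01:05 gw 106: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1039) -> 198.51.100.11(25), 1 packet
Jan 15 09:01:05 gw 107: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.50(1040) -> 203.0.113.5(25), 1 packet
Jan 15 09:02:10 gw 108: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.2(2201) -> 203.0.113.20(25), 1 packet
Jan 15 09:02:11 gw 109: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.2(2202) -> 203.0.113.21(25), 1 packet
Jan 15 09:02:12 gw 110: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.168.1.60(3301) -> 203.0.113.30(443), 1 packet
Jan 15 09:02:13 gw 111: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.40(5555) -> 192.168.1.60(25), 1 packet
"""

# Only permitted flows matter for "what left the network"; denied ones never did.
LINE_RE = re.compile(
    r"permitted (?P<proto>tcp|udp) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)


def parse_line(line):
    """Extract protocol, source, destination and destination port from one
    IOS-style ACL log line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def smtp_fanout(log_text, internal_net="192.168.1.0/24"):
    """Map each internal source address to the set of distinct external hosts it
    reached on TCP/25.  The internal range is an assumed parameter; membership is
    tested explicitly rather than via ipaddress.is_private, because the
    documentation ranges used in the sample are not treated as global by Python."""
    internal = ipaddress.ip_network(internal_net)
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if src in internal and dst not in internal:
            fanout[rec["src"]].add(rec["dst"])
    return dict(fanout)


def find_spam_senders(log_text, known_relays=frozenset(), min_destinations=5):
    """Flag internal hosts whose TCP/25 fan-out reaches min_destinations distinct
    external hosts.  A legitimate mail relay is reported too (in the thread the
    SBS server itself turned out to be sending), but tagged as known_relay so the
    analyst compares it against its normal baseline rather than ignoring it."""
    flagged = {}
    for src, dsts in smtp_fanout(log_text).items():
        if len(dsts) >= min_destinations:
            flagged[src] = {"destinations": len(dsts), "known_relay": src in known_relays}
    return flagged


if __name__ == "__main__":
    for host, info in sorted(find_spam_senders(SAMPLE_LOG, known_relays={"192.168.1.2"}).items()):
        tag = " (known relay)" if info["known_relay"] else ""
        print(f"{host}: {info['destinations']} distinct SMTP destinations{tag}")
```

Run against a real router's syslog export, the threshold and internal range would be tuned to the site; the point is that a workstation opening SMTP sessions to many unrelated hosts is abnormal in a network where only the mail server is supposed to relay, and that this shows up in the perimeter logs even when the host's own status indicators, as Grant found, show nothing.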


Kerry Brown
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-16-2008, 04:55 PM
> So what is a hardened approach to protect against this in the future?
> Microsoft Forefront? User training? Multiple malware products? Many
> other suggestions...?
>
>

User training is the best defense. Do you have WSUS installed on the SBS
server? Keeping the clients up to date is the next step in a good defense.
WSUS is a good solution for Microsoft. You also need to make sure that all
the other programs on the clients are kept up to date. There are flaws in
old versions of QuickTime, Adobe Reader, Flash, Java, and many more that
malware can exploit. If you go to some web sites you can log them trying
many different exploits for many different programs trying to install
malware. Sometimes the attacks continue for many minutes after you leave the
site.

As far as Vista stopping malware once it's past the first UAC prompt it can
pretty much do whatever it wants. It could install a rootkit. A rootkit can
be loaded before Windows. It could easily create its own network stack
hidden from Windows.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca/phpBB2/



Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-19-2008, 08:59 AM
"A few weeks later in May, the user received an email that they should
not have opened"

Block attachments. They clicked and installed something. UAC won't
protect you from the end user that clicks and installs.

Kerry Brown wrote:
>> So what is a hardened approach to protect against this in the future?
>> Microsoft Forefront? User training? Multiple malware products?
>> Many other suggestions...?
>>
>>
>
>
> User training is the best defense. Do you have WSUS installed on the SBS
> server? Keeping the clients up to date is the next step in a good
> defense. WSUS is a good solution for Microsoft. You also need to make
> sure that all the other programs on the clients are kept up to date.
> There are flaws in old versions of QuickTime, Adobe Reader, Flash, Java,
> and many more that malware can exploit. If you go to some web sites you
> can log them trying many different exploits for many different programs
> trying to install malware. Sometimes the attacks continue for many
> minutes after you leave the site.
>
> As far as Vista stopping malware once it's past the first UAC prompt it
> can pretty much do whatever it wants. It could install a rootkit. A
> rootkit can be loaded before Windows. It could easily create its own
> network stack hidden from Windows.
>
Mr. Arnold
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-19-2008, 09:37 AM

"Grant - CNW" <[email protected]> wrote in message
news:[email protected]..
>
> I ended up formatting and re-installing both systems as they were
> relatively new installs and I wanted a clean installation. To date I
> have not seen this problem again.
>
> Any ideas as to what might have caused this behaviour?
The machines were compromised, period, and you did the right thing.

http://www.microsoft.com/technet/com...mt/sm0504.mspx

Hansjörg
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-19-2008, 10:41 AM
Hey,

if malware is ever executed as Admin it can simply install services (to
achieve system privilege), take ownership of everything (to overrule the
trusted installer), disable services & drivers, change firewall settings,
install new drivers, kill antivirus software....
What has Vista improved compared to XP at all?
Now - you can not hook into the keyboard and mouse any more, hooking into
Winlogon has been disabled, sending Windows Messages between different
security contexts is not possible any more and much more.
Yet: as soon as you ever granted someone FULL UNLIMITED ACCESS (that is: he
is in the heart of your castle behind all of your walls of defence) the
machine is potentially not yours any more (the castle is lost).
The only thing to safely recover is
1.) Unplug the network
2.) Boot the machine with an independent boot CD.
3.) Wipe the file system (the safe way is to low-level overwrite clusters)
4.) Reinstall
(=burn the castle to the ground and rebuild from scratch).

hansjörg

"Grant - CNW" <[email protected]> schrieb im Newsbeitrag
news:[email protected]..
> I would have thought that Vista, even if compromised, would not allow NIC
> and user interface to be bypassed as it is in control of the hardware and
> operating system at the low-level driver level. Sure, malware can
> disable UAC but normally this requires pop-up window to confirm change
> with the user as well as an OS re-start... this did not occur.
>
> The SBS 2003 R2 server was completely setup with wizards... nothing was
> circumvented, even file sharing (other than changing security permissions
> on some folders). I suspect it was compromised over the network from the
> infected Vista client... even though it was at the latest security updates
> level.
>
> Detection and removal of the malware was attempted with AVG, Symantec,
> Trend Micro and Sophos... none of them discovered nor were able to remove
> the problem... hence why I had to re-build.
>
> Unfortunately, I did not make an image of the infected Vista configuration
> in order to re-test for the malware... or perform further diagnosis.
> Business requirement to get up and running again ASAP was much more
> pressing.
>
> I guess my concern is that this malware would not have been detected if I
> had not been regularly checking the Internet firewalls logs... and in a
> bigger network would have been more difficult to track down and isolate.
> It did lead to internet connection performance issues as well as client
> and server impacts.
>
> So what is a hardened approach to protect against this in the future?
> Microsoft Forefront? User training? Multiple malware products? Many
> other suggestions...?
>
>
Hansjörg
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-19-2008, 10:48 AM
Exactly. You can NEVER recover from a compromised machine.
You acted absolutely the right way.
Further reading: Protect your Windows Network, Jesper M. Johansson, Steve
Riley, Addison Wesley ISBN 0-321-33643-7. Pays back every spent Cent with 1$
saved damage.

Hansjörg

"Mr. Arnold" <MR. [email protected]> schrieb im Newsbeitrag
news:[email protected]..
>
> "Grant - CNW" <[email protected]> wrote in message
> news:[email protected]..
>
>>
>> I ended up formatting and re-installing both systems as they were
>> relatively new installs and I wanted a clean installation. To date I
>> have not seen this problem again.
>>
>> Any ideas as to what might have caused this behaviour?
>
> The machines were compromised, period, and you did the right thing.
>
> http://www.microsoft.com/technet/com...mt/sm0504.mspx
Grant - CNW
Re: Security issue with malware on Vista bypasses UAC and sends out SPAM
Posted: 01-20-2008, 04:38 PM
Interesting. Thanks for the excellent information everyone.
I guess my concern comes from "perception" versus "reality".

Companies state that new versions of products are more secure... including
latest Vista release...
where the inconvenience of UAC interface and vague information presented are
touted as "saviours" BUT are not SIMPLE and easy to use and understand... in
fact are often confusing. To the average user it is an "obstacle" to
getting the real work done... and should be handled by the operating system.
Yet if a user makes a simple mistake by opening a malware e-mail with
PREVIEW on (the crazy default in Outlook 2007, 2003, etc. which I always
turn off for customers), they are caught with their pants down and pay the
price! One would expect Windows operating system, internally, would have
security "heuristics" which look for changes/hacks or repeated operations
which are perceived as malware attacks... for example, multiple SMTP calls,
network interface activity, etc.... and based on kept list of security
changes, disallow the Administrative right granted in error. Windows
updates and patches, in fact any system changes, should be based on
confirming identity and authentication of requester, and the core OS should
be protected... perhaps in a "burned in" firmware or memory device... or
protected memory/disk areas. Should an Administrator be able to change OS
files? I don't think so... there is a need for a "super admin" concept...
which has added security features to manage and protect the OS core.

People are told and perceive Vista, IE 7, etc are more secure... but there
will always be something... now or future.
Really, it is about mitigating risk, user education, and keeping it simple,
as well as planning for disaster recovery.
Pervasive security policies and practices.

....Grant


"Hansjörg" <[email protected]> wrote in message
news:[email protected]..
> Exactly. You can NEVER recover from a compromised machine.
> You acted absolutely the right way.
> Further reading: Protect your Windows Network, Jesper M. Johansson, Steve
> Riley, Addison Wesley ISBN 0-321-33643-7. Pays back every spent Cent with
> 1$ saved damage.
>
> Hansjörg
>
> "Mr. Arnold" <MR. [email protected]> schrieb im Newsbeitrag
> news:[email protected]..
>>
>> "Grant - CNW" <[email protected]> wrote in message
>> news:[email protected]..
>>
>>>
>>> I ended up formatting and re-installing both systems as they were
>>> relatively new installs and I wanted a clean installation. To date
>>> I have not seen this problem again.
>>>
>>> Any ideas as to what might have caused this behaviour?
>>
>> The machines were compromised, period, and you did the right thing.
>>
>> http://www.microsoft.com/technet/com...mt/sm0504.mspx
>