Thursday, June 09, 2016

The Administrative Rights Challenge

I don't want anyone to be insulted here . . . but I question a lot of what I've heard about crypto-viruses and other viruses going around.

So I have a challenge.

The Myth: You can get Crypto-locker or other crypto-viruses from just visiting a web site.

The Other Myth: You can get these viruses even if you are running without Administrative Privileges.

Now I admit that LOTS of people believe these things. Sometimes people even swear by it. So here's

The challenge: Prove it.

I never operate my computers with administrative privileges. Neither do my clients. We don't get viruses because these kinds of viruses have to have elevated privileges. That means, if you don't put in an administrative username and password and elevate your privileges, you can't install a program.

Including viruses.

So prove it.

Post a link here that I can click on. Post a web site I can browse to and magically infect my machine.

I'm backed up. I have images. I'm willing to rebuild.

So bring it on.

- - - - -

I've had several conversations with people that lead me to believe that they believe these myths and they operate their computers with admin rights. I know this because they say things that make it clear they don't know the line between what you need these rights for and what you don't need these rights for.

Here's the deal with security: It can be a pain in the neck. It doesn't have to be.

UAC - User Access Control - should be enabled at all times for all users. I can see an exception for the actual administrator on the server. But I also assume you're going to be careful and thoughtful.

All users - including the network administrator - should operate without administrative rights at all times. When asked to elevate your privileges, slow down and think about it. Why did this pop up and do I really need it?

Users can be given access to a text file in a secure area on the server with an administrative logon and password so they can elevate privileges when absolutely necessary.

How do you know if you have administrative rights? That's easy: Click on an installation program of any kind. You won't be able to install a program if you do not have admin rights. Period. That includes programs we call "viruses."

I highly recommend that you craft an actual policy for assigning rights within your own company and within your clients. A great place to start your education is here:  https://technet.microsoft.com/en-us/library/mt620094.aspx.

(As a general rule, the Knowledgebase, Library, and Technet Magazine sections of Technet are very good and reliable. The "Forums" are stupid and useless. They're filled with a lot of people saying, "Yeah, I have the same problem. Has anyone found an answer yet?")


Why Do People Think They Need Admin Privileges?

Again, we get back to spreading myths. Many people think you need admin rights to install printers. Not true. If you (the administrator) installed the correct drivers when a machine was set up, then any user without admin rights can set up a printer ("install" a printer). No additional code is being installed because the drivers are already there.

Some people say they need to make basic changes like setting the time zone. I'm sorry. Why do you need to change the time zone? If a client needs that for whatever reason, they can enter a service request.

Some programs won't run without Admin Rights. This is rarely true. One of the oldest myths in the I.T. business is based on false logic.
- Running as the administrator solves my problem.
- Therefore I have to run as the administrator to solve my problem.

These programs are trying to do a specific thing, such as write to a secure area. In most cases, this is going to be the registry or an administrative area of the hard drive. You can solve your problem by adjusting that user's rights without giving them the ability to install executable code.

But to do that you have to do some research and you have to test. And you have to not be lazy.

The bane of our existence is old Line of Business applications that run as administrator on the server because sloppy, lazy programmers were not willing to define exactly which rights were needed and limit their code to those specific functions. So we "solve" the problem with administrative rights.

The old friendly days of the Internet (and Windows) are gone.

You can't be lazy any more. You need to educate yourself and define safe procedures that are in your client's best interest. This might cost them a little money. But they won't have the expense from downtime because of encrypted files.

- - - - -

Summary Challenge

Alright, all you people who visit magical web sites where your computer is suddenly stricken with viruses: Prove it. Post the URL of the web site, blog, link, etc.

For those who argue that there are new, evil viruses that can install themselves without administrative privileges: Prove it. Post a link to such a virus.

And if I'm wrong - I'll report exactly what happened. Then I'll rebuild that machine and do it again to verify exactly how the bad guys were successful.


Disclaimer: I am going to browse and click on everything entered in the comments here. I am responsible for the damage done to my own machine. I am not responsible for the damage you do to your machine!

If you do not have an absolutely secure computer, do not click or browse anything posted here. If you do not master an understanding of your computer's security, do not click or browse anything posted here.

Your turn.

:-)

- - - - -

Update July 8th: Please watch the sample presentation I give to clients regarding safe computing, viruses, and why they can't have administrative rights. Like it and share it if you like it. Includes link to download the presentation so you can make this presentation to your clients.

http://blog.smallbizthoughts.com/2016/07/video-sample-client-facing-presentation.html
- kp


30 comments:

  1. Ah.. haha. Yes, your are wrong, and linking you to a virus isn't going to make either of us happier about that. Your challenge here isn't all that sexy lol.

    The key boils down to what you can run (in the user context,) unless a process restriction policy is in place, they can load programs, and what you can do to files (generally of the data sort). Naturally, users have to be able to load programs (Word) and edit documents (.docx).

    Note: Restrictions on loading applications on Windows are generally cumbersome and out of the reach of most people. It's often recommended that at least the AppData/LocalAppData folders are locked down (as a start).

    ReplyDelete
  2. Good stuff Karl, there's just a LOT of misinformed people and sadley IT PEOPLE out there. We've been doing this for YEARS, since the late 90's. It's a Microsft best practice but no one seems to teach it. Update your patches and AV, thats what the security "experts" will all tell you and that's all great but the sad truth is? You don't even need AV, if you don't have admin rights. What's the worst thing that's going to happen to you? Your profile gets corrupt? OK, so you delete it and rebuild it when you login next. Assuming you don't keep your data on the desktop too, which may be assuming a lot for people running with full rights. Sorry, this is one of my pet peeves. IT Sys admins shouldn't even be allowed to graduate without this critical knowledge. Take away the rights always, you can find a work around to get that program from 1992 to run, like direct file permissions access, trust me, you don't need admin rights. Thank You Karl!

    ReplyDelete
  3. The primary vector for CryptoLocker is via email.

    Most CryptoLocker variants don't care if they have admin rights or not - they will happily encrypt whatever they have permissions to. Non-domain rights just means you'll have shadow copies to fall back on.

    I suggest you re-read your article and check how many informal fallacies you've managed to hit :-)

    ReplyDelete
  4. This comment has been removed by the author.

    ReplyDelete
  5. Gotta disagree Chris. You cannot install CryptoLocker if you don't have install rights. Once it's installed, yes, anyone can run it. But you have to bypass UAC and raise your privileges to install it.

    Please point out any fallacies you see.

    ReplyDelete
  6. Go read up on the Angler exploit that dropped TeslaCrypt as part of its malware payload. Trend Micro, Trustwave and Malwarebytes all blogged on the topic in March this year. This is the most recent well publicised web-based infection vector for encrypting malware.

    The encrypting malware isn't installed using any API or other system vector that will trip a UAC prompt. The malware is typically dropped into %APPDATA% - if it's dropped at all (yes, file-less in-memory malware is a thing!) - and will run with the user's current privilege level. If it wants administrative privilege levels then it will gain it through privilege escalation vulnerabilities, bypassing UAC. Failure of privilege escalation (for example, being up-to-date with patching) means that the removal of shadow copies will fail giving the user a possible avenue for recovery without paying for the decryption key.

    If you're talking about the orginal CryptoLocker, then you're absolutely correct in your assertions, but encrypting malware has moved on since 2013 and your assertions are no longer valid.

    Again, go read up on Angler and TeslaCrypt. These are just two variants that bust your myths.
    Pick your favourite anti-malware vendor to give you the expert tear-down of these two variants, as I don't think my words alone will be enough to convince you.

    ReplyDelete
  7. Oh, don't get me wrong, I'm not arguing with all your other recommendations - they're all spot on and should be implemented. It's your naïve and ignorant view that malware needs to be "installed", must need administrative privileges granted to it by the end user either by explicit administrative rights by disabling UAC or via a UAC prompt, and can only cause damage by requiring administrative privileges that I'm trying to address. This is simply one area where you've not done the necessary research to educate yourself properly.

    ReplyDelete
  8. Okay. If I've learned one thing from being in this business 25 years, it's that I may be uninformed on many levels. Please point me to one of these magical web sites. Prove it to me. Theoretical exploits are delightful for scaring people in a group. Show me.

    ReplyDelete
  9. I have to agree with the opposition here. While only an idiot would run a computer with full-time administrator privileges these days, removing administrator privileges is not a prevent-all or cure-all solution to malware in general. As for ransomware, ultimately the administrator has to be hard-nosed about who gets permissions to things in order to reduce the attack surface. The villain here is "Everyone/Full control" permissions. Just ignore your application vendor when it insists on that and give Modify permissions only to those accounts that need those permissions. Beyond that, be sure to have good backups and push whitelisting of Internet sites on the firewall, if you even want to allow Internet at all. I actually think air-gapped systems will become a necessity not too long from now.

    ReplyDelete
  10. Thanks for disagreeing without being insulting, Andrew!

    I'm certainly not advocating that Admin Rights are a cure-all but I'll bet 90% or more of the computers out there are running with local admin privileges and asking for trouble. The basics that we advocate are:

    Step One: Have a good, current anti-virus program.

    Step Two: You need a good patch management system.

    Step Three: No one in your company should have "administrative rights" on your computers.

    Step Four: You need a good firewall with an anti-virus module installed.

    Step Five: You need good habits.

    If I were to insist on a sixth, it would be web based filtering.

    ReplyDelete
    Replies
    1. All good points. But things are so bad now that we have reached the point where we have gone as far as we can go with background prevention. The threats are so severe that we have to annoy end users or even fire the clients if we don't get the support we need to block the threats as it now becomes a liability issue. More and more operations are going to have to become "call head cashier."

      Also, I never use the term "rights" as it us too emotionally charged. It's always "privileges" with me. Only the owner of a company has any inherent right to use the computers at all, much less access particular web sites or files.

      We stopped giving out administrator privileges ten years ago, but that just bought us time. We have already seen more trash than we care to see get onto workstations where the user was not an administrator. It still helps lots and often makes the difference between a reformat and just redoing the user profile, but today, more is needed.

      Delete
  11. Karl you know as well as I do that these things are massively fluid as it's one great big arms race. There's little point me posting a link to a compromised ad server as it will most likely be gone or rendered useless by the time you link to it. It's also highly dependent on whatever the flavor of the day/week/month the current leveraged exploit is. Which is why your Five Steps are excellent as they ameliorate (but don't necessarily eliminate) the chances of getting hit. The sixth is most definitely Web Content Filtering, the seventh (more like 6a) is ad blocking and the eighth is exploit mitigation either as part of your anti-malware or something like EMET or HitmanPro.

    Rather than play a game of whack-a-mole with you I'll point you to the Arstechnica article that covered the last big round of malvertising that dropped TeslaCrypt on unsuspecting systems. You can read the Trend Micro, Trustwave and Malwarebytes blog entries from there.
    http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
    Oh, and Trend Micro, Trustwave and Malwarebytes aren't talking about theoretical exploits, they're discussing their analysis of in-the wild infections as part of improving their products' detection capabilities.

    TeslaCrypt ran happily without admin privileges. It just encrypted everything it had permissions to and didn't care that it couldn't take out the shadow copies, thankfully making the recovery process quicker.

    Agreed, running with admin privileges and reading e-mail and web browsing is just asking for pwnage, but don't think for one minute you're immune to a drive-by infection just because you've turned on UAC.

    ReplyDelete
  12. Yes, lots of comments, and it's clear how wrong this article is. Thankfully no one needed to get a virus to "prove" it to you Karl. :)

    ReplyDelete
  13. Hmmmm. I don't see that anyone has proven me wrong at all.

    Where's the code? Where's the magic page?

    Theoretical discussions by AV vendors are great. And it may surprise you that I actually read that stuff after 25 years in this business. But I do.
    I rely on them to test these things and constantly improve their products.

    But my clients basically never get viruses. Ever.

    I go to conferences all the time and hear people going on and on about crypto viruses and all kinds of stuff. It's clear that they make a great deal of money cleaning up after viruses.

    I make essentially zero percent of my revenue (and spend zero percent of my time) dealing with viruses. It's not totally due to administrative privileges, but it is due to the five steps mentioned above.

    You can't solve all the AV problems in the world. If people are browsing the Internet with Windows 95, IE 3, and outdated AV, they're going to get infected. You can't do anything about that.

    If YOUR clients have new versions of Windows with secure browers, patched systems, a current AV program, a good firewall with an AV module, solid training, and no administrative rights then they won't get viruses either.

    I'm still waiting for someone to show me where I can browse and infect my machine.

    ReplyDelete
    Replies
    1. haha.. Let's keep it respectful Karl.

      I think everyone here is respectfully saying your wrong - regardless of the number of years you've been in this business (I've been doing it longer though). This is not some obscure reference to research, it's a clear explanation as to why you can find a computer infected given the basic parameters you've supplied in your article. This is as clear as it can be, whether you choose to accept it or not.

      Also, I'm happy your customers never get viruses. Perhaps you think you've figured it all out in this regard. That's really ok. Not a day goes by when we're given the gift of a learning opportunity.

      Perhaps your connotation about some sort of conspiracy to make money off cleaning viruses is a real thing too, but then maybe also the earth is flat, I'm not 100% sure because I haven't (yet) been to space to verify that first hand.

      But, to your assertion about viruses, you're wrong, wrong, wrong. In fact, if I were to verifiably control the testing conditions (how do I know you'll follow the rules), I'd love to help you get over this hump. But, as they say: "Time is money".

      Delete
  14. On the challenge of not being able to install you may be right.

    But not all cryptovirussen / cryptolockers need to be installed. They need to run.

    So there is a simple test.
    For the test I bypass email, as you could have(should have) a exe blocker.

    Put putty.exe of an USB drive or download it directly
    run in on your PC from a user account

    if putty can, a cryptolocker can. There is little programma skills needed to make an exe or maybe javascript that accesses every file it has acces to and do something with it ( rewrite, delete, encrypt)

    A real cryptolocker is more complex but in basic it's a file rewrite.



    ReplyDelete
  15. lee evans10:25 AM

    Sorry Karl but you got this one slightly wrong, for the reasons many of the commentors are trying to show you. I have seen with my own eyes crypto style viruses which have hit people who 100% do not have admin. There are probably at least thousands of malicious software which do not need admin. I agree with the principle you are advocating and we are rigorous on the enforcement of this also. I would worry about an element of complacency if you really think you have it all sewn up 100%. Someone mentioned software restriction policies and these are a very good thing to do that can make a huge difference. I am sure you have friends in an AV company or two who can give you the "evidence" you want because you seemingly don't believe all the voices on here could be right and you are wrong?!

    ReplyDelete
  16. Of course I could be wrong. And I don't use this one policy in isolation.

    But I go to conference after conference where people stand up and say that they are seeing crypto locker everywhere and there's nothing they can do about it. This is a huge thing you can do.

    And if everyone across the entire enterprise follows a few simple rules, then those rogue executables that we've been blocking since 1992 will never get to your network.

    I fully admit: If you plug in a USB drive whose source is unknown, don't scan it for viruses, and run an executable, lots of bad stuff can happen. But you have to work really hard to do this. You have to ignore lots of advice. And while my clients might theoretically do that, they don't do it in the real world.

    I don't know anyone who is rigorous about admin rights who also spends time cleaning up Crypto Locker. Invariably, when they get bit, it's because someone went out of their way to elevate their rights and execute code.

    ReplyDelete
  17. lee evans10:58 AM

    We are rigorous about admin rights and have had to clean up some crypto(*) incidents. I don't think anyone is questioning the validity of your methodologies or best or best practicies to the efficacy of those in significantly reducing your risk and exposure. The only point at issue is your assertion that you cannot get crypto without admin rights - this is just not true.

    ReplyDelete
  18. Anonymous11:27 AM

    Haven't tried these myself, but give them a go Karl and let us know how things go:

    For Cryptolocker (older) use this: https://www.grc.com/malware.htm
    For the current stuff use this:http://www.malware-traffic-analysis.net/2015/11/30/index.html (under "ZIP archive of the malware" I won't link directly, Password:"infected")

    ReplyDelete
  19. Obviously click at your own risk.

    ReplyDelete
  20. Sorry, Anon. The challenge is NOT whether I can work really hard to infect my computer. I can go to that page and download the file. Then I have to use GPEdit to disable Windows Defender and then disable every other AV product. At that point I can extract the .exe file. But running that file from my hard drive is NOT the challenge.

    The challenge is very simple: Point me to a web page where all I have to do is visit and POOF! my machine is magically infected with crypto locker or some other crypto virus.

    That's the challenge. Not that I can work for an hour to defeat my own basic defenses. But The Myth: You can get Crypto-locker or other crypto-viruses from just visiting a web site.

    If your clients tell you that they didn't click on anything, didn't run anything, didn't elevate their privileges, and just magically got a virus, I don't think they're telling the whole story.

    Even the http://arstechnica.com/ article mentioned above says that these attacks have to install something - You have to click on something and you have to give it permission. It doesn't magically run because you visited the page.

    I know people want to respond to the comments more than to what I actually wrote. My challenge is not whether I can force viruses onto my system but where I can get them by accident. Because that's what people claim all the time - They did nothing and their machine got infected.

    ReplyDelete
  21. Reading the whole discussion it seems that we don't complete understand what your challange is.
    It seems that you state 2 things:

    1) drive by download dont't excist.
    2) if they would exist they can't be installed if you don't have admin rights

    About point 1:
    if will be hard for us to link you to a site if they exist. they are at least rare and will be disappeared as soon as the are discovered.
    But the fact that we can't give a link doesn't mean they don't exist. You/we believe in a lot of things we haven't seen but others have

    About point 2
    You could be right at this. But as i commented before crypto damage ca be done by an exe file without the need to install. So if a driveby can let you automaticly download and run a file then the user is in trouble.

    But I also don't really care if drive by exist or not. People click on things. Knowingly or unknowingly even forgetting that they clicked.
    and then they get the files encrypted. I don't care if it installed or just executed.

    We have and had to deal with the result.
    Luckily all our backup procedures where good when our customers got infected. So we have been able to restore them in a few ours.

    We block a lot with spamfilters, exe and zip blockers and whatever. Still there can always one extra angle we didn't cover.


    ReplyDelete
  22. (Continued from the first comment)

    The Myth #2: You can get these viruses even if you are running without Administrative Privileges.
    --------
    There are simply too many examples here in the comments that prove you're wrong on this. And, by all rights, your challenge should have completely been invalidated by your lack of understanding of this simple mechanism. The key here (as I and others have mentioned) is in the user's context.

    What can a "Limited User" do that's malicious then? Surely since they aren't administrators, they can't hurt anything right? They need to be an administrator to encrypt files, right? Let me give you a simple test you can run to see how dangerous a "Limited User" can be in this specific context. Again, I note that you have not specified how "Limited" users are in your myth, so I'll presume that the user has domain over his/her own context - the default state of a Windows-based limited user. Do this.

    1. Setup your system with a new user and make that user limited by making sure the user is not part of any administrative group on windows. Log out and log in as that user.
    2. Make some documents (either in Word or Wordpad) and save them as you normally would in that User's %Documents% folder. This is normally what a user would do. That user has done nothing to change context and is still "Limited" and non-administrative.
    3. Download a portable, single-file encryption tool - I have one I can give you (just ask) - and there are many out there, but this is easier to illustrate with single-file encryption PE tools.
    4. Either run the tool or save it on the User's desktop (you can!), run it (you can!), and then chose one of the documents you made earlier and encrypt it (you can!).

    Doing all that, you have replicated the process of what most CryptoLocker viruses do - but you have just done it manually (for the purposes of illustration). None of this required Administrative privileges, application installations processes or any sort of elevation of privileges. All Cryptolocker would do is automate that process (while working on several methods of self-preservation beyond the scope of your challenge). Viruses are written by bad guys (they have to be at least a little dumb to be doing this right?), so many of them are poor and make mistakes on these steps - but the well-made ones are the ones that get to users.

    None of this happens to your customers? I would submit you're probably looking at the wrong thing, because your customers *have to be able to do work* - that's why they have computers.. Does it ACTUALLY happen? Yes, this is how Windows works! Is it a myth? No. Absolutely not.

    Regardless of wrong or right, it's always a good thing that people are taking the time (hopefully for others' benefit) to explain what they mean - and perhaps this is where some learning can happen.

    ReplyDelete
    Replies
    1. Note, the first half of my comment is missing here. This was posted in a previous comment. Please publish all of my post.

      Delete
    2. Kevin, I don't have any other comments awaiting moderation.

      Delete
    3. Yep, there's a half hour of my time wasted. Blogger - simply the worst blog and commenting platform since cruft was invented. Awesome. /s

      Delete
  23. I am starting to think that the real problem here is that while Karl is an outstanding business owner, he lacks the day to day technical experience that would give him the perspective that those of us on the front lines have. He probably is not dealing with this stuff himself.

    ReplyDelete
  24. With all due respect, Andrew, that's not the case. I deal with clients almost every day. I manage and deliver their support. And maybe I didn't articulate very clearly. But I promise you there is no web site you can send me to that will infect my computer without my permission. I listened to a webinar on ransomware yesterday. The key message - from someone who supports millions of endpoints - was that the two things that everyone can do to stop this threat are 1) Deny administrative rights, and 2) Educate clients to NOT CLICK.

    Once you click OK, then the payload can be delivered. And you can do as much damage as your rights allow. But even then, you have to respond to the UAC and say YES, please infect my computer. I'm not saying there's no web site with dangerous popups. I'm saying there are no web sites that I can visit with a secure machine and get automatically infected. I have to click and say OK.

    In my business, we've managed thousands of endpoints and never had a virus in more than five years. That didn't happen by accident. I don't think my clients are any smarter or more careful than the average user in the U.S.

    You certainly don't have to take my advice. But I promise you that I do know what I'm talking about. Of course it's not a simple thing and the whole package of what we do involves AV, firewall, etc.

    ReplyDelete
  25. The be honest. This discussion becoming pointless.
    You keep repeating your thing and are not responding on the real points people bring forward.

    I don't care that your clients never had any viruses. That's no proof.
    Same with asking for a website.

    You say something like: "I swim in the ocean all the time. I see all kinds of people swim in the ocean. I have never been attacks by a shark. The other people are also never been attacked. Shark attacks are a myth. Show me a place were i can swim and be attacked by a shark. You can't. Oke then i'm right"

    You don't believe in drive-by's, because you haven't seen them. So the are non existent??? No information on the internet that describes those?

    Your definitions of a virus installed is also flaky. and your don't really respond if people if the correct you and even give examples. Yes, you could say : he that not installing. No your right.

    About the webinar the same. It's sound advice as it stops 99,99% of the infections. But i guess he never said that it would stop 100%.

    Proving a myth wrong goes a little further that your proof method. 99,999 or how many nines you add is not proof of 100%. At best you proof it's rare. and i agree on that

    ReplyDelete

Feedback Welcome

Please note, however, that spam will be deleted, as will abusive posts.

Disagreements welcome!