Nearly every day one can read horror stories about new ransomware variants in the media. The new variants no longer just encrypt the victim’s files: they also change the computer’s configuration so that recovery with Windows tools becomes harder, adding weight to the ransom demand.
The PETYA ransomware overwrites the master boot record (MBR) of the computer’s hard disk. The 7ev3n ransomware disables the Windows default recovery options by running bcdedit commands. In addition, this variant lets its components run with elevated rights without displaying a UAC (User Account Control) prompt.
Recovery from such an attack becomes much more difficult and elaborate. But both behaviours are also a clear indicator of a lack of basic cyber hygiene.
Signed in as a standard user, one gets nothing but the error message ‘Access is denied’ when a bcdedit command is run from a shell. The same applies to PETYA’s overwriting of the master boot record: writing to the raw disk device is reserved to administrators.
Without administrative privileges, and with UAC set to ‘Always notify me’, it is simply not possible to destroy the master boot record or to obtain elevated rights through the auto-elevation capabilities of Windows. Auto-elevation only works for accounts that are members of the Administrators group and run with a UAC-filtered token; a genuine standard user has nothing to auto-elevate, and ‘Always notify me’ closes that path for administrators, too. Period.
Basic cyber hygiene will not eliminate the risks of ransomware, but it is a good preventive means of reducing this and many other risks.
Manage the use of privileged accounts: no users should be assigned administrative access unless absolutely needed, and administrator accounts should only be used when necessary.
Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
Disable macro scripts from Office files transmitted over e-mail.
Great tips, easy to implement, even for SMEs and end users.
If something can overwrite the boot record of a modern Windows operating system, this is a sign that something has gone wrong. And by modern Windows operating system I mean everything from Microsoft starting with Windows NT Advanced Server 3.1.
Under normal conditions, administrative privileges are required to overwrite the boot sector. So if PETYA can overwrite it, this indicates that the current user works with administrative privileges. Unfortunately, malware can auto-elevate if UAC is not set to the highest level, ‘Always notify me’. In that case the user does not need permanent administrative privileges: it is enough that the account is a member of the Administrators group and runs with the filtered token UAC hands out at logon. A report on PETYA in the German PC-Magazine confirms that PETYA relies on this auto-elevation.
With this, defending against PETYA is an easy job from a technology point of view:
Revoke permanent administrative rights from all users and
Set UAC to ‘Always notify me’ as the default.
The latter can be implemented as a global group policy with a few clicks: the setting is ‘User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode’, set to ‘Prompt for consent on the secure desktop’. Some user and helpdesk training is required in advance to ensure a smooth transition.
The hard job is to make sure that the complex application universe in a company still works after the change. But thanks to the great progress UAC has made since Windows Vista, this should be possible now. The money spent on application testing is well invested, because by waiving permanent administrative privileges and setting UAC to the highest level, lots of security problems are solved at a single blow.
Actually, I am preparing a post about information disclosure caused by, e.g., unhandled exceptions in web applications (CWE-391). During security assessments in the past weeks I found all kinds of error messages, from no error message to detailed output of the program stack and all configuration variables. A nightmare!
But when I read about the capabilities of the Vawtrak malware in Nick Lewis’ post “Can Vawtrak malware block enterprise security software?” I changed my mind. Malware that uses Windows Software Restriction Policies (SRP) to prevent anti-malware software from running sounds really strange, and really interesting. In his fascinating white paper “Analysis of Banking Trojan Vawtrak”, Jakub Křoustek from AVG’s virus lab analyzes the program in detail.
By the way, adding an SRP rule to the Windows operating system requires administrative privileges: the rules live under the Policies hives in the registry, which standard users can read but not write. If users work with limited privileges and UAC is set to the highest level, “Always notify me”, Vawtrak has a hard job infecting the computer and stopping the anti-malware software.
It’s always the same old story: we get into considerable trouble because we haven’t got the basics right.
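A check for the technique described above, as an added example that is my own code and not from the post or from AVG’s paper: it enumerates the Software Restriction Policy path rules in the registry and flags ‘Disallowed’ rules that cover directories where endpoint protection lives. The registry layout and the level numbers are Windows’ own; the watch list of directories is a constructed assumption that has to be adapted to the products actually installed.

```powershell
# Added example (not code from the post or from the Vawtrak paper): list SRP path rules
# and flag "Disallowed" rules aimed at security software. Assumes PowerShell 3.0+; any
# user can read the Policies hives, so no elevation is needed to run the check.

# SRP keeps one subkey per security level under CodeIdentifiers; path rules sit below
# <level>\Paths\<GUID> with the path pattern in ItemData. Machine policy wins over user policy.
$srpRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'BasicUser'; 65536 = 'Constrained'; 131072 = 'NormalUser'; 262144 = 'Unrestricted' }

# Constructed watch list (assumption): directories of common endpoint protection products.
$watchDirs = @(
    "$env:ProgramFiles\Windows Defender",
    "$env:ProgramData\Microsoft\Windows Defender",
    "$env:ProgramFiles\Microsoft Security Client"
)

function Get-SrpPathRules {
    foreach ($root in $srpRoots) {
        if (-not (Test-Path $root)) { continue }
        $scope = 'User'
        if ($root -like 'HKLM:*') { $scope = 'Machine' }
        foreach ($levelKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # only the level subkeys
            $level    = [int]$levelKey.PSChildName
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
                $rule = Get-ItemProperty -Path $ruleKey.PSPath
                [pscustomobject]@{
                    Scope        = $scope
                    Level        = $levelNames[$level]
                    Path         = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)
                    Description  = [string]$rule.Description
                    LastModified = $rule.LastModified
                    RuleId       = $ruleKey.PSChildName
                }
            }
        }
    }
}

function Find-SrpRulesAgainstSecuritySoftware {
    param([string[]]$WatchDirs = $watchDirs)
    foreach ($rule in Get-SrpPathRules) {
        if ($rule.Level -ne 'Disallowed') { continue }
        # A rule covers a watched directory when either path is a prefix of the other:
        # "C:\Program Files\*" blocks everything below it, and a rule that names a single
        # product file sits below the watched directory.
        $prefix = $rule.Path.TrimEnd('\', '*')
        if (-not $prefix) { continue }
        foreach ($dir in $WatchDirs) {
            if ($dir.StartsWith($prefix, 'OrdinalIgnoreCase') -or
                $rule.Path.StartsWith($dir, 'OrdinalIgnoreCase')) {
                $rule
                break
            }
        }
    }
}

$rules = @(Get-SrpPathRules)
"$($rules.Count) SRP path rule(s) found"
$rules | Format-Table Scope, Level, Path, Description -AutoSize

$hits = @(Find-SrpRulesAgainstSecuritySoftware)
if ($hits.Count -gt 0) {
    Write-Warning 'Disallowed SRP rule(s) cover security software directories, the pattern the post describes:'
    $hits | Format-Table Scope, Path, LastModified, RuleId -AutoSize
}
```

Because both hives are world-readable, the check runs as a normal user; a warning therefore means that someone, or something, with administrative rights has planted the rule, which is exactly the privilege the post says the malware must already hold.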
It only remains to hope that the user works without administrative privileges. In this case the impact of the attack on the operating system will be limited, at least in theory.
Unfortunately we are dealing here with Windows 7. The Windows 7 User Account Control (UAC) default settings allow an attacker to bypass UAC and elevate the current user, provided the account is a member of the local Administrators group and therefore runs with a UAC-filtered token; a genuine standard user has nothing to bypass. With admin privileges the attacker can create a memory dump of any process, in particular of lsass.exe, which on Windows 7 holds, among other things, the logged-on users’ passwords in plaintext, because the Kerberos and WDigest security packages cache them.
Metasploit’s bypassuac-x86.exe is used from a Meterpreter session to elevate the user, and Mimikatz to extract the passwords from the lsass.exe dump.
This UAC vulnerability in Windows 7 has been well known for a long time and is very easy to mitigate: just set UAC to the highest level, ‘Always notify me’. In that case bypassuac cannot elevate the user. Take a look into the code for more details.
Don’t ask why Microsoft hasn’t mitigated this vulnerability (its position is that UAC is not a security boundary, so UAC bypasses are not serviced as security vulnerabilities) or why system admins do not change the default value with a group policy. Life could be so easy …
That’s it for today. Please check the UAC settings on your Windows devices as soon as possible.
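The check asked for here, as an added example that is my own code and not part of the original posts or of any tool they mention: a PowerShell script that audits the two controls recommended throughout (no permanent administrative rights, UAC at ‘Always notify me’), tells a standard user from a split-token administrator, and probes the BCD store the way 7ev3n’s bcdedit commands would. The registry value names and their meanings are Windows’ own; the script name, the output format and the `-Fix` switch are my assumptions, and it needs PowerShell 3.0 or later plus the whoami.exe and bcdedit.exe that ship with Windows 7 and later.

```powershell
<#
 Added example, not code from the original posts or from any tool they mention.
 Audits the two controls the posts recommend: no permanent admin rights for users and
 UAC at "Always notify me". Assumes PowerShell 3.0+ on Windows 7 or later with the
 built-in whoami.exe and bcdedit.exe. Script name and output format are my own.
 Usage:  .\Test-UacHygiene.ps1          (report only)
         .\Test-UacHygiene.ps1 -Fix     (write "Always notify me" locally; needs an elevated shell)
#>
param([switch]$Fix)

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # "Always notify me" is stored as ConsentPromptBehaviorAdmin = 2 (prompt for consent
    # on the secure desktop) plus PromptOnSecureDesktop = 1. The default since Windows 7
    # is 5 (prompt only for non-Windows binaries), which is what auto-elevation of signed
    # Microsoft binaries and the bypassuac family rely on.
    $p = Get-ItemProperty -Path $uacKey
    $state = [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        AlwaysNotify               = $false
    }
    $state.AlwaysNotify = ($state.EnableLUA -eq 1 -and
                           $state.ConsentPromptBehaviorAdmin -eq 2 -and
                           $state.PromptOnSecureDesktop -eq 1)
    return $state
}

function Get-TokenClass {
    # whoami lists BUILTIN\Administrators (S-1-5-32-544) even in a UAC-filtered token,
    # flagged "Group used for deny only". That is the split-token administrator which
    # auto-elevation and bypassuac can turn into a full administrator without any
    # credentials; a real standard user has no such entry and nothing to elevate.
    $rows  = whoami /groups /fo csv | ConvertFrom-Csv
    $admin = $rows | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    if (-not $admin)                          { return 'StandardUser' }
    if ($admin.Attributes -match 'deny only') { return 'AdminFilteredToken' }
    return 'AdminElevated'
}

function Test-BootConfig {
    # A standard user cannot even open the BCD store: bcdedit answers "Access is denied",
    # the same wall the 7ev3n bcdedit commands run into. When the store is readable,
    # look for the two values ransomware flips to defeat the recovery environment.
    $out = & bcdedit /enum '{current}' 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Accessible = $false; RecoveryTampered = $null; Message = $out.Trim() }
    }
    $tampered = ($out -match 'recoveryenabled\s+No') -or ($out -match 'bootstatuspolicy\s+IgnoreAllFailures')
    return [pscustomobject]@{ Accessible = $true; RecoveryTampered = $tampered; Message = $null }
}

function Set-UacAlwaysNotify {
    # Writes the same values that the group policy "User Account Control: Behavior of the
    # elevation prompt for administrators in Admin Approval Mode" = "Prompt for consent on
    # the secure desktop" sets. Needs an elevated shell; in a domain prefer the GPO so the
    # setting cannot silently drift back.
    Set-ItemProperty -Path $uacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$uac   = Get-UacState
$token = Get-TokenClass
$bcd   = Test-BootConfig

"UAC  : EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop) => AlwaysNotify=$($uac.AlwaysNotify)"
"Token: $token"
if ($bcd.Accessible) {
    "BCD  : readable, recovery tampered=$($bcd.RecoveryTampered)"
} else {
    "BCD  : not accessible ($($bcd.Message))"
}

if ($token -eq 'AdminFilteredToken' -and -not $uac.AlwaysNotify) {
    Write-Warning 'Split-token administrator with UAC below "Always notify me": the combination that auto-elevating malware and bypassuac exploit.'
}
if ($Fix) {
    if ($token -ne 'AdminElevated') { throw 'Run -Fix from an elevated shell.' }
    Set-UacAlwaysNotify
    'UAC values written; a reboot is required if EnableLUA was changed.'
}
```

Run it twice: once from the user’s normal session, where the interesting answer is `Token: AdminFilteredToken` (the user is an administrator in disguise), and once elevated, where the BCD probe becomes readable and can be checked for the recovery settings ransomware flips. The `-Fix` switch only changes the local machine; the durable fix is the group policy named in the comment.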