Comments on hype-free: Limited users - myth or reality

kurt wismer, 2007-02-21 20:04 (+02:00)

on the matter of containment -

1) privilege elevating exploits can give unremovable malware admin access even if you're running as a limited user...

2) the notion of the unremovable malware is a myth - it's a popular myth, i'll grant you that, but a myth all the same... any non-destructive function is invertible, anything software can put on the system can be taken off the system with the right tools...

3) the same people who promulgate the unremovable malware myth have all decided that the proper way to deal with it is to throw up their hands in defeat and accept the need to wipe and re-install when they encounter any malware - and running as a limited user doesn't change that equation, it doesn't make it more or less necessary, it doesn't make it easier or harder to do... ergo, running as a limited user is of no benefit there...

Cd-MaN, 2007-02-22 01:55 (+02:00)

1) privilege elevating exploits can give unremovable malware admin access even if you're running as a limited user...

And how many of those have we seen lately? Very few, and their number will just decrease in the future. In fact I would say that we are already at a point where there is no practical way for a low rights user to elevate his privileges to a level where any serious damage could be inflicted on the system.

2 & 3) I agree, all the malware can be removed, however that wasn't my point. My point was that unless you know that every program was executed under a low rights account, you can not trust *any* parts of the system. This means that you can not do an on-line investigation which would yield any useful results, because every time some check comes back as negative (for example no ports are open) you have to ask yourself: is this really the case or is some kernel mode code modifying the results I'm seeing? Your only way remains to do an offline investigation (e.g. pull the drive and go over its contents one by one on a known clean computer), a procedure which is much more complicated, tedious and time consuming.

Using limited users you can retain full control over your system, while using high-privileged users you can use this control very fast!

kurt wismer, 2007-02-22 18:08 (+02:00)

RE: privilege elevation exploits

"And how many of those have we seen lately?"

not so many... generally they aren't necessary because most people are already running as admin, but as soon as that changes the bad guys will pay a lot more attention to finding privilege elevation exploits... i believe joanna rutkowska recently detailed something that qualifies as privilege elevation under vista...

"My point was that unless you know that every program was executed under a low rights account, you can not trust any parts of the system."

you can't trust any part of the system even if the malware was executed under a limited user account... you should never trust a suspect system, regardless of the circumstances under which you think the malware got on there...

"Your only way remains to do an offline investigation (e.g. pull the drive and go over its contents one by one on a known clean computer), a procedure which is much more complicated, tedious and time consuming."

and safer... if you think you can avoid the need to do this then you're still placing too much trust in the suspect system... you're trusting that the system's attempt to set up boundaries to prevent the malware from compromising the environment used for cleanup...

the only boundary i trust for this is the physical air-gap, the cleanup environment is completely physically separate from the suspect system (not even connected by a network) and nothing from the suspect system gets executed during cleanup *at all*...

people want to cut this corner but i don't believe you can...