Back to Top

Thursday, July 09, 2009

What can a malicious program do under a limited account with Windows 7?

The scope of this post is to demonstrate what a malicious program can do under Windows 7 (the newest and presumably most secure version of MS Windows) with a Guest account (the most limited one from a capability point of view). The "malware" in the video below demonstrates that a program run by the user (we can imagine tricking the user using social engineering) still can:

  • Access the user files from MyDocuments
  • Perform keylogging
  • Take screeenshots

Sorry for the typos in the text but I hope that the point came across that with minimal modifications malware can be made "compatible" with more restricted environments than what it is used by default by a large percentage of the population. While malware running in these conditions wouldn't have access to advanced capabilities (like kernel-mode rookits), it can still inflict a lot of damage in the time-window between the infection and when it is detected. This window can be even expanded by using tools like server-side polymorphism.

My conclusions would be:

  • Limited accounts are a great tool, but only because most (almost all) malware wasn't written with it in mind. Probably this will change in the future as
  • Any executable (which can take many forms) running under the current user can access anything the current user can, which is probably all the information the user cares about!

I wish to emphasize again that the environment tested is was much more restrictive than the user accounts created by default by Windows 7, and even so, the malicious code could access all the data belonging to the user.

PS. I will not release the source code used for the demonstration in any form (binary or source code), because there is already enough malicious code out there. Then again, the code used is fairly standard and there are many examples out there and a little searching can lead anyone to it.

Update: re-uploaded the video, now in better quality.

Update: I recently found a video demonstration by PrevX which shows how Vanquish, an old user-mode rootkit, works perfectly well under Windows Vista (and most probably 7) with LUA.


  1. Anonymous3:27 PM

    Good article again =)

    Limited user accounts don't really do anything except protect the system from infection. They don't protect the user profile, as your test shows. To protect the user profile, too, execution of malicious code should be stopped. Easier said than done (!) but things like software restriction policies can help there, even with their own weaknesses. Nothing helps against social engineering though, at least not on the software side. If people want to see dancing pigs, they're going to see them, security be damned. ;)

    Your article made me think of something else, too. Now that Windows is pushing for more restricted user accounts instead of the default admin accounts of Win 2k and XP, malware will have to adapt and black hats will code malware that works well with restricted rights. I wonder if that will also lead to more malware being made for other systems such as OS X or Linux, which both default to restricted user rights? I think that it might, since if the malware coders have to make limited user aware malware for Windows there's really no reason why they couldn't start making the same kind of malware for Linux and OS X, too. The differences between those systems and Windows, when not running as admin or root, aren't that large.

  2. Nice post!

    Well.. The interesting part is the registering himself as running automatically.
    It's known that a user-separation isn't that good except that malware can steal files from same session at one login. but if it's a trojan that plans on keep being in the computer the start-up ways of registration is the most difficult work for the malware writer.
    can you explain how did you register yourself as start-up executable and why did that window popped up?
    some technical details will be awesome.

  3. @Zuk: I don't recall exactly what method I've used, but there are plenty of methods a non-privileged user can register a program to start-up (for the given user, not system-wide of course). For example the startup folder.

    The confirmation dialog popped up because the file was downloaded from the internet and IE (and newer versions of FF on Windows) mark these files as "less trustworthy". Probably a "professional" malware developer would add the finishing touch by ensuring that the malware removes the marking from itself (it is stored in a NTFS ADS - Alternative Data Stream - and is relatively simple to remove, once one knows what to look for).