The scope of this post is to demonstrate what a malicious program can do under Windows 7 (the newest and presumably most secure version of MS Windows) with a Guest account (the most limited one from a capability point of view). The “malware” in the video below demonstrates that a program run by the user (imagine the user being tricked into running it through social engineering) can still:
- Access the user files from MyDocuments
- Perform keylogging
- Take screenshots
Sorry for the typos in the text, but I hope the point came across: with minimal modifications, malware can be made “compatible” with environments far more restricted than those used by default by a large percentage of the population. While malware running under these conditions wouldn’t have access to advanced capabilities (like kernel-mode rootkits), it can still inflict a lot of damage in the time window between the infection and the moment it is detected. This window can even be extended by using tools like server-side polymorphism.
My conclusions would be:
- Limited accounts are a great tool, but only because most (almost all) malware wasn’t written with it in mind. Probably this will change in the future as
- Any executable (which can take many forms) running under the current user can access anything the current user can, which is probably all the information the user cares about!
I wish to emphasize again that the environment tested was much more restrictive than the user accounts created by default by Windows 7, and even so, the malicious code could access all the data belonging to the user.
PS. I will not release the code used for the demonstration in any form (binary or source), because there is already enough malicious code out there. Then again, the code used is fairly standard; there are many examples out there, and a little searching can lead anyone to it.
Update: re-uploaded the video, now in better quality.
Update: I recently found a video demonstration by PrevX which shows how Vanquish, an old user-mode rootkit, works perfectly well under Windows Vista (and most probably 7) with LUA.