UAC May be a Nuisance but it Serves a Purpose

Analysis
Aug 11, 2011 | 3 mins
Malware, Microsoft, Network Security

If UAC prompts suddenly disappear, you might want to take a close look at what's going on with your computer.

Microsoft introduced the despised User Account Control (UAC) feature in Windows Vista (and gave it a major functional overhaul in Windows 7) for a good reason. It was supposed to give users the power to control, monitor and protect their computer whenever something attempted an unauthorized change to it.

I know the complaints. I expressed my own to Microsoft at Black Hat, where I asked if it would be possible to set it so that an application could be set to never ask again (games, for instance, always require your permission before running). Microsoft’s response was that it would be really hard due to the changing nature of apps as they are patched and updated.

We may hate UAC, but turning it off is inviting malware infection. What’s downright disturbing is that even if you leave UAC on, it may get turned off without you knowing it. The latest trend has malware turning off UAC before doing its dirty work, sometimes with your help.

In a blog posting on the Microsoft Malware Protection Center, Joe Faulhaber, a software design engineer at Microsoft, pointed out that 23 percent of machines reporting an infection had UAC completely disabled. In some cases, the user had disabled UAC because it had been a nuisance. In other cases, the malware turned off UAC.

When UAC was introduced, malware authors did their best to go around it. Instead of running as an administrator, the malware ran as a user-level app, with no prompt to trip. Running at user level, though, made it difficult for the malware to elevate its access to administrator rights, which was the whole point of UAC.

To turn off UAC completely, though, requires administrator access. Malware got that access in one of three ways: UAC was off already, a sloppy user just clicked Yes on the UAC prompt without taking a close look at the app requesting access, or the malware used a service that has administrator privileges by default.

Any malware that pulls off the latter can turn off UAC effective the next time you reboot, so there will be no UAC requests for admin privileges when the malware goes about its business.

Faulhaber noted that the Sality virus family, Alureon rootkits, rogue antivirus programs like FakePAV, Autorun worms, and the Bancos banking Trojans all have variants that turn UAC off. This trick has become so prevalent that Microsoft’s security software, including Security Essentials, Windows Intune, and Forefront Endpoint Protection, now monitors UAC to detect any attempt to tamper with it or change its settings.
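The monitoring Faulhaber describes can be approximated by hand. The following read-only audit is an added example, not code from the article or from Microsoft; it reads the standard UAC policy values under HKLM and flags the settings that turn the prompts off, and the "healthy" thresholds and Windows 7 defaults it assumes are mine.

```powershell
# Added example (not from the article): read-only audit of the UAC policy values
# that malware, or an annoyed user, would change to silence UAC. Reading this
# HKLM key needs no elevation.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Return a DWORD from the key, or the assumed Windows 7 default when it is absent,
# so a missing value is not mistaken for "disabled".
function Get-UacDword($props, [string]$name, [int]$default) {
    if ($null -eq $props.$name) { return $default }
    return [int]$props.$name
}

function Get-UacAudit {
    $p = Get-ItemProperty -Path $UacKey -ErrorAction Stop

    # EnableLUA: 1 = UAC on. 0 = UAC fully disabled; the change takes effect
    # at the next reboot, which is exactly the state the article describes.
    $enableLua     = Get-UacDword $p 'EnableLUA' 1
    # ConsentPromptBehaviorAdmin: 0 = administrators elevate silently with no
    # prompt at all; 5 = default "prompt for consent for non-Windows binaries".
    $adminPrompt   = Get-UacDword $p 'ConsentPromptBehaviorAdmin' 5
    # PromptOnSecureDesktop: 1 = the prompt is drawn on the secure desktop,
    # where other processes cannot fake it or click Yes for you.
    $secureDesktop = Get-UacDword $p 'PromptOnSecureDesktop' 1

    $findings = @()
    if ($enableLua -ne 1)     { $findings += "EnableLUA=$enableLua: UAC is disabled (or will be after reboot)" }
    if ($adminPrompt -eq 0)   { $findings += "ConsentPromptBehaviorAdmin=0: admins elevate without a prompt" }
    if ($secureDesktop -ne 1) { $findings += "PromptOnSecureDesktop=$secureDesktop: prompt not on secure desktop" }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesktop
        Healthy                    = ($findings.Count -eq 0)
        Findings                   = $findings
    }
}

$audit = Get-UacAudit
$audit | Format-List
if (-not $audit.Healthy) {
    Write-Warning 'UAC has been weakened; find out when and by which process.'
}
```

Scheduling this audit only tells you that UAC changed, not who changed it; pairing it with object-access auditing on the same key (Event ID 4657, "a registry value was modified") records the write itself.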

So even though it’s a nuisance to click ‘Yes’ every time I fire up StarCraft 2, UAC remains active on my machine, and you should do the same.