Category Archives: Privilege escalation

Locky, Cerber ransomware still expecting, targeting UAC

Today was a heavy spam day, with the bad guys installing Locky and Cerber crypto-ransomware (among other things) where they could. Ransomware like Locky and Cerber are novelties again after dropping off the mainstream news radar long enough, but they never left the stage. Today’s Locky and Cerber samples show they are still defeating the “Admin Culture” of Windows, even while they are targeting the minority of users that don’t run as full admins.

Locky and Cerber are still targeting User Account Control (UAC), but their success lies with users that are still running Windows XP or have turned off … Read more
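The point of the excerpt is that a UAC bypass only pays off when the victim is an admin whose token UAC is filtering (or UAC is off, or the OS predates it). The following PowerShell check, added here and not part of the original post, reports which of those situations the current account is in. It reads the documented UAC policy values (EnableLUA and ConsentPromptBehaviorAdmin) and tests group membership; the wording of the findings is my own.

```powershell
# Added example (not from the original post): report whether this account would
# hand Locky/Cerber-style malware full admin rights without an elevation prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# True only if this process already holds an unfiltered (elevated) admin token.
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Membership in BUILTIN\Administrators, regardless of whether the token is filtered.
$adminSid      = 'S-1-5-32-544'
$inAdminsGroup = ($identity.Groups | ForEach-Object { $_.Value }) -contains $adminSid

# UAC policy values (absent key => Windows defaults apply).
$enableLua   = if ($null -ne $uac.EnableLUA) { $uac.EnableLUA } else { 1 }
$promptAdmin = if ($null -ne $uac.ConsentPromptBehaviorAdmin) { $uac.ConsentPromptBehaviorAdmin } else { 5 }
$osVersion   = [Environment]::OSVersion.Version

$findings = @()
if ($osVersion.Major -lt 6) {
    $findings += 'Pre-Vista OS (e.g. XP): there is no UAC, so an admin user runs everything as admin.'
}
if ($enableLua -eq 0) {
    $findings += 'EnableLUA = 0: UAC is switched off, the admin token is never filtered.'
}
if ($promptAdmin -eq 0) {
    $findings += 'ConsentPromptBehaviorAdmin = 0: elevation is granted silently, no prompt at all.'
}
if ($isElevated) {
    $findings += 'This shell is already elevated: anything launched from it is full admin.'
} elseif ($inAdminsGroup) {
    $findings += 'Filtered admin token: a UAC bypass (no exploit needed) yields full admin.'
} else {
    $findings += 'Standard user: a UAC bypass alone gains nothing; malware needs a real privilege escalation bug.'
}
$findings
```

Run it from the account that reads mail and browses the web, not from an elevated admin shell, since the elevated shell answers a different question than the one the excerpt is asking.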

“Oh no, not again.”

I got what I paid for: those Windows laptops were cheap, but then that’s because they were…cheap.

It isn’t just the crapware that has to be removed: some OEMs leave behind a nasty “birth defect” in the security of the Windows machine. TL;DR: if you’re going to lock down that laptop you bought, do that first, and it’s likely going to require a clean reinstall.

Duo Labs recently published a paper on current OEM practices in other areas of system security that nicely sums up the problem: “Bring Your Own Dilemma”

I bought two Acer laptops 3-4 years ago with Windows … Read more

Microsoft patches AppCompat UAC bypass vulnerability

As an addendum to two previous posts, Microsoft recently issued an optional patch for Windows 7 Service Pack 1, Windows 8, and related Windows Server versions to address the User Account Control (UAC) bypass vulnerability that downloader and installer malware have been using for the past several months. Microsoft KB article 3045645, “Update to force a UAC prompt when a customized .sdb file is created in Windows,” was released last week as a part of a set of optional Windows updates and can be installed via Windows Update in the Control Panel or by manual download and … Read more
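Two things a practitioner will want to check after reading this: whether KB3045645 is actually present on a given Windows 7/8 box, and whether a customized shim database (the .sdb file the bypass relies on) has already been installed. The PowerShell below is an added example, not from the original post or from Microsoft; the registry locations and value names (AppCompatFlags\InstalledSDB, AppCompatFlags\Custom, DatabasePath, DatabaseDescription, DatabaseInstallTimeStamp) are the ones the shim installer writes, and the .sdb file locations under AppPatch\Custom are the standard ones.

```powershell
# Added example (not from the original post): confirm the optional update is
# installed and list custom shim databases registered on this machine.

# 1. Is the update present? Get-HotFix reads Win32_QuickFixEngineering, which
#    lists most (not every) installed update, so treat "not found" as "verify".
$kb = Get-HotFix -Id 'KB3045645' -ErrorAction SilentlyContinue
if ($kb) { "KB3045645 installed on $($kb.InstalledOn)" } else { 'KB3045645 not reported by Get-HotFix; verify via Windows Update history' }

# 2. Custom shim databases register once under InstalledSDB (keyed by GUID)
#    and once under Custom (keyed by the executable they are applied to).
#    On an end-user PC both lists are usually empty.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

"--- Installed shim databases ---"
Get-ChildItem "$base\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid         = $_.PSChildName
        DatabasePath = $p.DatabasePath
        Description  = $p.DatabaseDescription
        InstalledRaw = $p.DatabaseInstallTimeStamp   # FILETIME stored as QWORD
    }
} | Format-Table -AutoSize

"--- Executables with custom shims applied ---"
Get-ChildItem "$base\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{
        TargetExe = $_.PSChildName
        ShimDbs   = ($_.GetValueNames() -join ', ')   # value names are "{GUID}.sdb"
    }
} | Format-Table -AutoSize

# 3. The .sdb files themselves normally land here; a recent LastWriteTime on a
#    machine nobody deliberately shimmed is worth a closer look.
"--- .sdb files on disk ---"
Get-ChildItem "$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom\Custom64" `
    -Filter *.sdb -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A registered shim database is not proof of compromise on its own (some enterprise deployment tools legitimately install them), but on a consumer laptop an entry you did not create, especially one whose target is a Windows binary, is exactly the artifact the downloader and installer malware described here leaves behind.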

More Upatre privilege escalation

It looks like the Upatre downloader malware has added a new tool that takes advantage of PCs that are missing Windows Update patches from last fall (well, last Northern Hemisphere fall). In the past few weeks, newer versions of the Upatre malware can silently elevate their payload (the closely coupled Dyre/Dyreza banking malware) to run as full admin. These newer versions are using a vulnerability that Microsoft patched in October; however, if a PC is not patched, even non-admin users tricked into running Upatre can have the malware elevated to SYSTEM.

Upatre continues to incorporate the AppCompat UAC bypass technique … Read more