Ryan Naraine today posted an excellent blog, "Defeating UAC with a two-stage malware attack", which is a definite must-read for enterprise managers who are deploying Vista or planning to do so. The post outlines independent researcher Rob Paveza's proof of concept for a two-stage malware attack on Vista.
Quoting Symantec's Ron Bowes, Ryan explains the attack as follows:
"The attack the researcher outlines involves the construction of the Start menu. A user's Start menu is built from at least two locations. One is the user's Start menu folder and the other is global. These two locations are merged to create the Start menu that the user sees. If the same shortcut exists in both the user's folder and the global folder, the user's is used.
The proxy infection tool, which is run by the user, writes to the user's Start menu folder and reads from the global Start menu folder without requesting elevated permissions. The program searches the global Start menu folder for all programs that require elevation, and creates duplicates in the user's folder that point to the malicious code. This is the second stage of the attack.
When the user attempts to run a program that has been duplicated, they see a UAC prompt. Because the program already required elevated permission, the user wouldn't be alarmed. The malicious program, with elevated privileges, executes the intended program, fooling the user into thinking everything is normal. Meanwhile, the malicious program can clean up any trace that it had piggy-backed, and install itself somewhere with permanently-elevated privileges."
Read Ryan's blog for more information on the attack, as well as the strategies it recommends for Microsoft to address it.
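A defender-side check for the shadowing condition the quote describes, added here as an example and not part of Ryan's or Rob's work: it lists per-user Start menu shortcuts that share a relative path with an all-users shortcut but resolve to a different target. It assumes Windows PowerShell with the WScript.Shell COM object available.

```powershell
# Added detection example (not from the original post). Flags shortcuts in the
# per-user Start menu that shadow a same-named shortcut in the all-users Start
# menu but point at a different target, which is the condition described above.
$userRoot   = [Environment]::GetFolderPath('StartMenu')
$globalRoot = [Environment]::GetFolderPath('CommonStartMenu')
$shell = New-Object -ComObject WScript.Shell

# Index the all-users shortcuts by their path relative to the Start menu root;
# the merged menu matches per-user and global entries on that relative path.
$global = @{}
Get-ChildItem -Path $globalRoot -Recurse -Filter *.lnk | ForEach-Object {
    $rel = $_.FullName.Substring($globalRoot.Length).TrimStart('\')
    $global[$rel.ToLowerInvariant()] = $_.FullName
}

# Walk the per-user shortcuts and report any that shadow a global entry while
# resolving to a different executable.
$findings = Get-ChildItem -Path $userRoot -Recurse -Filter *.lnk | ForEach-Object {
    $rel = $_.FullName.Substring($userRoot.Length).TrimStart('\')
    $key = $rel.ToLowerInvariant()
    if ($global.ContainsKey($key)) {
        $userTarget   = $shell.CreateShortcut($_.FullName).TargetPath
        $globalTarget = $shell.CreateShortcut($global[$key]).TargetPath
        if ($userTarget -ne $globalTarget) {
            [pscustomobject]@{
                Shortcut     = $rel
                UserTarget   = $userTarget
                GlobalTarget = $globalTarget
                UserWritten  = $_.LastWriteTime
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No shadowed Start menu shortcuts with divergent targets found."
}
```

Legitimate per-user overrides of global shortcuts do exist, so treat each finding as something to review, with the UserWritten timestamp as a starting point for timeline work.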