One of my first major undertakings at my current job was the move to a least-privilege model for desktops. Under this model, end users have only the minimum privileges necessary to perform their jobs. Less elegantly, it might be called “taking away admin rights”. Whatever you call it, the goal is to reduce support costs by ensuring a standard configuration with licensed software of a known version and state. It also substantially reduces the exposure to viruses and other flavors of malware, because most of what malware traditionally wants to do (patch system binaries, install drivers, write to Program Files) requires privileges the user no longer has.
Lately, I’ve seen a disturbing trend where malware seems to be designed specifically to work within this constraint. It was always possible, since non-administrators can by default still download and run code not already present on the system. However, their inability to install software has always overshadowed this. Unfortunately, it turns out that “install” is a pretty ambiguous term. At its root, it’s nothing more than the process by which software is placed on a system and made ready for use. Historically, this has involved putting various bits and pieces in protected areas of the system that only administrators could write to. Thus, we tend to think of it as an act that only an administrator can perform.

In reality, there’s nothing to prevent a writer of malware (or legitimate software) from designing it so that every component lives within the user’s profile or home directory and runs solely from there. On Windows, all it then needs is a per-user persistence point the user already controls: a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, or a shortcut in the user’s own Startup folder. If it changes the user’s settings to run itself at startup, is it not then installed?

Granted, malware of this nature is more limited in what it can do. For instance, it cannot affect other users of the computer, nor can it hide by altering the operating system itself. Still, it can mimic system dialogs, steal or destroy user data, barrage the user with unwanted pop-ups, and so on. With these capabilities, it would seem that the only practical difference between this flavor of malware and that of the past is ease of removal. That’s probably little comfort to the poor guy who gets hit with a series of “porno.org” pop-ups as his boss walks into the room.
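The flip side of the point above is that per-user persistence is also easy to audit: the same Run key the malware writes to can be exported and reviewed. The following is an added example, not code from the original post. It parses a constructed fragment in the Windows .reg export format (what `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` produces), resolves each command line to its program path, and flags entries whose program lives under the user’s profile. The user name `alice`, the value names and the environment mapping are all made up for the example; on a real host you would feed it the real export and `os.environ`.

```python
"""Flag per-user autorun (HKCU Run) entries that execute from the user's profile.

Added example, not from the original post. Everything below is pure
string handling, so it runs offline on any platform.
"""
import ntpath
import re

# Constructed sample: the shape of a `reg export HKCU\...\Run` file.
# Account name, value names and paths are invented for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe"
"Popups"="\"%APPDATA%\\Popups\\popup.exe\" /silent"
'''

# Constructed environment for the (hypothetical) victim account.
# On a live host, pass os.environ instead.
SAMPLE_ENV = {
    "USERPROFILE": r"C:\Users\alice",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "WINDIR": r"C:\Windows",
}

# A .reg string value: "name"="data", with \" and \\ escapes inside.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Shortest prefix of an unquoted command line ending in an executable extension.
_EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|bat|cmd|vbs|js|ps1))(?=\s|$)', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping: \\\" -> \" and \\\\ -> \\."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_run_values(reg_text):
    """Return {value_name: command_line} for every string value in the export."""
    values = {}
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def expand_env(path, env):
    """Expand %VAR% references (case-insensitively) using the supplied environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def executable_of(cmdline):
    """Extract the program path from an autorun command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first
    recognised executable extension. This is a simplification of how
    CreateProcess resolves unquoted paths, but it is sufficient for triage.
    """
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    m = _EXE_RE.match(cmdline)
    return m.group(1) if m else cmdline.split()[0]


def runs_from_profile(path, env):
    """True if the expanded, normalised path sits under %USERPROFILE%."""
    full = ntpath.normcase(ntpath.normpath(expand_env(path, env)))
    root = ntpath.normcase(ntpath.normpath(env["USERPROFILE"])) + "\\"
    return full.startswith(root)


def flag_profile_autoruns(reg_text, env):
    """Names of Run values whose program lives in the user's profile, sorted."""
    return sorted(name for name, cmd in parse_run_values(reg_text).items()
                  if runs_from_profile(executable_of(cmd), env))


if __name__ == "__main__":
    values = parse_run_values(SAMPLE_REG)
    for name in flag_profile_autoruns(SAMPLE_REG, SAMPLE_ENV):
        print("review:", name, "->", values[name])
```

Note that the rule deliberately flags legitimate per-user installs as well (the constructed OneDrive entry is the obvious case), because the location alone cannot distinguish them from the "Popups" entry. The output is a review list for a technician, not an automatic removal list; the user's Startup folder deserves the same treatment.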