Security Incidents mailing list archives

RE: IE Malware / Spyware Control Methods


From: k levinson <levinson_k () yahoo com>
Date: Wed, 12 Jan 2005 08:00:06 -0800 (PST)

I personally wouldn't advise it except as an
experiment.  A limited user can still do plenty to
configure IE and Windows to install and execute
software persistently.  Running as a limited user does
reportedly help prevent a lot of adware and spyware,
but it remains to be seen whether this is just because
there is no incentive for adware authors to bother to
write their code to work as limited users.  What
running IE or Windows does mainly is prevent code from
re-loading persistently at next bootup; it does not
prevent the malicious code from running.

I also am not sure whether this tool successfully
restricts IE buffer overflows to the limited user
context.  If you were interested in running as a
limited user to prevent adware, I would find it more
reliable to just log into Windows as a limited user
that isn't a power user.

I disagree somewhat with the premise of the IE limited
user tool article. Running as non-admin does not IMHO
help against viruses, especially not with the current
versions of Windows. The article points out one virus
and the things that virus cannot do if run as
non-admin. What the article does not say is that you
are still infected and infect others, whether or not
you use that script or run as non-admin. There are
plenty of files, folders, registry values and system
resources a non-admin can access. As you may know,
malware run as non-admin can still scan your hard
drive for credit card numbers, delete your data files,
install itself persistently to re-launch at bootup,
send infected emails to other users, launch a
listening remote access Trojan that allows remote
control of your computer, change IE settings, install
browser helper objects, etc. etc. 

In the days of the MS Word macro virus, some people
suggested making the Word normal.dot file read-only,
to prevent viruses from making persistent changes. We
found this was not effective at all at preventing
infections. I would predict this script would be about
as effective at preventing malware, for similar
reasons. I also suspect that this solution is probably
unsupported and untested, and so is probably not a
good solution for large business environments.

Besides, once malware [or an attacker] is run on a
computer as non-admin, the malware could invoke a
number of methods to escalate privileges to that of
administrator, if a determined attacker wished to do
so.

Just my two cents.

regards,

karl levinson


-----Original Message-----
From: Jeff Bryner [mailto:jbryner1 () yahoo com] 

Has anyone resorted to 'run as' or dropping rights within a process to control administrative access within IE:
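As an added example that is not part of the original thread, the following PowerShell script gives a defender a quick way to verify the point made above about persistence under a limited account: it lists the per-user autostart locations (the HKCU Run/RunOnce keys and the user's Startup folder) that a non-admin process can write to, and separately checks whether the current account can open the machine-wide Run key for writing, which a properly limited user should not be able to do. The registry paths are the standard Windows ones; running it on a limited account versus an administrator account shows the difference in what each can register to re-launch at next logon.

```powershell
# Added example (not from the original post). Audits autostart locations
# reachable by a limited (non-admin) user so the findings can be compared
# against what an administrator account could change.

function Get-UserAutostartEntries {
    # Per-user registry Run keys: writable by the logged-on user without admin rights.
    $locations = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $locations) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Location = $path
                Name     = $name
                Command  = $key.GetValue($name)
            }
        }
    }
    # The user's own Startup folder is another autostart location a non-admin can write to.
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $startup; Name = $_.Name; Command = $_.FullName }
    }
}

function Test-MachineRunKeyWritable {
    # Returns $true if the current account can open the machine-wide Run key
    # for writing. For a limited user this should come back $false; if it is
    # $true, the account is not actually limited with respect to persistence.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
            'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        return $true
    } catch {
        # OpenSubKey throws when the caller lacks write access to the key.
        return $false
    }
}

# Usage: run under the account being evaluated.
Get-UserAutostartEntries | Format-Table -AutoSize
"Machine-wide Run key writable by this account: $(Test-MachineRunKeyWritable)"
```

The per-user list is the one to review regularly on limited-user workstations, since nothing in the account's restrictions prevents entries from appearing there; the machine-wide check is a sanity test that the account really is limited rather than a member of Administrators or Power Users.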