We always recommend not to use a Windows user with admin privileges as our default Windows user. Actually, most of the malware relies in the fact that people use high privileges users on their system so when a malware is executed it can control the entire system.

It’s very recommendable to use Windows with a regular user account, in order to avoid most of the malware actions that require admin rights (install rootkits, modify system files, registry or services,…) . However it’s really important to keep our system updated. You should install Windows updates every month because even if your default Windows user hasn’t got admin privileges, you could still have problems if you execute a malware.

Let me show you an example.

Several months ago I was analyzing a new malware. The malware code had several features (creation of files in system directories, service/driver installation, code injection, creation of new autorun registry entries) that require administrative privileges to be accomplished. If the malware is executed as a regular user, it tries to exploit the MS08-066 vulnerability to elevate its privileges. By this way, if the system hasn’t been patched with MS08-066 it gets control of the entire system and the malware is executed with administrative rights.

Look at the following code:

UPX0:29A02A67                 push    offset aAdvpack_dll ; “advpack.dll”

UPX0:29A02A6C                 call    LoadLibraryA

UPX0:29A02A72                 test    eax, eax

UPX0:29A02A74                 jz      short loc_29A02A84

UPX0:29A02A76                 push    offset aIsntadmin ; “IsNTAdmin”

UPX0:29A02A7B                 push    eax             ; hModule

UPX0:29A02A7C                 call    GetProcAddress

UPX0:29A02A82                 jmp     short loc_29A02A88

First it checks whether the user has administrative privileges. If not, it tries to exploit the MS08-066 vulnerability to elevate its privileges:

UPX0:29A02A96 ms08_066_Exploit:            ; CODE XREF: MalwareActions+5Aj

UPX0:29A02A96                 call    sub_29A013E0

UPX0:29A02A9B                 test    eax, eax

UPX0:29A02A9D                 jnz     short loc_29A02AAD

UPX0:29A02A9F                 call    sub_29A01520

UPX0:29A02AA4      &
nbsp;          test    eax, eax

UPX0:29A02AA6                 jnz     short loc_29A02AAD

[…]

UPX0:29A01471                 call    WSAStartup

UPX0:29A01476                 push    offset aHaldispatchtab ; “HalDispatchTable”

UPX0:29A0147B                 call    MyGetProcAddress ; Func_GetProcAddress

UPX0:29A01480                 push    offset aPslookupproces ; “PsLookupProcessByProcessId”

UPX0:29A01485                 mov     Handle_HalDispatchTable, eax

UPX0:29A0148A                 call    MyGetProcAddress ; Func_GetProcAddress

UPX0:29A0148F                 cmp     Handle_HalDispatchTable, 0

UPX0:29A01496                 mov     Handle_PsLookupProcessByProcessId, eax

UPX0:29A0149B                 jz      short loc_29A014BD

With this piece of code, if the system hasn’t been updated with the MS08-066 patch, the malware would be able to do whatever it want. So even if your Windows user hasn’t got admin privileges you should update your system every month. It’s really important if you don’t want to be owned.