Linked by Thom Holwerda on Wed 31st Mar 2010 14:41 UTC
Windows
As geeks, we're well aware of the importance of running as a normal user instead of as root (UNIX/Linux/BSD) or administrator (Windows). However, while this should be common knowledge to anyone reading OSNews, it's often hard to illustrate just how important it is - until now, that is. A report by BeyondTrust looked at how many security bulletins issued by Microsoft are mitigated by simply... Not running as administrator.
Thread beginning with comment 416393
Auxx
Member since:
2007-04-05

Well, you see, using a non-root account does NOT protect you from ANYTHING (except for root-kits). Let me explain. If some software (IE, Acrobat, whatever) has a remote-code execution vulnerability, then an attacker can run his code on your system. If you are sitting under a non-root account, then this code executes with your user rights.

Basically, this means that malware can:

* make itself start on system start-up;
* scan your traffic for passwords;
* record key and mouse presses;
* inject any code into other processes running under the same user;
* write itself on the disk in home folder;
* use your traffic visiting pron sites;
* send spam;
* hack CAPTCHAs;
* make your PC a part of botnet;
* steal your data;
* destroy your data;
* scan LAN and send itself to others;
* use 100% CPU power slowing down everything;
* polymorph its code;
* hide from anti-viruses (a bit harder, yet still pretty much possible);
* etc.

It may not harm the data of other users using your PC, but it can do ANYTHING with yours. There are two very common use cases for PCs: only one user, and two-three users with some docs shared. In both scenarios malware in "user" mode is AS DESTRUCTIVE AS in root/admin mode.

The situation is a bit brighter currently, but this is because most malware tries to store itself in system folders. The next step will be storing inside the home folder (documents and settings\user\Application Data. Hey! There's a hidden Microsoft folder with tons of binaries! And we can infect most of them! And Windows does NOT protect them as zealously as Windows\System32!). And this step is nearing since fewer and fewer users use XP.

The same is true for the UNIX world - any piece of malware may write itself to autorun (.initrc/whatever), store its binary in /usr/ or /home/username/ and do whatever it wants!

If you see using a non-root user as a security measure, then shame on you and ololo on you. You can't be serious talking such things.

P.S. Please remember that corruption of system files and drivers is not really important - you can always restore them or reinstall. Losing YOUR documents - that is what hurts!

Reply Score: 1

zlynx Member since:
2005-07-20

The advantage of malware being forced into user mode is that it is detectable.

Something opening a network connection? root can see it. Something added to the startup items? root can see it. Want an audit listing of what files were modified, when and by what program? root can do that.

Now, if the malware is running as root, it can insert its code into the OS driver level where it has the power to do anything. Detecting rootkits is very difficult and is a race between the latest rootkit and the latest detector.

Reply Parent Score: 2
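Added example (not from either commenter): a baseline-and-diff audit over a user's autostart locations, the kind of check zlynx describes an administrator being able to run against user-mode persistence. The paths (XDG autostart directory, common shell rc files) and the baseline format are this example's assumptions; the sample home directory is constructed in a temp dir.

```python
import hashlib
import os
import tempfile

# User-writable persistence points inspected (assumption: Linux desktop layout).
AUTOSTART_DIRS = [".config/autostart"]
RC_FILES = [".bashrc", ".profile", ".xprofile"]


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def inventory(home):
    """Map each autostart entry under home to its SHA-256 digest."""
    found = {}
    for d in AUTOSTART_DIRS:
        full = os.path.join(home, d)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                path = os.path.join(full, name)
                if os.path.isfile(path):
                    found[os.path.join(d, name)] = _sha256(path)
    for rc in RC_FILES:
        path = os.path.join(home, rc)
        if os.path.isfile(path):
            found[rc] = _sha256(path)
    return found


def diff_against_baseline(baseline, current):
    """Return (added, modified): entries new since the baseline, and entries
    whose content changed. Either list being non-empty is a lead for the
    administrator to examine that user's account."""
    added = sorted(k for k in current if k not in baseline)
    modified = sorted(k for k in current if k in baseline and baseline[k] != current[k])
    return added, modified


def demo():
    """Constructed scenario in a temp dir: record a baseline, then add a
    .desktop entry and append a line to .bashrc, and diff the two states."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, ".config", "autostart"))
    with open(os.path.join(home, ".bashrc"), "w") as f:
        f.write("export PATH=$HOME/bin:$PATH\n")
    baseline = inventory(home)
    with open(os.path.join(home, ".config", "autostart", "updater.desktop"), "w") as f:
        f.write("[Desktop Entry]\nType=Application\nExec=/path/to/unreviewed-binary\n")
    with open(os.path.join(home, ".bashrc"), "a") as f:
        f.write("/path/to/unreviewed-binary &\n")
    return diff_against_baseline(baseline, inventory(home))
```

Run against real home directories as root with a baseline stored outside the user's reach, so the user-mode code being audited cannot rewrite the reference it is compared against.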