Protecting local admin password against 3rd party software

Question

I'm using a standard user account and then run whatever as administrator so that I type in administrator password...

I wonder if potentially undetected malicious software such as a trojan is able to log my administrator account password and use the logged password to gain privilege over the system? i.e. to setup a backdoor.

edit: Assuming windows 7 with UAC control to the max.

Answer 1

Yes, it is possible. There is known Windows malware that can grab the Admin password hash from memory, even if you never log in to the Admin account after infection.

Answer 2

This depends on the operating system and the method used to escalate privileges to administrator. Typically, the answer is yes — protecting a privilege escalation dialog from prying and spoofing is a technical challenge.

In order to protect an administrator password prompt from malware that has infected your account but not the administrator account, the password prompt must be sufficiently isolated from the normal user interface:

• When a password prompt dialog is displayed, unprivileged software must not be able to snoop on key presses into that dialog.
• Unprivileged software must not be able to surreptitiously switch the focus out of that dialog, either.
• Of course unprivileged software must not be able to snoop on the memory of the process that provides the password prompt, or affect its execution in any way.
• Furthermore unprivileged software must not be able to display a convincing password prompt, where the user would believe that they were entering their password into the legitimate password prompt dialog, but were in fact typing into a similar-looking dialog provided by the malware.

X11 (the GUI of Linux) does not provide strong isolation between applications' windows, which makes it impossible to provide a non-snoopable password prompt. It's a feature that in X11, you can for example define input methods and macros that work everywhere.

I think Windows is a bit more restrictive, but I don't know if the system administrator password prompt is in fact protected from keylogging. The Windows privilege escalation prompt is not protected from phishing: any program can show a grayed out screen with a password prompt in the middle.

In order to achieve a secure privilege escalation dialog, not only the user interface must provide isolated components (e.g. a window where no macros or key rebinding is possible), but it must also provide a way for the dialog to be non-spoofable, such as:

• A reliable way for the user to request the privilege escalation: a magic input sequence that cannot be redirected. In principle Windows's Ctrl+Alt+Del could do this, except that I think you can rebind the keyboard (and move the relevant keys around) without administrator privileges.
• A convincing dialog that cannot possibly come from the malware — the dialog shows secret phrase or picture that is chosen by the user and is never accessible to non-privileged programs. This tends to work poorly because the secret phrase or picture must never leak and the user must pay attention. Users tend choose the same picture of their kids that they use as wallpaper and tend to click “ok” without paying attention, which makes this technique of limited practicability.
• A hardware LED that means “the UI is in privileged mode” (and which can only be changed by privileged software) — computers don't have this. And again users have to be paying attention.

In any case, in the end, it's your data that's valuable, not your administrator password. For a typical end-user computer, not that much value in making the operating system and the user interface a lot more complex just to protect the administrator password.

Answer 3

Yes, there is. A keylogger (to give just one example) records everything you type. The admin password entry box isn't exempt from this. When the malware is impatient, it could also open a fake "run as administrator" prompt to trick you into entering your password.