
I was wondering whether the majority of viruses and worms are created to exploit vulnerabilities in the Windows system itself (not a third-party app); I would also like to see a report.

In Windows a normal user almost always (the majority of the time) has admin rights. Let's say that the user executes a virus/worm; after it is executed with admin rights, why would the virus/worm need to exploit a vulnerability? It's already running: just check user == admin and infect Windows.

The question is:

Why would a bad guy create a virus that exploits the system?

EDIT:

All right, I know about UAC, but as I said, some users are not educated. So it's not enough to be an Admin user; the idea of a virus is to get SYSTEM rights.

Now, what is the purpose of a virus? Why not just be a keylogger, or is the bad guy just a troll?

All this comes because I thought that virus programs just steal sensitive information about the user, like keylogging or something. Why does it need to exploit a vulnerability? It seems too complicated to depend on a vulnerability, knowing that vulnerabilities are eradicated with updates.

tttony
  • Can you clarify your question? The last sentence is a bit confusing. You can use the `edit` button to correct the question (that's preferred to updating the question in a comment). – Neil Smithline Jul 21 '15 at 03:39
  • I think you need to read about [UAC](https://en.wikipedia.org/wiki/User_Account_Control) as Windows' privileges aren't as simple as `user == admin`. – Neil Smithline Jul 21 '15 at 03:41
  • The bad guy aims to exploit a vulnerability, simply put, to traverse the uneducated average computer user, and get full machine access, via the SYSTEM account, either for persistence of the virus, or for antivirus evasion. – H3lp3ingth3p33ps Jul 21 '15 at 05:28

2 Answers


The goal of a piece of malware is to stay on your system for as long as it can. To do this it takes a number of steps, and often just having user administrative privileges is not enough. Gaining execution is only one step. If the malware is lucky enough for the user to execute it, it cannot assume that it has admin rights. In which case, exploitation of a vulnerability is needed. It can check Windows permissions, but account permissions in Windows are a complicated subject.

At the point of having user admin credentials the malware can often write files, and registry values. There are lots of persistence techniques that can be used, but writing registry keys or executing files on boot are among the easiest to detect and remove. For modern operating systems you need to go further with SYSTEM level privileges.

Just being an administrator doesn't give you total access to the system, and the next level would be to exploit a vulnerability to allow SYSTEM level access. This would give the attacker enough control to install a rootkit at a lower level. Rootkits take many forms, and in modern operating systems it is getting harder to install these types of malware within the boot process.

Exploiting vulnerabilities takes many forms. Not all vulnerabilities lead to remote code execution. Some of them can lead to memory address leaks, which are helpful in defeating ASLR, and some just give you an escalation in privilege. Malware uses vulnerabilities for its specific purpose, and all of them linked together can create an annoying piece of software to get rid of.

RoraΖ
  • Big thanks for the answer!! But what about a virus that just wants to steal info about the user and send it through the internet? Or just a keylogger; will it need admin rights? – tttony Jul 22 '15 at 00:56
  • Key loggers require higher privileges than you think. Most of the time, intercepting keystrokes requires system-level privileges. Gathering information about a system generally wouldn't require much more than administrative-level permissions. – RoraΖ Jul 22 '15 at 01:01

Don't assume the user always has admin rights. That may be the case on home computers, but on corporate networks, the users may be non-privileged users.

As to why a virus needs to exploit a specific vulnerability:

  1. Many users aren't stupid enough to download a virus onto their machine and then run it.
  2. Even if they did, then UAC would pop up an obvious warning that the program wanted to change important system settings.
Simon B
  • Thanks for the answer. What can a virus do without admin rights? Can it send info through the internet? – tttony Jul 22 '15 at 00:58
  • If the user has access to the internet, then the virus has as well - it can do anything that the user can. – Simon B Jul 22 '15 at 07:33
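
Both answers turn on a distinction the question collapses into `user == admin`: being a member of the Administrators group, actually running elevated (past the UAC prompt Simon B's second point relies on), and running as SYSTEM (the level RoraΖ's answer says a rootkit needs). RoraΖ's answer also names Run-key autostart entries as the persistence that is easiest to find. The PowerShell below is an added example, not code from either answer or from the original post: it reports which of those three levels the current session has and lists the Run/RunOnce autostart entries. The function names are mine; the SIDs and registry paths are the documented Windows ones.

```powershell
# Added example, not from the original answers. Reports the privilege level of
# the current PowerShell session and lists Run/RunOnce autostart entries.
# Needs PowerShell 3.0+ on Windows; no elevation is required to run it.

function Get-SessionPrivilegeLevel {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Member of BUILTIN\Administrators (S-1-5-32-544)? True for most home users.
    $adminMember = $identity.Groups.Value -contains 'S-1-5-32-544'

    # Actually elevated? With UAC on, an admin's normal processes carry a
    # filtered token, so this stays False until the user accepts a UAC prompt.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Running as LocalSystem (S-1-5-18)? Services do; an interactive user never does.
    $system = $identity.IsSystem

    [PSCustomObject]@{
        User        = $identity.Name
        AdminMember = $adminMember
        Elevated    = $elevated
        IsSystem    = $system
    }
}

function Get-RunKeyAutostart {
    # HKCU keys are writable by the unprivileged user, so even a non-admin
    # infection can persist here; HKLM keys need an elevated token.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties to every result; skip them.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $meta) { continue }
            [PSCustomObject]@{
                Hive    = $key.Split(':')[0]
                Name    = $p.Name
                Command = $p.Value
            }
        }
    }
}

Get-SessionPrivilegeLevel | Format-List
Get-RunKeyAutostart | Format-Table -AutoSize
```

Run it twice on an admin account, once from a normal prompt and once from a prompt started with "Run as administrator": `AdminMember` is True both times, `Elevated` flips from False to True, and `IsSystem` stays False either way. The first gap is the one UAC creates; the second is the admin-versus-SYSTEM gap RoraΖ's answer says malware exploits a vulnerability to cross. Any entry the second function lists under HKCU was writable without admin rights at all.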