One of the common methods for malicious software to expand within a computer is privilege exploitation. Typically the first step for entry is the exploitation of a software vulnerability and/or social engineering. An example would be a user receiving an e-mail with an attachment that entices the user to open the file (pictures of a dead Osama Bin Laden, video of the royal wedding, etc.), with the attachment crafted to exploit a known or unknown software vulnerability. Once the vulnerability is exploited, any number of commands can be executed, which is where privilege exploitation occurs.
Privilege exploitation is where the malicious software takes advantage of the rights of the logged-in user to change the configuration of the local computer. Such configuration changes could be to download and install a bot, adware, keyboard logger, data harvester, or any other payload that can be used for future malicious activity. It could also disable security software or change the operating system to facilitate malicious activity, such as creating open shared folders or changing permissions. This second step is highly dependent on the privileges of the logged-in user to succeed. Think of the initial vulnerability exploitation as the security breach and the privilege exploitation as the expansion.
The third step is for the malicious users to leverage the bot, the adware, the keyboard logger, the data harvester, or other system change to monetize the attack. Valuable data (credit cards, logins, bank accounts) is harvested, ads are served, or a bot is used for spamming, all of which equate to real money.
Privilege management is the practice of reducing the rights of the logged-in user to only those needed to perform their job function. Too often the end user has full administrator privileges, exposing them to privilege exploitation. While reduced rights will not prevent a security breach, good privilege management will limit the expansion stage and disrupt any long-term effects of a stage-three monetization activity.
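A practical first step toward the privilege management described above is simply finding out which everyday user accounts are currently running with full administrator rights. The PowerShell script below is an added example and not Arellia's code or tooling; it assumes a Windows 10 / Server 2016 or later host (where the built-in LocalAccounts module and `Get-LocalGroupMember` are available) and reports whether the current session is elevated and which members of the local Administrators group are ordinary local user accounts, the population most exposed to the expansion stage.

```powershell
# Added example (not from the original post): audit local administrator rights
# on a Windows host to support a least-privilege review.
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).

# Returns $true when the current session holds full administrator privileges,
# i.e. the situation in which an exploited attachment inherits admin rights.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Lists every member of the local Administrators group and suggests a review
# action. Local user accounts (other than the built-in RID-500 Administrator,
# kept as the break-glass account) are flagged for removal; groups and
# domain principals are left for a manual review.
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $isBuiltInAdmin = $_.SID.Value -like '*-500'
        $isLocalUser    = ($_.ObjectClass -eq 'User') -and ($_.PrincipalSource -eq 'Local')

        if ($isLocalUser -and -not $isBuiltInAdmin) {
            $action = 'Remove from Administrators'
        } else {
            $action = 'Keep / review manually'
        }

        [pscustomobject]@{
            Name            = $_.Name
            ObjectClass     = $_.ObjectClass      # User or Group
            PrincipalSource = $_.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount
            SID             = $_.SID.Value
            ReviewAction    = $action
        }
    }
}

"Current session elevated: $(Test-IsElevated)"
Get-LocalAdminReport | Format-Table -AutoSize
```

Run it in a normal (non-elevated) console first: reading group membership does not require elevation, and a `True` on the first line is itself the finding, because it means the logged-in user's everyday session already carries the rights an attachment exploit would inherit. Removing an account from Administrators needs an elevated session and should be done through the organization's change process rather than ad hoc.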
Over the coming weeks, Arellia will be discussing research on privilege exploitation around common software and why good privilege management should be a pillar in every organization's security strategy.