http://msinfluentials.com/blogs/jesper/archive/2009/08/31/and-finally-standard-user-malware.aspxToday I finally got wind of my first piece of true standard user malware. MS Antispyware 2008 has turned standard user. The version in question installs the binaries in c:\documents and settings\all users\application data\&lt;something&gt;, and makesenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msinfluentials.com/blogs/jesper/archive/2009/08/31/and-finally-standard-user-malware.aspx#21939Sat, 03 Oct 2009 17:48:02 GMT91db4bc3-5a69-4a9f-94bf-eedb569902ab:21939Eric Eskam<p>I too am surprised it has taken this long for something like this to appear. &nbsp;If Firefox can install in usermode, why not malware?</p> <p>BTW - a handy flowchart to help users decide if they really should click to see the dancing naked pigs:</p> <p><a rel="nofollow" target="_new" href="http://www.intac.net/a-flowchart-to-help-you-decide-when-to-click-past-the-security-warning/">www.intac.net/a-flowchart-to-help-you-decide-when-to-click-past-the-security-warning</a></p> <div style="clear:both;"></div><img src="http://msinfluentials.com/aggbug.aspx?PostID=21939" width="1" height="1">http://msinfluentials.com/blogs/jesper/archive/2009/08/31/and-finally-standard-user-malware.aspx#21914Thu, 10 Sep 2009 21:21:34 GMT91db4bc3-5a69-4a9f-94bf-eedb569902ab:21914Hilton Travis<p>G&#39;day Jesper,</p> <p>All theswe filth are doing is following Microsoft&#39;s lead with Microsoft Live Mesh and Microsoft Vine which don&#39;t install into Program Files, but into AppData\Local, therefore not requiring elevated rights.</p> <p>Now, this is a huge security vulnerability to me - allowing non-Admin users the ability to install applications. &nbsp;WTF was Microsoft thinking?</p> <p>Have you tried installing Live Mesh with &quot;Run as Administrator&quot;? &nbsp;What does the error message &quot;Live Mesh: Product does not support running under an elevated account. &nbsp;This class is not configured to support Elevated activation. &nbsp;Error: 80080017&quot;. &nbsp;Now, is that an error message, as a Security professional, that scares the pants off you, or what?</p> <div style="clear:both;"></div><img src="http://msinfluentials.com/aggbug.aspx?PostID=21914" width="1" height="1">http://msinfluentials.com/blogs/jesper/archive/2009/08/31/and-finally-standard-user-malware.aspx#21911Thu, 03 Sep 2009 20:02:56 GMT91db4bc3-5a69-4a9f-94bf-eedb569902ab:21911Simon<p>Hey Jesper</p> <p>Sorry to hear about your friend being duped into the scam. I had to fix dozens of computer with that stupid malware but luckily, every user just got frustrated instead of giving in to the demand (could also be because they were broke!). But $5,000? I believe the user themselves also have the responsibility to make sure that everything is legit before giving away that much money. </p> <div style="clear:both;"></div><img src="http://msinfluentials.com/aggbug.aspx?PostID=21911" width="1" height="1">http://msinfluentials.com/blogs/jesper/archive/2009/08/31/and-finally-standard-user-malware.aspx#21909Tue, 01 Sep 2009 11:54:34 GMT91db4bc3-5a69-4a9f-94bf-eedb569902ab:21909Larry Seltzer<p>When you think about it, how is anti-malware supposed to detect user malware such as this? If they don&#39;t have a signature for it then there&#39;s nothing in the behavior of the program that could be determined heuristically to be malicious. All the program does is put on a show.</p> <p>I&#39;m also told by anti-malware companies that these rogue anti-malware programs are particularly aggressive about their obfuscation techniques.</p> <div style="clear:both;"></div><img src="http://msinfluentials.com/aggbug.aspx?PostID=21909" width="1" height="1">