A forum for reverse engineering, OS internals and malware analysis 

 #26102  by EP_X0FF
 Wed Jun 17, 2015 4:28 pm
@vaber
Thanks for the samples. It seems like a blind copy-paste: they put in most of the code even though it is never called, including the unused second DLL. They slightly modified the Hibiki module, so instead of cmd.exe it starts the malware dropped to the %temp% folder. But they failed to understand the preparations made earlier in the code and left them in while they are not needed. Lol, awful copy-paste without understanding.
 #26124  by EP_X0FF
 Fri Jun 19, 2015 10:02 am
In Windows 10 build 10147, wusa no longer supports the /extract command; this terminates all UAC bypass methods where wusa was used to drop files to protected folders.
 #26125  by EP_X0FF
 Fri Jun 19, 2015 1:13 pm
In addition, 10147 broke the ISecurityEditor->SetSecurity method. It now returns E_INVALID_ARG. It could be a method parameters change or an internal reworking. This means methods related to Simda are dead. Dead for a while (if it is possible to recover the new definition of the interface) or completely (if this change was made for security reasons).
 #26128  by EP_X0FF
 Fri Jun 19, 2015 2:05 pm
vaber wrote: infdefaultinstall.exe is used by virmakers to create a key for autostarting malware (they use an .inf file for this). This method works under medium IL.
IIRC KB2919355 for Windows 8.1 removes this exe from appinfo.dll!g_lpAutoApproveEXEList, and it is still present only on Windows 7 (which is subject to the free upgrade).
 #26129  by pixe1
 Fri Jun 19, 2015 2:06 pm
The above MS fuckup means they do not consider autoelevating malware as something important and give no additional attention to the risky autoelevated applications they are blindly keeping up to date. However, this reaction is a bit strange. Sometimes there is feedback - sysprep for Windows 8.1 / sdbinst for Win7-10 / shcore for Win10.
Well, UAC elevation requires Mandatory in an Admin group, and if such is the case, [they reckon] with enough patience + some SE [maybe] through exploit/windows/local/ask it's inevitable :)

For them, compromise of an admin account == a complete compromise of the box. But I agree, if the feature is there it should work properly.
vaber wrote: Now the adware-UACME-Hibiki is being spread by virmakers:
7166268F5C6A02D51C80E0AB3348725B
85884D9C5A66E3B4BD953FFDEB791F04
https://mega.nz/#!LMM1VS7J!xeqRgte0CqM- ... oanUDCeBWU
 #26133  by vaber
 Fri Jun 19, 2015 2:32 pm
EP_X0FF wrote: IIRC KB2919355 for Windows 8.1 removes this exe from appinfo.dll!g_lpAutoApproveEXEList, and it is still present only on Windows 7 (which is subject to the free upgrade).
Cool! Thanks for the information.
I only watched the sample under Windows 7.
 #26134  by kmd
 Fri Jun 19, 2015 2:32 pm
EP_X0FF wrote: In addition, 10147 broke the ISecurityEditor->SetSecurity method. It now returns E_INVALID_ARG. It could be a method parameters change or an internal reworking. This means methods related to Simda are dead. Dead for a while (if it is possible to recover the new definition of the interface) or completely (if this change was made for security reasons).
omg m$ read this topic! /tinfoil hat on/ i swear i always use licensed copies of windowz. what next to fix, IFileOP?
 #26135  by EP_X0FF
 Fri Jun 19, 2015 4:58 pm
kmd wrote:
EP_X0FF wrote: In addition, 10147 broke the ISecurityEditor->SetSecurity method. It now returns E_INVALID_ARG. It could be a method parameters change or an internal reworking. This means methods related to Simda are dead. Dead for a while (if it is possible to recover the new definition of the interface) or completely (if this change was made for security reasons).
omg m$ read this topic! /tinfoil hat on/ i swear i always use licensed copies of windowz. what next to fix, IFileOP?
Sure, I can tell you with 100% certainty that they know about it and they read it.

Reworking IFileOperation in combination with the latest changes will mean the end of UAC malware autoelevation in the way we all know it. The problem here - this interface is documented and they need it for backward compatibility AS IS. There still can be workarounds (I don't want to tell which ones, but I'm sure they know) on how it can be used. I think we all should wait a bit and look at further Windows builds, perhaps there will be surprises :) There will still be the possibility to elevate from medium IL with the existing autoElevate bullshit with the help of exploits or social engineering, for example (w/o all the complex changes I mentioned before), but it will be incomparable with the current situation.