A security researcher at ExploitDevelopment.com has discovered a flaw in Microsoft Windows SAM processing that allows continued administrative access.
According to ExploitDevelopment.com, all versions of Microsoft Windows allow real-time modifications to the Security Accounts Manager (SAM) that enable an attacker to create a hidden administrative backdoor account for continued access once a system has been compromised. Once an attacker has compromised a Microsoft Windows computer system by any method, they can either leave behind a regular user account or hijack a known user account (such as ASPNET). That user account will then have all of the rights of the built-in local Administrator account over local and remote connections, and will also share the Administrator’s desktop and profile.
Further, the attacker can make the regular user account hard to detect by creating a user whose name is the character typed as “ALT-0160”, which displays as a blank space. If the system administrator has enabled auditing, events pertaining to the hidden account are still written to the audit log, but their user name fields are all blank. The Task Scheduler service needs to be enabled only while the method is being started on the compromised system. This method can be used to masquerade as any user account on the computer system.
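The blank-looking account name and the blank user-name fields in audit events are the two observable traces the advisory describes, and both can be checked for. The following script is an added example written for this page, not code from ExploitDevelopment.com; it flags local account names that are empty or consist only of invisible code points (the non-breaking space U+00A0 produced by ALT+0160, zero-width and control characters), and flags audit records whose target user name is blank. The account list, the `key=value;` record layout and the sample records are constructed for illustration; on a real host the names would come from local account enumeration and the records from the Security event log.

```python
"""Detect hidden local accounts whose names are blank or made of invisible
characters, and audit records whose user-name field is blank.

Added example with constructed sample data; not taken from a real host.
"""
import unicodedata

# Unicode general categories that render as nothing or as blank space:
# Zs = space separators (includes U+00A0, the ALT+0160 non-breaking space),
# Cf = format characters (zero-width space etc.), Cc = control characters.
INVISIBLE_CATEGORIES = {"Zs", "Cf", "Cc"}


def describe_name(name):
    """Return the name as a code-point listing, e.g. 'U+00A0', so that a
    blank-looking name is visible in a report."""
    return " ".join(f"U+{ord(ch):04X}" for ch in name) or "<empty>"


def is_hidden_name(name):
    """True if the name is empty or consists only of blank/invisible code
    points, so it shows as an empty field in account tools and audit logs."""
    return all(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name)


def has_invisible_chars(name):
    """True if an invisible character is embedded in an otherwise normal name,
    e.g. 'backup\u200b', which displays as 'backup' but is a different account."""
    return any(unicodedata.category(ch) in INVISIBLE_CATEGORIES for ch in name)


def scan_accounts(names):
    """Classify account names; returns a list of (name, codepoints, reason)."""
    findings = []
    for name in names:
        if is_hidden_name(name):
            findings.append((name, describe_name(name), "blank or invisible-only name"))
        elif has_invisible_chars(name):
            findings.append((name, describe_name(name), "invisible characters embedded in name"))
    return findings


def parse_audit_line(line):
    """Parse a constructed 'key=value; key=value' audit record into a dict.
    Only ASCII spaces are stripped from values, so a non-breaking space in a
    user-name field survives and can be detected."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip(" ")
    return fields


def scan_audit(lines):
    """Flag account-management records whose TargetUserName is blank.
    Returns a list of (event_id, acting_user, target_codepoints)."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        target = rec.get("TargetUserName", "")
        if is_hidden_name(target):
            hits.append((rec.get("EventID"), rec.get("SubjectUserName"), describe_name(target)))
    return hits


# Constructed sample data (not from a real system). Event IDs 4720 (user account
# created) and 4732 (member added to a local group) are real Windows IDs; the
# record layout is this example's own.
SAMPLE_ACCOUNTS = ["Administrator", "Guest", "ASPNET", "\u00a0", "backup\u200b", "jsmith"]
SAMPLE_AUDIT = [
    "EventID=4720; SubjectUserName=jsmith; TargetUserName=\u00a0",
    "EventID=4720; SubjectUserName=Administrator; TargetUserName=jdoe",
    "EventID=4732; SubjectUserName=jsmith; TargetUserName=\u00a0",
]

if __name__ == "__main__":
    for name, codepoints, reason in scan_accounts(SAMPLE_ACCOUNTS):
        print(f"account {codepoints}: {reason}")
    for event_id, actor, codepoints in scan_audit(SAMPLE_AUDIT):
        print(f"event {event_id} by {actor}: blank target user name ({codepoints})")
```

Reporting names as code points rather than printing them is deliberate: a report that prints the raw name would itself show an empty field, which is exactly what the hidden account relies on. The same classification can be applied to the members of the local Administrators group, since the advisory's backdoor account carries administrative rights.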
Steps to exploit this vulnerability are available here.