Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls allowing it to install malicious code on users PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."

Maybe we should call it...

[Cytlid (95255)]

...son of a BITS.

Re:but does it support Vista?

[jackharrer (972403)]

But does it run on Linux???

Typical Microsoft response

[Black Parrot (19622)]

From TFA:

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

That makes me feel so much safer.

Re:Typical Microsoft response

[Silver Sloth (770927)]

Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!

Re:Typical Microsoft response

[Ravnen (823845)]

I think the issue is that this can help malware to hide itself on a machine it's already infected, by using this BITS service to silently bypass policy settings. BITS itself runs with 'SYSTEM' privileges (the closest thing to 'root' there is on Windows), but I can't tell from the article if malware run by a normal user can hijack BITS, or if it has to be run by an administrator. In the first case, I'd consider it a security vulnerability, but not in the second.

Re:

[by Anonymous Coward]

Would you like to hijack BITS? Cancel or Allow?

Re:Typical Microsoft response

[SparkyFlooner (1090661)]

..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

Re:

[HTH NE1 (675604)]

"Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

They call it ConunDRM.

Re:Typical Microsoft response

[Vancorps (746090)]

huh? I mean seriously, huh? What century are you in?

Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious and with Vista things are blatantly obvious when there is a system change as the Allow Cancel dialog pops up.

Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.

Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.

I'm curious what you think Administrator can't do on a Windows system as well, perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware which also isn't problem? Add in Powershell and I'm thoroughly confused as to what you think administrative users can't do.

Re:

[Tridus (79566)]

You can set up a million hoops, clueless users who want to have flashing emoticons in their email (or whatever the current scams are) will still go through them.

There is no way to program around users that blindly say yes to every prompt. There is however a way to create users who blindly say yes to every prompt, and that is throwing a million prompts at them every time they want to update their video card driver.

Re:

[gazbo (517111)]

It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

When will Microsoft patch these vulnerabilities?!

Re:

[0racle (667029)]

I bet if you replaced Microsoft with Red Hat and BITS with any local root exploit you'd be saying how much more secure Linux is.

Re:Typical Microsoft response

[MillionthMonkey (240664)]

No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

Not that it would matter- I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage which I think fits the definition of a Trojan.

Re:

[J0nne (924579)]

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to the attacker's repo's.

What do you want MS to do to stop this from being possible? If the user runs a random executable as root/a

Your machine has just been updated

[liledevil (1012601)]

14 new virusses have just been installed
please restart your machine to become a zombie

Re:Your machine has just been updated

[thestudio_bob (894258)]

14 new virusses have just been installed
please restart your machine to become a zombie

Accept or Deny?

This will never get old...

Not one the the better MS Patents...

[ITMagic (683618)]

Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?

Correct link

[Random Walk (252043)]

Frank Boldewins site is http://www.reconstructer.org/ [reconstructer.org], not http://www.reconstruction.org/ [reconstruction.org].

Re:

[morgan_greywolf (835522)]

What's worse? A weird Christian page or one that consists only of Flash?!

The weird Christian page; unless you happen to be running Linux x64.

Makes perfect sense

[Megaweapon (25185)]

With a lot of people doing auto-updates might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often then their virus scanners anways.

Re:Makes perfect sense

[zero_offset (200586)]

RTFA, the summary is incorrect. It doesn't exploit Windows Update.

Security quiz linked from TFA

[AmIAnAi (975049)]

Linked off TFA is a quiz checking readers' knowledge of computer security issues. I just love the first answer for question 10:

What is a DDoS attack?

A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

That's one botnet I'd happily join

Windows is safe!

[by Anonymous Coward]

Hi,
I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.

I just talked with my friends at Microsoft and they told me that

"Windows is safe!"

and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.

Maybe from above like the Lord does.

I rather go to church and pray to the Lord for less terrorists than being part in this smear campain against the blessed world leader of IT.

Bill and Melinda think of the children. Do YOU?

Re: Windows is safe!

[Black Parrot (19622)]

I rather go to church and pray to the Lord for less terrorists than being part in this smear campain against the blessed world leader of IT.

Surely it's not too much trouble to pray that your Windows box will be secure too, while you're at it.

Re:

[by Anonymous Coward]

Well, He might be omnipotent enough to create logical fallacies and Creationists, but that doesn't mean He's powerful enough to fix Windows.

A little overstated

[140Mandak262Jamuna (970587)]

Yes, it makes life a little easy for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff into the computer? Once the machine is compromised, it can use even ftp to download stuff. Dont blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.

Re:

[0123456 (636235)]

"But all users whitelist their browsers in their firewall software to make outbound connections."

Speak for yourself. I have Zonealarm block every IE connection unless I specifically allow it... no way will I trust that piece of crap to go talking to random web sites without permission.

Re:

[jrumney (197329)]

My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

WGA

[by Anonymous Coward]

The good news is that it only installs the malware if you're running Genuine windows.

Manual updates at risk?

[Urban Garlic (447282)]

It sounds from the article (yes, I read it, no, I'm not new here...) like surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware right at that time.

If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm sur

Re:

[EvilGrin666 (457869)]

If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

Manual downloads from Windows update use BITs. Check %SYSTEMROOT%\WindowsUpdate.log while doing an update if your curious.

Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download?

BITs runs as a service under the system account. It can do whatever it wants. However it needs to be woken up to do it, as it's default service state is set as 'Manual'.

Re:

[Applekid (993327)]

There's always Windiz Update [windizupdate.com].

click here

[gEvil (beta) (945888)]

Is your Windows Update not infected yet? Click here [127.0.0.1] to infect it!

Re:

[Tribbin (565963)]

You are right!

I clicked on the link and it redirected me to http://127.0.0.1/apache2-default/ [127.0.0.1] and the page confirms that it works!

Let me be the first to say...

[SadGeekHermit (1077125)]

If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

Me, I'm relaxed and enjoying a soda.

Overblown

[MrNonchalant (767683)]

It should be pointed out that malicious code needs to already be running on the host machine to use this.

Can you safely disable BITS?

[guanxi (216397)]

I've considered disabling the BITS service before (i.e, via services.msc), especially since I usually run Windows Update manually. But I read hints that it may break other applications, including from Microsoft's documenation [microsoft.com]:

You should not set the Startup Type to Disabled. Disabling BITS may break applications, such as Windows Update, that rely on BITS to transfer files.

However, I've never found anything more specific -- does anyone know the consequences of disabling BITS?

Re:

[figleaf (672550)]

Why don't you also go ahead and disable HTTP also. Surely malware can also use HTTP.

Re:

[guanxi (216397)]

To partly answer my own question, here's a pretty good analysis of BITS:

        http://www.firewallleaktester.com/news.htm#57 [firewallleaktester.com]

Nice work! A program to infect an already ...

[figleaf (672550)]

...infected machine!! Man who knew that would be even possible?

and yet...

[dAzED1 (33635)]

and yet, people still believe this crap [slashdot.org] - that MS is only hit far more often per install because it's a more tempting target due to numbers alone, not lack of security as part of the design process.

Eh. What can ya do.

Re:and yet...

[drinkypoo (153816)]

How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

Re:

[ajs318 (655362)]

Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

Oh, wait, that's bollocks. And so is your argument.

Microsoft's Makes a Buck, However

[VE3OGG (1034632)]

Dear Sirs,

Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, included patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).

Thank You

Kindly,

The MS Legal Eagles

Story is innacurate

[FooHentai (624583)]

Its not really Windows Update that's being used in this exploit, its the Background Intelligent Transfer Service which, in a nutshell, is a service that downdaloads data to your PC while minimising disruption to other network activity i.e. surfing the net, gaming, or downloading other files. Its a built-in feature of Windows XP but has only been implemented once or twice.

Windows update makes use of the BITS service. Malware can make use of the BITS service. Its not logical to then say that Malware is exploiting Windows update. Any more than an attack that utilised Java would be exploiting Azureus (A java application).

The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.

I've always been curious...

[Belial6 (794905)]

I've always been curious (not enough to do the research I guess) what kind of security the windows update does to prevent someone from using control of DNS and or routers to get windows update to install malware. Given that people often use DNS and routers that the cannot really trust, is there something that prevents a bad guy from just redirecting all traffic that is attempting to hit MS's update site to their their own server that is set up to look like it is MS's update site? Given how many people have their laptops set up to do automatic updates, I would think that it would be easy to just take a loptop to a coffee shop, and watch as other patrons 'update' from your access point.

Completely misleading

[cooldev (204270)]

BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwith. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708. aspx [microsoft.com], and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not Hijacking Windows Update. They're using a generic well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.

More Symantec Baloney

[ThinkFr33ly (902481)]

Singling out "BITS" is stupid. The exact same thing can be done with virtually any service or application that is allowed to pass through the local outgoing software firewall. As long as the software has some kind of programmatic interface, it can easily be used to bypass these firewalls.

I wrote a proof of concept application that bypassed all of the major outgoing software firewalls (BlackIce, Zonealarm, McAfee, Symantec) by utilizing the COM interfaces for Internet Explorer and funneling all my requests through it. This is almost impossible to detect. Even better, I wrote this app in freakin' VB!

The real problem is that local outgoing software firewalls simply don't work in an environment where all the users are admin. Once the machine is compromised, it's compromised. No number of software defenses are going to help. This includes, by the way, Symantec's expensive and incredibly crappy products. These products are there to make users feel secure, not actually make them secure.

Remember WordMasters from grade school? You know, the analogy test they used to give every once in a while. Here is an analogy for you:

Symantec is to computer security as the Bush Administration is to homeland security.

They do their best to scare the crap out of people in an attempt to get them to buy their software... or vote for their party. Don't trust either of them and you'll be better off.

Re:

[plover (150551)]

. . . why didn't this happen before? Did it happen before and just now somebody found out?

Well, that's exactly the problem with undisclosed vulnerabilities. You never know if someone has used them before or not. At least publishing a vulnerability will make sure that if someone was exploiting it, they'll be out of business once it's patched.

Yes, you can.

[DrYak (748999)]

if you have malware installed on your computer with administrator privileges [...] You can't trust your OS installation at all.

No, I don't agree.
No matter what, buggy drivers, compromised machine, spilled coffee, you can always count on your trustworthy old friend, mister Blue-Screen©® !