
Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls, allowing it to install malicious code on users' PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."
  • by Cytlid ( 95255 ) on Wednesday May 16, 2007 @09:41AM (#19145213)
    ...son of a BITS.
  • by Black Parrot ( 19622 ) on Wednesday May 16, 2007 @09:42AM (#19145227)
    From TFA:

    However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.
    That makes me feel so much safer.

    • by Silver Sloth ( 770927 ) on Wednesday May 16, 2007 @09:47AM (#19145307)
      Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

      However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!
      • by Ravnen ( 823845 ) on Wednesday May 16, 2007 @10:27AM (#19145963)
        I think the issue is that this can help malware to hide itself on a machine it's already infected, by using this BITS service to silently bypass policy settings. BITS itself runs with 'SYSTEM' privileges (the closest thing to 'root' there is on Windows), but I can't tell from the article if malware run by a normal user can hijack BITS, or if it has to be run by an administrator. In the first case, I'd consider it a security vulnerability, but not in the second.
        • Re: (Score:3, Funny)

          by Anonymous Coward
          Would you like to hijack BITS? Cancel or Allow?
    • by SparkyFlooner ( 1090661 ) on Wednesday May 16, 2007 @09:52AM (#19145393)
      ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."
      • Re: (Score:3, Funny)

        by HTH NE1 ( 675604 )

        "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."
        They call it ConunDRM.
      • ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

        Sure, but I think it would be more cost effective if they made the OS impossible to have a Trojan in the first place.

        Here is my take... A 3rd party application should never... EVER be able to modify anything with the OS unless the user specifically jumps through hoops of fire to allow this. It should not be a cancel o
        • Re: (Score:3, Insightful)

          by Tridus ( 79566 )
          You can set up a million hoops, clueless users who want to have flashing emoticons in their email (or whatever the current scams are) will still go through them.

          There is no way to program around users that blindly say yes to every prompt. There is however a way to create users who blindly say yes to every prompt, and that is throwing a million prompts at them every time they want to update their video card driver.
          • There is no way to program around users that blindly say yes to every prompt.

            I'm not suggesting providing a prompt at all. If a program wants to modify the OS, it should not be given an option. It should not even prompt to run the password for an admin account. It simply should not be allowed.

            If a user really wants to install it, they need to run an application much like OS X's NetInfo Manager, in which they had to specially type in a text string to enable the root account.

            (I would like to also point out
      • ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

        That is one of the features for VISTA that got nixed during development.
    • Re: (Score:3, Insightful)

      by gazbo ( 517111 )
      It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

      When will Microsoft patch these vulnerabilities?!

    • by 0racle ( 667029 )
      I bet if you replaced Microsoft with Red Hat and BITS with any local root exploit you'd be saying how much more secure Linux is.
    • by MillionthMonkey ( 240664 ) on Wednesday May 16, 2007 @10:01AM (#19145521)
      No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

      Not that it would matter; I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage, which I think fits the definition of a Trojan.
      • Cheers to that, I thought the same thing. In my company I have to authorize all the updates which get pushed to all the workstations, so such a thing wouldn't work here even if it were possible. WGA is the sole reason I'm always careful come update day; I always have to make sure it's not selected. I wish SMS had a hide-forever feature like Automatic Update does.
    • Re: (Score:3, Insightful)

      by J0nne ( 924579 )

      However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

      Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to the attacker's repos.

      What do you want MS to do to stop this from being possible? If the user runs a random executable as root/a

      • But you'd have to get them to type "sudo" or supply their user password to run it. Windows? You double click on the attachment that says "Parits Hilton Bewbiez!", and click "Ok" on the warning, and you're hosed. Which one do you think is more likely to happen?
        • by J0nne ( 924579 )
          That's not the point. Getting the original trojan installed is the difficult part. After it's installed it can do whatever it wants. Getting it installed on the system is easier on Windows than on Linux / OS X, but this article is about something that happens after the trojan was run, and that's something no OS can protect you from.

          What do you want MS to do? disallow even the administrator from writing to system files? The only thing that could protect you against stuff like that is "trusted computing", w
    • >That makes me feel so much safer.

      It should. They are running a program with admin rights on a box, and we're supposed to be scared about what it can do to Windows Update? It can pretty much do anything it's coded to do. Of course the Slashdot blurb implies that someone has hacked WU.
  • by liledevil ( 1012601 ) on Wednesday May 16, 2007 @09:45AM (#19145273) Homepage
    14 new viruses have just been installed
    please restart your machine to become a zombie
  • by ITMagic ( 683618 ) on Wednesday May 16, 2007 @09:46AM (#19145295) Homepage
    Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?
  • Correct link (Score:5, Informative)

    by Random Walk ( 252043 ) on Wednesday May 16, 2007 @09:46AM (#19145297)
    Frank Boldewin's site is http://www.reconstructer.org/ [reconstructer.org], not http://www.reconstruction.org/ [reconstruction.org].
  • by Megaweapon ( 25185 ) on Wednesday May 16, 2007 @09:46AM (#19145301) Homepage
    With a lot of people doing auto-updates, you might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often than their virus scanners anyway.
  • by AmIAnAi ( 975049 ) * on Wednesday May 16, 2007 @09:47AM (#19145311)
    Linked off TFA is a quiz checking readers' knowledge of computer security issues. I just love the first answer for question 10:

    What is a DDoS attack?

    A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

    That's one botnet I'd happily join
    • I want a recount. First of all, how come knowing which platform the first virus ever invented targeted is of any use for my security knowledge?

      Then the serious complaints:

      Q: Windows is nagging you to update the operating system. What do you do?

      Alleged correct answer: "Install the updates as soon as they become available". WTF? What if I don't want any WGA trojan?

      Q: You need to choose a password for the account you have set up at an online shop. What do you do?

      The answer for most is "Pick one t

  • by Anonymous Coward on Wednesday May 16, 2007 @09:48AM (#19145317)
    Hi,
    I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.

    I just talked with my friends at Microsoft and they told me that

    "Windows is safe!"

    and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.

    Maybe from above like the Lord does.

    I'd rather go to church and pray to the Lord for fewer terrorists than be part of this smear campaign against the blessed world leader of IT.

    Bill and Melinda think of the children. Do YOU?
    • I'd rather go to church and pray to the Lord for fewer terrorists than be part of this smear campaign against the blessed world leader of IT.
      Surely it's not too much trouble to pray that your Windows box will be secure too, while you're at it.
      • Re: (Score:2, Funny)

        by Anonymous Coward
        Well, He might be omnipotent enough to create logical fallacies and Creationists, but that doesn't mean He's powerful enough to fix Windows.
    • by PhxBlue ( 562201 )
      Jerry, is that you??
  • A little overstated (Score:4, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Wednesday May 16, 2007 @09:54AM (#19145429) Journal
    Yes, it makes life a little easier for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff into the computer? Once the machine is compromised, it can use even ftp to download stuff. Don't blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.
    • by 0123456 ( 636235 )
      "But all users whitelist their browsers in their firewall software to make outbound connections."

      Speak for yourself. I have Zonealarm block every IE connection unless I specifically allow it... no way will I trust that piece of crap to go talking to random web sites without permission.
      • Well, have you whitelisted Firefox? Or do you click "allow" every time you launch the browser? Looks like you are paranoid enough to avoid trojans. But if you do get such malware, and if it uses Firefox to download more stuff, would you blame Firefox?
        • Presumably even if you have Firefox whitelisted and a trojan uses it to download more malware, that malware can only be run with user permissions, not "System" permissions like BITS has. Therefore the amount of damage Firefox can do on a decently designed OS is limited to the damage a non-privileged user account can do, and no more.
          • BITS doesn't do installs, it only does rate-limited transfers. Malware downloaded by BITS would still need higher-level privs to install into the system. All BITS does is avoid the "XXX program is trying to use the internet" message that windows throws up.
    • by jrumney ( 197329 )
      My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.
      • My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

        But it is a conjecture or speculation on your part. It is possible that MSFT has given more privileges to BITS over other parts and a privilege escalation vulnerability could be found in future. But as of now, malware using the Windows downloader is no different from malware using Firefox, Infernal Exploder or plain vanilla ftp.

  • WGA (Score:3, Funny)

    by Anonymous Coward on Wednesday May 16, 2007 @09:55AM (#19145431)
    The good news is that it only installs the malware if you're running Genuine windows.
  • It sounds from the article (yes, I read it, no, I'm not new here...) like surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware right at that time.

    If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

    Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm sur
    • If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

      Manual downloads from Windows Update use BITS. Check %SYSTEMROOT%\WindowsUpdate.log while doing an update if you're curious.

      Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download?

      BITS runs as a service under the system account. It can do whatever it wants. However, it needs to be woken up to do it, as its default service state is set as 'Manual'.
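      A defender-side way to check the two facts this reply states (BITS runs under the system account and has a Manual start type), and to watch for the re-enabling that another reply in this thread warns about, is to read the service configuration from WMI and look for Service Control Manager events recording start-type changes. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes an elevated session on a Windows host, and the `DaysBack` parameter is a hypothetical name chosen for this example. Event ID 7040 and the `System` log name are standard Windows values.

```powershell
# Added example (not from the thread): inspect the BITS service configuration
# and look for recent changes to its start type in the System event log.
# Assumption: run from an elevated PowerShell session on a Windows host.

function Get-BitsServiceStatus {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and StartName,
    # the account the service runs as (LocalSystem for BITS by default).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = 'BITS'"
    if (-not $svc) { throw "BITS service not found on this host" }
    [pscustomobject]@{
        Name       = $svc.Name
        State      = $svc.State
        StartMode  = $svc.StartMode
        RunsAs     = $svc.StartName
        BinaryPath = $svc.PathName
    }
}

function Get-BitsStartTypeChanges {
    # Hypothetical parameter for this example: how far back to search.
    param([int]$DaysBack = 30)
    # Event 7040 from Service Control Manager records "The start type of the
    # <service> service was changed from <old> to <new>". The message carries
    # the display name, so filter on that to keep only BITS changes.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
        StartTime    = (Get-Date).AddDays(-$DaysBack)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Background Intelligent Transfer Service' } |
        Select-Object TimeCreated, Id, Message
}

Get-BitsServiceStatus | Format-List
Get-BitsStartTypeChanges | Format-Table -AutoSize -Wrap
```

      A start type flipping from Disabled back to Manual or Automatic without a matching change-management record is the signal worth alerting on; the service configuration alone tells you only the current state.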

    • There's always Windiz Update [windizupdate.com].
    • Re: (Score:2, Insightful)

      BITS is just yet another way of delivering software to your machine. It's supposed to allow you to download stuff like updates without hogging all your bandwidth. Works well on cable/dsl. Dial up or ISDN, not so much. There are other companies that use BITS for various other applications, for example Sony OE uses it when they are rolling out a big big patch in SW: Galaxies to roll parts of it out early, in theory while you are playing without impacting your game. Again, on Dial up or ISDN that doesn't work
  • click here (Score:4, Funny)

    by gEvil (beta) ( 945888 ) on Wednesday May 16, 2007 @09:55AM (#19145447)
    Is your Windows Update not infected yet? Click here [127.0.0.1] to infect it!
  • by SadGeekHermit ( 1077125 ) on Wednesday May 16, 2007 @09:56AM (#19145461)
    If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

    Me, I'm relaxed and enjoying a soda.

    • If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

      Ok, so I feel detached and amused, but I'm still left wondering why it is that Windows users always seem to have all the new neato features.

      From Symantec's Malware Update with Windows Update [symantec.com]

      It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth. It's a very nice component and if you consider

      • It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth
        Is there anything else to say besides "Uhhhh...."?
    • Snort (Score:2, Interesting)

      by anss123 ( 985305 )
      I'm sitting here on Windows chuckling over so called geeks that don't understand the issue at hand. If a computer is compromised, then the software firewall can be disabled. The BITS stream that comes out of the comp can be emulated by software on Linux and Mac OS, to the same effect as Windows.

      The "news" here is that there is software capable of doing this, not that it can't be done. True, BITS is a protocol created to work around firewalls, but it is hardly the only protocol engineered to do that.

      Oh,
      • UUUUUUUHHHHH, not so fast there, professor.

        I understand the issue at hand perfectly. Microsoft uses the BITS protocol to manage Windows Update downloads and work around firewalls. A trojan that gets ahold of your windows system can use the BITS system to implement updates and installs of malware, thus making malware maintenance as convenient as Windows Update itself.

        So, not only is your Windows box easy to hose because it's got so many critical vulnerabilities and Microsoft (not being open source) is the on
        • by Tridus ( 79566 )
          No, it can't "use WINDOWS UPDATE ITSELF." For crying out loud, RTFA.

          BITS is a service that can be told to download stuff. Windows Update uses it to download stuff. BITS can also be told to download other stuff. In this case, an already infected system uses it to download more infections, rather than, say, creating an HTTP connection itself.
          • Oh, pardon me ALL OVER THE PLACE (said in my best Robert Mitchum impersonation).

            BITS is a piece of Windows Update (it's the system Microsoft built to let Windows Update get past your firewall).

            Therefore...

            using BITS is like using Windows Update. Or at least part of it. And it makes life easier for spyware authors.

            Nyah, nyah! Pbbbbbbbbbt!

  • Overblown (Score:5, Informative)

    by MrNonchalant ( 767683 ) on Wednesday May 16, 2007 @10:01AM (#19145517)
    It should be pointed out that malicious code needs to already be running on the host machine to use this.
  • by guanxi ( 216397 ) on Wednesday May 16, 2007 @10:04AM (#19145571)
    I've considered disabling the BITS service before (i.e., via services.msc), especially since I usually run Windows Update manually. But I read hints that it may break other applications, including from Microsoft's documentation [microsoft.com]:

    You should not set the Startup Type to Disabled. Disabling BITS may break applications, such as Windows Update, that rely on BITS to transfer files.


    However, I've never found anything more specific -- does anyone know the consequences of disabling BITS?
    • by figleaf ( 672550 )
      Why don't you also go ahead and disable HTTP also. Surely malware can also use HTTP.
    • by guanxi ( 216397 )
      To partly answer my own question, here's a pretty good analysis of BITS:

              http://www.firewallleaktester.com/news.htm#57 [firewallleaktester.com]
    • by dknj ( 441802 )
      No, let me stop this stupid flow of ideas. You can stop or disable BITS, but it won't do you any good. The malware must be installed first to take advantage of it, so unless you actually remove BITS from your system (not likely), malware can just contact the Service Control Manager and re-enable the BITS service (run sc from the command prompt or read up on WMI if you want to learn more about controlling services from scripts/batch files).

      Of course the malware could also just use your favorite networking sta
      • by guanxi ( 216397 )
        I'm considering disabling BITS not because of this attack -- as I said, I considered it before. BITS is an obvious vector for attacks. The benefits of disabling it are probably not large, but it's cheap and easy to implement -- the question is, what other costs are there, in terms of compatibility, etc.

        No matter how you secure your computer, there are ways around it. All you can do is make it more difficult for the attacker.
    • There's a simple wizard that helps you get rid of BITS. You can download it here [cutlersoftware.com]
  • by figleaf ( 672550 ) on Wednesday May 16, 2007 @10:04AM (#19145577) Homepage
    ...infected machine!! Man who knew that would be even possible?
  • and yet, people still believe this crap [slashdot.org] - that MS is only hit far more often per install because it's a more tempting target due to numbers alone, not lack of security as part of the design process.

    Eh. What can ya do.
    • Re:and yet... (Score:5, Insightful)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 16, 2007 @10:16AM (#19145735) Homepage Journal

      How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

      • by dAzED1 ( 33635 )
        I challenge you to write something that will install itself as part of my average web surfing, daily computer use experience, and will then change how other layers operate.

        Unless you're saying you use your debian box logged in as root to surf and do work?
        • I challenge you to write something that will install itself as part of my average web surfing, daily computer use experience, and will then change how other layers operate.

          There have been numerous examples of local privilege escalation exploits on OpenBSD, let alone Debian.

          Could I do it? Probably not. I'm not much of a programmer. Could people who regularly write malware do it? Probably.

          Unless you're saying you use your debian box logged in as root to surf and do work?

          No. I do it with Windows of course

      • Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit!

        That's the thing the article doesn't make clear: Does this exploit require that the trojan be executed with admin privileges, or can it get the necessary privileges from a standard user account?

        If the former, then clearly this isn't MS' fault at all. Got Root? Got Pwned. If the latter, then it's a local privilege escalation bug that is MS' fault. It may still requir
    • Re: (Score:3, Insightful)

      by ajs318 ( 655362 )
      Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

      Oh, wait, that's bollocks. And so is your argument.
      • by dAzED1 ( 33635 )
        maybe you're not aware of this, so I'll let you know. apache isn't an operating system - it's a web server. In fact, it's a web server that will run on almost all the operating systems out there. Linux, Solaris, Windows, OS/X, HPUX...on and on.

        Just letting you know to be helpful.
        • by ajs318 ( 655362 )
          Apache isn't even a web server, it's a software company. Apache HTTPD is a web server (it stands for HTTP Daemon).

          Just letting you know to be helpful.

          The question left unanswered is: Is it generally easier or harder to make an exploit at the application level, as compared to the OS level? And, once we take this into account, how does the Apache HTTPD application monoculture then compare with the Windows OS monoculture?
          • by dAzED1 ( 33635 )
            I'm waiting for your point here. I state that the OSs have differences in how they view security, and that, more than number of installs, is why it is hacked. You then make some odd, unrelated statement about Apache HTTPD, and say my claim is wrong. Now you're splitting hairs about Apache, when ya know...I've been around long enough that I still call the damn thing Apache. Sorry. I call Tomcat Tomcat as well, not the Apache Tomcat partial Java servlet engine, or whatever.

            So I suppose my question
  • by VE3OGG ( 1034632 ) <VE3OGG@@@rac...ca> on Wednesday May 16, 2007 @10:10AM (#19145667)
    Dear Sirs,

    Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, included patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).

    Thank You

    Kindly,

    The MS Legal Eagles
  • by FooHentai ( 624583 ) on Wednesday May 16, 2007 @10:13AM (#19145703) Homepage
    It's not really Windows Update that's being used in this exploit, it's the Background Intelligent Transfer Service which, in a nutshell, is a service that downdaloads data to your PC while minimising disruption to other network activity, i.e. surfing the net, gaming, or downloading other files. It's a built-in feature of Windows XP but has only been implemented once or twice.

    Windows Update makes use of the BITS service. Malware can make use of the BITS service. It's not logical to then say that malware is exploiting Windows Update, any more than an attack that utilised Java would be exploiting Azureus (a Java application).

    The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

    A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

    So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.
    • by ajs318 ( 655362 )

      The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net.

      And this is what's wrong with Windows' security model.

      Firewalls shouldn't be caring about which programs want access to the outside world. Firewalls should be caring about which bit of the outside wor

    • ...a service that downdaloads data to your PC...

      Aw, man...now I've got Windows envy. I wish my Linux PC could downdaload data! (sorry, I couldn't resist!) :)
  • by Belial6 ( 794905 ) on Wednesday May 16, 2007 @10:28AM (#19145987)
    I've always been curious (not enough to do the research, I guess) what kind of security Windows Update does to prevent someone from using control of DNS and/or routers to get Windows Update to install malware. Given that people often use DNS and routers that they cannot really trust, is there something that prevents a bad guy from just redirecting all traffic that is attempting to hit MS's update site to their own server that is set up to look like it is MS's update site? Given how many people have their laptops set up to do automatic updates, I would think that it would be easy to just take a laptop to a coffee shop, and watch as other patrons 'update' from your access point.
    • by SEMW ( 967629 )
      Wouldn't you either need to either hack into their ISP's DNS servers and change Windowsupdate.com to redirect to your site, or else get into the target PC and change their default DNS server from their ISP to a box you've set up? The former would be nigh-on impossible, and if you've done the latter you've already compromised the PC; so why bother fiddling about with Windowsupdate?
  • I've had more than enough with malware writers. They are absolutely useless to polite society. 10 years in jail and a life-time ban against ever touching another computer on the first conviction.
  • by cooldev ( 204270 ) on Wednesday May 16, 2007 @10:41AM (#19146229)

    BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwidth. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708.aspx [microsoft.com], and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

    Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

    Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

    Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not Hijacking Windows Update. They're using a generic well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.
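    The comment above and FooHentai's post earlier in the thread make the same point from the defender's side: an application-level firewall sees the BITS service open the connection, not the program that queued the download, so the place to look is the BITS job queue itself. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes an elevated session with the BitsTransfer module available (Windows 7 / Server 2008 R2 and later), enumerates jobs for all users, and flags any job that pulls from a host outside a constructed allow-list or that has a notify command attached (a command BITS runs when the transfer completes). The allow-list suffixes are constructed for illustration.

```powershell
# Added example (not from the thread or from Microsoft): audit BITS jobs for
# every user and flag the ones worth a closer look. Assumptions: elevated
# PowerShell, BitsTransfer module present (Windows 7 / Server 2008 R2+).
Import-Module BitsTransfer

# Constructed allow-list for illustration: hosts whose downloads are expected.
# Adjust to your own update infrastructure (WSUS server, vendor CDN, etc.).
$AllowedHostSuffixes = @('microsoft.com', 'windowsupdate.com')

function Test-AllowedHost {
    param([string]$Url)
    try { $hostName = ([uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    if (-not $hostName) { return $false }
    foreach ($suffix in $AllowedHostSuffixes) {
        if ($hostName -eq $suffix -or $hostName.EndsWith('.' + $suffix)) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJobs {
    # -AllUsers returns jobs queued under every account, including SYSTEM,
    # which is where a job created by an elevated process would appear.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job     = $_
        $remotes = @($job.FileList | ForEach-Object { $_.RemoteName })
        $unknown = @($remotes | Where-Object { -not (Test-AllowedHost $_) })
        [pscustomobject]@{
            JobId         = $job.JobId
            DisplayName   = $job.DisplayName
            Owner         = $job.OwnerAccount
            State         = $job.JobState
            Created       = $job.CreationTime
            UnknownHosts  = $unknown
            LocalPaths    = @($job.FileList | ForEach-Object { $_.LocalName })
            # A notify command runs when the job completes: download followed
            # by execution, which is exactly the pattern the thread describes.
            NotifyCmdLine = $job.NotifyCmdLine
        }
    } | Where-Object { $_.UnknownHosts.Count -gt 0 -or $_.NotifyCmdLine }
}

Get-SuspiciousBitsJobs | Format-List
```

    An empty result is not a clean bill of health: a completed job leaves the queue once it is finalised, so this check is a point-in-time view and pairs best with whatever job-creation logging the platform version offers.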

  • The problem isn't BITS. The problem is the idea that BITS is "trusted". Should you trust every FTP server your computer connects to? Every HTTP server? Of course not. Then why BITS?

    The Windows firewall model of "trust this program" is inherently incorrect, and that's the real source of this issue. I really hate to say it, but Internet Explorer gets this right - programs aren't trusted, places you can connect to are trusted.

  • MSFT will sue the spyware authors for breaching Microsoft patented technology.
  • by ThinkFr33ly ( 902481 ) on Wednesday May 16, 2007 @11:04AM (#19146637)
    Singling out "BITS" is stupid. The exact same thing can be done with virtually any service or application that is allowed to pass through the local outgoing software firewall. As long as the software has some kind of programmatic interface, it can easily be used to bypass these firewalls.

    I wrote a proof of concept application that bypassed all of the major outgoing software firewalls (BlackIce, Zonealarm, McAfee, Symantec) by utilizing the COM interfaces for Internet Explorer and funneling all my requests through it. This is almost impossible to detect. Even better, I wrote this app in freakin' VB!

    The real problem is that local outgoing software firewalls simply don't work in an environment where all the users are admin. Once the machine is compromised, it's compromised. No number of software defenses is going to help. This includes, by the way, Symantec's expensive and incredibly crappy products. These products are there to make users feel secure, not actually make them secure.

    Remember WordMasters from grade school? You know, the analogy test they used to give every once in a while. Here is an analogy for you:

    Symantec is to computer security as the Bush Administration is to homeland security.

    They do their best to scare the crap out of people in an attempt to get them to buy their software... or vote for their party. Don't trust either of them and you'll be better off.
    • I don't know why the parent has been modded flamebait; s/he makes an excellent point; especially about Symantec.

      McAfee do it too -- have a look at http://www.avertlabs.com/research/blog/?p=218#comment-32657 [avertlabs.com], an exploit that gives an attacker "full access to the system". A little lower down, it is noted that the attack "requires... administrator [privileges]", but goes on to say that "a determined attacker can always find workarounds". WTF??? It's an attack the purpose of which is to malware running wi
      • It was modded as flamebait because of my Bush Administration comment, I'm sure.

        Really, it was flamebait I guess... but my other points are valid regardless of my unnecessary, but imho funny (and accurate), political analogy.
