
Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls, allowing it to install malicious code on users' PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."
  • Correct link (Score:5, Informative)

    by Random Walk ( 252043 ) on Wednesday May 16, 2007 @10:46AM (#19145297)
    Frank Boldewin's site is http://www.reconstructer.org/ [reconstructer.org], not http://www.reconstruction.org/ [reconstruction.org].
  • by Silver Sloth ( 770927 ) on Wednesday May 16, 2007 @10:47AM (#19145307)
    Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

    However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!
  • A little overstated (Score:4, Informative)

    by 140Mandak262Jamuna ( 970587 ) on Wednesday May 16, 2007 @10:54AM (#19145429) Journal
    Yes, it makes life a little easier for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff into the computer? Once the machine is compromised, it can use even ftp to download stuff. Don't blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.
  • Overblown (Score:5, Informative)

    by MrNonchalant ( 767683 ) on Wednesday May 16, 2007 @11:01AM (#19145517)
    It should be pointed out that malicious code needs to already be running on the host machine to use this.
  • by cooldev ( 204270 ) on Wednesday May 16, 2007 @11:41AM (#19146229)

    BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwidth. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708.aspx [microsoft.com], and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

    Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

    Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

    Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not hijacking Windows Update. They're using a generic, well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.
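Since the BITS service, not the calling program, makes the outbound connection, the defender-side check is to audit the jobs and the BITS client event log rather than the per-process firewall. The script below is an added example, not code from any poster in this thread or from Microsoft: it lists live BITS jobs for every account and flags remote URLs outside an allow-list of hosts, then does the same over the BITS client operational log so finished-and-deleted jobs still show up. It assumes an elevated PowerShell session (needed for `-AllUsers`), a modern Windows with the `Microsoft-Windows-Bits-Client/Operational` log, and an allow-list that is only illustrative.

```powershell
# Added example (not from the thread): audit BITS jobs for transfers from unexpected hosts.
# Assumes an elevated session; $AllowedHosts is an illustrative placeholder list.
Import-Module BitsTransfer

$AllowedHosts = @('windowsupdate.com', 'microsoft.com')   # adapt to your environment

function Test-AllowedHost {
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($h in $AllowedHosts) {
        if ($hostName -eq $h -or $hostName.EndsWith(".$h")) { return $true }
    }
    return $false
}

# 1. Live jobs, including those owned by SYSTEM or other logged-on users.
function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedHost $file.RemoteName)) {
                [pscustomobject]@{
                    JobId      = $job.JobId
                    Name       = $job.DisplayName
                    Owner      = $job.OwnerAccount
                    State      = $job.JobState
                    RemoteName = $file.RemoteName
                    LocalName  = $file.LocalName
                    Created    = $job.CreationTime
                }
            }
        }
    }
}

# 2. Historical view: event 59 (transfer started) and 60 (transfer stopped) carry the URL,
#    so a job that completed and was removed still leaves a record.
function Get-SuspiciousBitsEvent {
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59, 60 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'https?://[^\s,]+') {
                $url = $Matches[0]
                if (-not (Test-AllowedHost $url)) {
                    [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Url = $url }
                }
            }
        }
}

Get-SuspiciousBitsJob   | Format-Table -AutoSize
Get-SuspiciousBitsEvent | Format-Table -AutoSize
```

Because the calling process is not in the job object, correlate a flagged job's owner and creation time with process-creation logging (event 4688 or Sysmon) to find what created it.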

  • by zero_offset ( 200586 ) on Wednesday May 16, 2007 @11:42AM (#19146245) Homepage
    RTFA, the summary is incorrect. It doesn't exploit Windows Update.
