Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls allowing it to install malicious code on users PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."

Maybe we should call it...

[Cytlid]

...son of a BITS.

but does it support Vista?

[Gary W. Longsine]

Spammers and botmasters the world over want to know.

Re:but does it support Vista?

[jackharrer]

But does it run on Linux???

Typical Microsoft response

[Black Parrot]

From TFA:

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

That makes me feel so much safer.

Re:Typical Microsoft response

[Silver Sloth]

Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!

Re:Typical Microsoft response

[Ravnen]

I think the issue is that this can help malware to hide itself on a machine it's already infected, by using this BITS service to silently bypass policy settings. BITS itself runs with 'SYSTEM' privileges (the closest thing to 'root' there is on Windows), but I can't tell from the article if malware run by a normal user can hijack BITS, or if it has to be run by an administrator. In the first case, I'd consider it a security vulnerability, but not in the second.

Re:

[Anonymous Coward]

Would you like to hijack BITS? Cancel or Allow?

Re:Typical Microsoft response

[SparkyFlooner]

..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

Re:

[HTH NE1]

"Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

They call it ConunDRM.

Re:

[vertinox]

..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

Sure, but I think it would be more cost effective if they made the OS impossible to have a Trojan in the first place.

Here is my take... A 3rd party application should never... EVER be able to modify anything with the OS unless the user specifically jumps through hoops of fire to allow this. It should not be a cancel o

Re:

[Tridus]

You can set up a million hoops, clueless users who want to have flashing emoticons in their email (or whatever the current scams are) will still go through them.

There is no way to program around users that blindly say yes to every prompt. There is however a way to create users who blindly say yes to every prompt, and that is throwing a million prompts at them every time they want to update their video card driver.

Re:

[vertinox]

There is no way to program around users that blindly say yes to every prompt.

I'm not suggesting providing a prompt at all. If a program wants to modify the OS, it should not be given an option. It should not even prompt to run the password for an admin account. It simply should not be allowed.

If a user really wants to install it, they they need to run an application much like OS X's Net Info manager which they had to specially type in a string text to enable the root account.

(I would like to also point out

Re:

[ArhcAngel]

..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

That is one of the features for VISTA that got nixed during development.

Re:Typical Microsoft response

[Vancorps]

huh? I mean seriously, huh? What century are you in?

Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious and with Vista things are blatantly obvious when there is a system change as the Allow Cancel dialog pops up.

Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.

Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.

I'm curious what you think Administrator can't do on a Windows system as well, perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware which also isn't problem? Add in Powershell and I'm thoroughly confused as to what you think administrative users can't do.

Re:

[vertinox]

Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence.

But it isn't like this out of the box! There are millions of people who do not have the knowledge for the home computers and I dare say there are plenty of Network Admins who are clueless too.

Hence, this is why OS is designed improperly. It should be secure as soon as you install it... Not after tweaking it and locking it down.

This is why we have millions of zombies s

Re:

[ajs318]

Beh. At least it won't be spewing out adverts for fake pills and poorly-performing shares.

Re:

[ajs318]

Sorry, you failed it when you said "group policy". Who the hell actually uses that? It's used less often than a pay toilet in a forest, or a Slashdot user's rubber johnny.

Re:

[plover]

Who said they changed any system files? This particular exploit is simply piggybacking on the authority of an OS service, but it sure didn't have to change anything to make it work.

There are provisions in Windows for injecting a DLL into a currently running process (SetWindowsHookEx). The malware author could simply set the hook, which would inject code into this other process. He could then use the hook as a proxy to do his data communication without tripping the Windows Firewall. BITS is a good choi

Re:

[Ucklak]

I think you mean Tangents (http://imdb.com/title/tt0145529/)

Re:

[gazbo]

It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

When will Microsoft patch these vulnerabilities?!

Re:

[0racle]

I bet if you replaced Microsoft with Red Hat and BITS with any local root exploit you'd be saying how much more secure Linux is.

Re:Typical Microsoft response

[MillionthMonkey]

No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

Not that it would matter- I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage which I think fits the definition of a Trojan.

Re:

[Vancorps]

Cheers to that, I thought the same thing. In my company I have to authorize all the updates which get pushed to all the workstations so such a thing wouldn't work here even if it were possible. WGA is the sole reason I'm always careful come update day, I always have to make sure its not selected, I wish SMS had a hide forever feature like Automatic update does.

Re:

[zooblethorpe]

I'm just thankful that MS named it [WGA] properly and doesn't get really shady.

Just wait. I'm fully expecting some asshat there to decide that WGA should now be regarded (and renamed) as one of the many "critical system updates" that MS sends out, and blammo -- everyone's got it. New, Improved! It's Microsoft Clap(TM)!

Re:

[J0nne]

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to the attacker's repo's.

What do you want MS to do to stop this from being possible? If the user runs a random executable as root/a

Re:

[PitaBred]

But you'd have to get them to type "sudo" or supply their user password to run it. Windows? You double click on the attachment that says "Parits Hilton Bewbiez!", and click "Ok" on the warning, and you're hosed. Which one do you think is more likely to happen?

Re:

[J0nne]

That's not the point. Getting the original trojan installed is the difficult part. After it's installed it can do whatever it wants. Getting it installed on the system is easier on Windows than on Linux / OS X, but this article is about something that happens after the trojan was run, and that's something no OS can't protect you from.

What do you want MS to do? disallow even the administrator from writing to system files? The only thing that could protect you against stuff like that is "trusted computing", w

Re:

[gad_zuki!]

>That makes me feel so much safer.

It should. They are running a program with admin rights on a box, and we're supposed to be scared about what it can do to windows update? It can pretty much do anything its coded to do. Of course the slashdot blurb implies that someone has hacked wu.

Your machine has just been updated

[liledevil]

14 new virusses have just been installed
please restart your machine to become a zombie

Re:Your machine has just been updated

[thestudio_bob]

14 new virusses have just been installed
please restart your machine to become a zombie

Accept or Deny?

This will never get old...

Not one the the better MS Patents...

[ITMagic]

Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?

Correct link

[Random Walk]

Frank Boldewins site is http://www.reconstructer.org/ [reconstructer.org], not http://www.reconstruction.org/ [reconstruction.org].

Re:

[morgan_greywolf]

What's worse? A weird Christian page or one that consists only of Flash?!

The weird Christian page; unless you happen to be running Linux x64.

Re:

[PitaBred]

Install the 32bit Windows libraries, then the 64bit version of nswrapper, and wrap Flash with it. Flash on under 64bit, embedded directly in a 64bit browser, with no warnings or annoyances.

Makes perfect sense

[Megaweapon]

With a lot of people doing auto-updates might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often then their virus scanners anways.

Re:Makes perfect sense

[zero_offset]

RTFA, the summary is incorrect. It doesn't exploit Windows Update.

Security quiz linked from TFA

[AmIAnAi]

Linked off TFA is a quiz checking readers' knowledge of computer security issues. I just love the first answer for question 10:

What is a DDoS attack?

A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

That's one botnet I'd happily join

Re:

[Vexorian]

I want a recount, first of all how come knowing which platform the first virus ever invented targeted is any useful for my security knowledge?

Then the serious complaints:

Q: Windows is nagging you to update the operating system. What do you do?

Alleged correct answer: "Install the updates as soon as they become available" , wtf? What if I don't want any WGA trojan?

Q: You need to choose a password for the account you have set up at an online shop. What do you do?

The answer for most is "Pick one t

Windows is safe!

[Anonymous Coward]

Hi,
I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.

I just talked with my friends at Microsoft and they told me that

"Windows is safe!"

and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.

Maybe from above like the Lord does.

I rather go to church and pray to the Lord for less terrorists than being part in this smear campain against the blessed world leader of IT.

Bill and Melinda think of the children. Do YOU?

Re: Windows is safe!

[Black Parrot]

I rather go to church and pray to the Lord for less terrorists than being part in this smear campain against the blessed world leader of IT.

Surely it's not too much trouble to pray that your Windows box will be secure too, while you're at it.

Re:

[Anonymous Coward]

Well, He might be omnipotent enough to create logical fallacies and Creationists, but that doesn't mean He's powerful enough to fix Windows.

Re:

[PhxBlue]

Jerry, is that you??

A little overstated

[140Mandak262Jamuna]

Yes, it makes life a little easy for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff into the computer? Once the machine is compromised, it can use even ftp to download stuff. Dont blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.

Re:

[0123456]

"But all users whitelist their browsers in their firewall software to make outbound connections."

Speak for yourself. I have Zonealarm block every IE connection unless I specifically allow it... no way will I trust that piece of crap to go talking to random web sites without permission.

Re:

[140Mandak262Jamuna]

Well, have you whitelisted Firefox? Or do you click "allow" everytime you launch the browser? Looks like you are paranoid enough to avoid trojans. But if you do get such a malware, and if it uses Firefox to download more stuff, would you blame Firefox?

Re:

[mhall119]

Presumably even if you have Firefox whitelisted and a trojan uses it to download more malware, that malware can only be run with user permissions, not "System" permissions like BITS has. Therefore the amount of damage Firefox can do on a decently designed OS is limited to the damage a non-privileged user account can do, and no more.

Re:

[CerebusUS]

BITS doesn't do installs, it only does rate-limited transfers. Malware downloaded by BITS would still need higher-level privs to install into the system. All BITS does is avoid the "XXX program is trying to use the internet" message that windows throws up.

Re:

[jrumney]

My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

Re:

[140Mandak262Jamuna]

My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

But it is a conjecture or speculation on your part. It is possible that MSFT has given more privileges to BITS over other parts and a privelege escalation vulnerability could be found in future. But as of now, malware using windows downloader is no different from malware using firefox, Infernal Exploder or plain vanilla ftp.

WGA

[Anonymous Coward]

The good news is that it only installs the malware if you're running Genuine windows.

Manual updates at risk?

[Urban Garlic]

It sounds from the article (yes, I read it, no, I'm not new here...) like surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware right at that time.

If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm sur

Re:

[EvilGrin666]

If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

Manual downloads from Windows update use BITs. Check %SYSTEMROOT%\WindowsUpdate.log while doing an update if your curious.

Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download?

BITs runs as a service under the system account. It can do whatever it wants. However it needs to be woken up to do it, as it's default service state is set as 'Manual'.

Re:

[Applekid]

There's always Windiz Update [windizupdate.com].

Re:

[Copperhamster]

BITS is just yet another way of delivering software to your machine. It's supposed to allow you to download stuff like updates without hogging all your bandwidth. Works well on cable/dsl. Dial up or ISDN, not so much. There are other companies that use BITS for various other applications, for example Sony OE uses it when they are rolling out a big big patch in SW: Galaxies to roll parts of it out early, in theory while you are playing without impacting your game. Again, on Dial up or ISDN that doesn't work

click here

[gEvil (beta)]

Is your Windows Update not infected yet? Click here [127.0.0.1] to infect it!

Re:

[Tribbin]

You are right!

I clicked on the link and it redirected me to http://127.0.0.1/apache2-default/ [127.0.0.1] and the page confirms that it works!

Let me be the first to say...

[SadGeekHermit]

If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

Me, I'm relaxed and enjoying a soda.

Re:

[value_added]

If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

Ok, so I feel detached and amused, but I'm still left wondering why it is that Windows users always seem to have all the new neato features.

From Symantec's Malware Update with Windows Update [symantec.com]

It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth. It's a very nice component and if you consider

Re:

[Dragonslicer]

It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth

Is there anything else to say besides "Uhhhh...."?

Snort

[anss123]

I'm sitting here on Windows chuckling over so called geeks that don't understand the issue at hand. If a computer is compromised, then the software firewall can be disabled. The BITS stream that comes out of the comp can be emulated by software on Linux and Mac OS, to the same effect as Windows.

The "news" here is that there is software capable of doing this, not that it can't be done. True, BITS is a protocol created to work around firewalls, but it is hardly the only protocol engineered to do that.

Oh,

Re:

[SadGeekHermit]

UUUUUUUHHHHH, not so fast there, professor.

I understand the issue at hand perfectly. Microsoft uses the BITS protocol to manage Windows Update downloads and work around firewalls. A trojan that gets ahold of your windows system can use the BITS system to implement updates and installs of malware, thus making malware maintenance as convenient as Windows Update itself.

So, not only is your Windows box easy to hose because it's got so many critical vulnerabilities and Microsoft (not being open source) is the on

Re:

[Tridus]

No, it can't "use WINDOWS UPDATE ITSELF." For crying out loud, RTFA.

BITS is a service that can be told to download stuff. Windows Update uses it to download stuff. BITS can also be told to download other stuff. In this case, an already infected system uses it to download more infections, rather then say creating a HTTP connection itself.

Re:

[SadGeekHermit]

Oh, pardon me ALL OVER THE PLACE (said in my best Robert Mitchum impersonation).

BITS is a piece of Windows Update (it's the system Microsoft built to let Windows Update get past your firewall).

Therefore...

using BITS is like using Windows Update. Or at least part of it. And it makes life easier for spyware authors.

Nyah, nyah! Pbbbbbbbbbt!

It should be possible to delete your own posts

[anss123]

It should be possible to delete your own posts, or at least moderate them down. I apologize for losing my cool.

I just wanted to say it amuses me when people get emotional over operation systems. This is true for both Windows and non-windows users alike; I recall several Winlots being on cloud 9 when that Mac scripting error deleted a bunch of files.

I'm probably also guilty of being amused by others misery at one time or another.

Re:

[SadGeekHermit]

I don't get emotional over operating systems. Except for one specific situation. It's a funny story, so what the hell, I'll tell it to you.

My mother used to use a Compaq with Windows installed. Despite her running Norton Internet Security, it would periodically get utterly FUBAR by viruses, trojans, crapware... I found myself reinstalling the whole damn box a few times a month. I couldn't go NEAR their house without having to spend a few hours fixing their computer.

Finally I got fed up and heckled her into

Overblown

[MrNonchalant]

It should be pointed out that malicious code needs to already be running on the host machine to use this.

Can you safely disable BITS?

[guanxi]

I've considered disabling the BITS service before (i.e, via services.msc), especially since I usually run Windows Update manually. But I read hints that it may break other applications, including from Microsoft's documenation [microsoft.com]:

You should not set the Startup Type to Disabled. Disabling BITS may break applications, such as Windows Update, that rely on BITS to transfer files.

However, I've never found anything more specific -- does anyone know the consequences of disabling BITS?

Re:

[figleaf]

Why don't you also go ahead and disable HTTP also. Surely malware can also use HTTP.

Re:

[guanxi]

To partly answer my own question, here's a pretty good analysis of BITS:

        http://www.firewallleaktester.com/news.htm#57 [firewallleaktester.com]

Re:

[dknj]

no let me stop this stupid flow of ideas. you can stop or disable BITS, but it won't do you any good. the malware must be installed first to take advantage of it, so unless you actually remote BITS from your system (not likely) malware can just contact the service control manager and reenable the bits service (run sc from the command prompt or read up on WMI if you want to learn more about controlling services from scripts/batch files).

of course the malware could also just use your favorite networking sta

Re:

[guanxi]

I'm considering disabling BITS not because of this attack -- as I said, I considered it before. BITS is an obvious vector for attacks. The benefits of disabling it are probably not large, but it's cheap and easy to implement -- the question is, what other costs are there, in terms of compatibility, etc.

No matter how you secure your computer, there are ways around it. All you can do is make it more difficult for the attacker.

Re:

[jaavaaguru]

There's a simple wizard that helps you get rid of BITS. You can download it here [cutlersoftware.com]

Nice work! A program to infect an already ...

[figleaf]

...infected machine!! Man who knew that would be even possible?

and yet...

[dAzED1]

and yet, people still believe this crap [slashdot.org] - that MS is only hit far more often per install because it's a more tempting target due to numbers alone, not lack of security as part of the design process.

Eh. What can ya do.

Re:and yet...

[drinkypoo]

How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

Re:

[dAzED1]

I challenge you to write something that will install itself as part of my average web surfing, daily computer use experience, and will then change how other layers operate.

Unless you're saying you use your debian box logged in as root to surf and do work?

Re:

[drinkypoo]

I challenge you to write something that will install itself as part of my average web surfing, daily computer use experience, and will then change how other layers operate.

There have been numerous examples of local privilege escalation exploits on OpenBSD, let alone Debian.

Could I do it? Probably not. I'm not much of a programmer. Could people who regularly write malware do it? Probably.

Unless you're saying you use your debian box logged in as root to surf and do work?

No. I do it with Windows of course

Re:

[Chris Burke]

Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit!

That's the thing the article doesn't make clear: Does this exploit require that the trojan be executed with admin privileges, or can it get the necessary privileges from a standard user account?

If the former, then clearly this isn't MS' fault at all. Got Root? Got Pwned. If the latter, then it's a local privilege escalation bug that is MS' fault. It may still requir

Re:

[ajs318]

Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

Oh, wait, that's bollocks. And so is your argument.

Re:

[dAzED1]

maybe you're not aware of this, so I'll let you know. apache isn't an operating system - it's a web server. In fact, it's a web server that will run on almost all the operating systems out there. Linux, Solaris, Windows, OS/X, HPUX...on and on.

Just letting you know to be helpful.

Re:

[ajs318]

Apache isn't even a web server, it's a software company. Apache HTTPD is a web server (it stands for HTTP Daemon).

Just letting you know to be helpful.

The question left unanswered is: Is it generally easier or harder to make an exploit at the application level, as compared to the OS level? And, once we take this into account, how does the Apache HTTPD application monoculture then compare with the Windows OS monoculture?

Re:

[dAzED1]

I'm waiting for your point here. I state that the OSs have differences in how they view security, and that, more than number of installs, is why it is hacked. You then make some odd, unreleated statement about apache httpd, and say my claim is wrong. Now you're splitting hairs about apache, when ya know...I've been around long enough such that I still call the damn thing apache. Sorry. I call Tomcat Tomcat as well, not the Apache Tomcat partial java servelet engine, or whatever.

So I suppose my question

Microsoft's Makes a Buck, However

[VE3OGG]

Dear Sirs,

Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, included patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).

Thank You

Kindly,

The MS Legal Eagles

Story is innacurate

[FooHentai]

Its not really Windows Update that's being used in this exploit, its the Background Intelligent Transfer Service which, in a nutshell, is a service that downdaloads data to your PC while minimising disruption to other network activity i.e. surfing the net, gaming, or downloading other files. Its a built-in feature of Windows XP but has only been implemented once or twice.

Windows update makes use of the BITS service. Malware can make use of the BITS service. Its not logical to then say that Malware is exploiting Windows update. Any more than an attack that utilised Java would be exploiting Azureus (A java application).

The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.

Re:

[ajs318]

The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net.

And this is what's wrong with Windows' security model.

Firewalls shouldn't be caring about which programs want access to the outside world. Firewalls should be caring about which bit of the outside wor

Re:

[element-o.p.]

...a service that downdaloads data to your PC...

Aw, man...now I've got Windows envy. I wish my Linux PC could downdaload data! (sorry, I couldn't resist!) :)

I've always been curious...

[Belial6]

I've always been curious (not enough to do the research I guess) what kind of security the windows update does to prevent someone from using control of DNS and or routers to get windows update to install malware. Given that people often use DNS and routers that the cannot really trust, is there something that prevents a bad guy from just redirecting all traffic that is attempting to hit MS's update site to their their own server that is set up to look like it is MS's update site? Given how many people have their laptops set up to do automatic updates, I would think that it would be easy to just take a loptop to a coffee shop, and watch as other patrons 'update' from your access point.

Re:

[SEMW]

Wouldn't you either need to either hack into their ISP's DNS servers and change Windowsupdate.com to redirect to your site, or else get into the target PC and change their default DNS server from their ISP to a box you've set up? The former would be nigh-on impossible, and if you've done the latter you've already compromised the PC; so why bother fiddling about with Windowsupdate?

Had Enough

[Nom du Keyboard]

I've had more than enough with malware writers. They are absolutely useless to polite society. 10 years in jail and a life-time ban against ever touching another computer on the first conviction.

Completely misleading

[cooldev]

BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwith. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708. aspx [microsoft.com], and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not Hijacking Windows Update. They're using a generic well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.

Windows Firewall model suxors

[JohnQPublic]

The problem isn't BITS. The problem is the idea that BITS is "trusted". Should you trust every FTP server your computer connects to? Every HTTP server? Of course not. Then why BITS?

The Windows firewall model of "trust this program" is inherently incorrect, and that's the real source of this issue. I really hate to say it, but Internet Explorer gets this right - programs aren't trusted, places you can connect to are trusted.

Re:

[account_deleted]

Comment removed based on user account deletion

No worries

[Ilgaz]

MSFT will sue the spyware authors for breaching Microsoft patented technology.

More Symantec Baloney

[ThinkFr33ly]

Singling out "BITS" is stupid. The exact same thing can be done with virtually any service or application that is allowed to pass through the local outgoing software firewall. As long as the software has some kind of programmatic interface, it can easily be used to bypass these firewalls.

I wrote a proof of concept application that bypassed all of the major outgoing software firewalls (BlackIce, Zonealarm, McAfee, Symantec) by utilizing the COM interfaces for Internet Explorer and funneling all my requests through it. This is almost impossible to detect. Even better, I wrote this app in freakin' VB!

The real problem is that local outgoing software firewalls simply don't work in an environment where all the users are admin. Once the machine is compromised, it's compromised. No number of software defenses are going to help. This includes, by the way, Symantec's expensive and incredibly crappy products. These products are there to make users feel secure, not actually make them secure.

Remember WordMasters from grade school? You know, the analogy test they used to give every once in a while. Here is an analogy for you:

Symantec is to computer security as the Bush Administration is to homeland security.

They do their best to scare the crap out of people in an attempt to get them to buy their software... or vote for their party. Don't trust either of them and you'll be better off.

"Flamebait"?

[SEMW]

I don't know why the parent has been modded flamebait; s/he makes an excellent point; especially about Symantec.

Mcaffee do it to -- have a look at http://www.avertlabs.com/research/blog/?p=218#com m ent-32657 [avertlabs.com], an explot that gives an attacker "full access to the system". A little lower down, it is noted that the attack "requires... administrator [privileges]", but goes on to say that "a determined attacker can always find workarounds". WTF??? It's an attack the purpose of which is to malware running wi

Re:

[ThinkFr33ly]

It was modded as flamebait because of my Bush Administration comment, I'm sure.

Really, it was flamebait I guess... but my other points are valid regardless of my unnecessary, but imho funny (and accurate), political analogy.

Re:

[plover]

. . . why didn't this happen before? Did it happen before and just now somebody found out?

Well, that's exactly the problem with undisclosed vulnerabilities. You never know if someone has used them before or not. At least publishing a vulnerability will make sure that if someone was exploiting it, they'll be out of business once it's patched.

Re:

[zero_offset]

RTFA. It doesn't exploit Windows Update.

First you install a trojan. Then the trojan uses a background FTP process (which is also used by Windows Update) to download additional malware -- but your machine is already compromised at that point.

Re:

[Jessta]

Note: if you have malware installed on your computer with administrator privileges you can't trust your software firewall. You can't trust your anti-virus. You can't trust your OS installation at all.

Yes, you can.

[DrYak]

if you have malware installed on your computer with administrator privileges [...] You can't trust your OS installation at all.

No, I don't agree.
No matter what, buggy drivers, compromised machine, spilled coffee, you can always count on your trustworthy old friend, mister Blue-Screen©® !