Slashdot Mirror


Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls, allowing it to install malicious code on users' PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."

209 comments

  1. Maybe we should call it... by Cytlid · · Score: 5, Funny

    ...son of a BITS.

    --
    FLR
  2. Typical Microsoft response by Black+Parrot · · Score: 5, Funny
    From TFA:

    However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

    That makes me feel so much safer.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Typical Microsoft response by Silver+Sloth · · Score: 4, Informative

      Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

      However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!

      --
      init 11 - for when you need that edge.
    2. Re:Typical Microsoft response by SparkyFlooner · · Score: 4, Funny

      ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

    3. Re:Typical Microsoft response by gazbo · · Score: 3, Insightful
      It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

      When will Microsoft patch these vulnerabilities?!

    4. Re:Typical Microsoft response by 0racle · · Score: 1

      I bet if you replaced Microsoft with Red Hat and BITS with any local root exploit you'd be saying how much more secure Linux is.

      --
      "I use a Mac because I'm just better than you are."
    5. Re:Typical Microsoft response by MillionthMonkey · · Score: 4, Insightful

      No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

      Not that it would matter - I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage, which I think fits the definition of a Trojan.

    6. Re:Typical Microsoft response by Kynmore · · Score: 1, Funny

      Except for the time travel part, I wonder how far off we are from seeing corporate SWAT teams go in for the kill on people who fux up their products, steal insider info, etc. Rise of the Megacorps!

    7. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      Oh, you mean like Time Runner (http://imdb.com/title/tt0108342/)

      Or perhaps The Time Guardian (http://imdb.com/title/tt0094152/)

    8. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      That sounds about right.

    9. Re:Typical Microsoft response by J0nne · · Score: 2, Insightful

      However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

      Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to point at the attacker's repos.

      What do you want MS to do to stop this from being possible? If the user runs a random executable as root/admin that modifies the system, he's screwed on any OS. If the executable got onto the system through a security hole, that hole should be plugged.

      I don't like MS either, but cut them some slack here...
    10. Re:Typical Microsoft response by Ravnen · · Score: 3, Interesting

      I think the issue is that this can help malware to hide itself on a machine it's already infected, by using this BITS service to silently bypass policy settings. BITS itself runs with 'SYSTEM' privileges (the closest thing to 'root' there is on Windows), but I can't tell from the article if malware run by a normal user can hijack BITS, or if it has to be run by an administrator. In the first case, I'd consider it a security vulnerability, but not in the second.

    11. Re:Typical Microsoft response by HTH+NE1 · · Score: 2, Funny

      "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future." They call it ConunDRM.
      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    12. Re:Typical Microsoft response by Phu5ion · · Score: 0, Redundant

      Yet another "what should their response have been" reply.

      MS spokesperson: We have a workaround. Go download and install Linux today!

      --
      Slashdot is kind of like Playboy; we aren't here to read the articles.
    13. Re:Typical Microsoft response by Vancorps · · Score: 5, Insightful

      huh? I mean seriously, huh? What century are you in?

      With Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware; system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious, and with Vista things are blatantly obvious when there is a system change, as the Allow/Cancel dialog pops up.

      Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.

      Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.

      I'm curious what you think Administrator can't do on a Windows system as well; perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware, which also isn't a problem? Add in PowerShell and I'm thoroughly confused as to what you think administrative users can't do.

    14. Re:Typical Microsoft response by Vancorps · · Score: 1

      Cheers to that, I thought the same thing. In my company I have to authorize all the updates which get pushed to all the workstations, so such a thing wouldn't work here even if it were possible. WGA is the sole reason I'm always careful come update day; I always have to make sure it's not selected. I wish SMS had a hide-forever feature like Automatic Update does.

    15. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      Don't blame users. It's the Windows operating system's design that's at fault here.

    16. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      In Windows land, 98% of users are Admin. Nobody has even heard of group policies unless they read some clever OS trick on a popular site. I don't say they are fools, they are just normal users.

      The obvious way would be forcing the user to use their computer as non-admin, and giving easy/practical access to that specific setting. It is not very obvious if you tell a user to make their own group access policy on a home computer. These people barely checked their disk unless they were instructed to do so.

      Let me tell you the hard way. Get rid of FAT support on Windows, which is the root of the entire USB stick problem. Force users to use NTFS, which has a clue about user rights. Give them hell if they keep using that junk. Let me give an example: Apple refuses to index FAT-formatted drives via the Spotlight engine. Obviously they don't want to endanger their users' private data on a filesystem which should already have gone away with floppies. At least they don't want to be part of the problem. I don't claim NTFS or HFS+ or anything else than FAT is perfectly secure; I am saying at least they aren't that easy to steal data from.

      They won't remove FAT anytime soon since even high-end cameras come with... FAT-formatted memory! Yes, professionals keep their expensive data on non-journaled, impossible-to-fix, zero-security storage thanks to camera/memory vendors. They also pay $$$ to Microsoft for that junk! Every single USB stick sold is another FAT.

      Who forced them this time? Ext2 or even the HFS+ filesystem are open, along with source. Who forced the large USB key vendors? I'd trade FAT for NTFS anytime, even on OS X.

    17. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."


      Yeah, so they can inflict a little bit of Van Dammage!

      Just hope Frank Zito doesn't show up on behalf of the malware guys though...
    18. Re:Typical Microsoft response by vertinox · · Score: 1

      ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

      Sure, but I think it would be more cost effective if they made the OS impossible to have a Trojan in the first place.

      Here is my take... A 3rd party application should never... EVER be able to modify anything in the OS unless the user specifically jumps through hoops of fire to allow this. It should not be a cancel-or-allow type of thing; you should specifically have to go and enable a root account and click through at least two prompts, one requiring an admin account password. A 3rd party program should not be able to call this feature automatically; it must be initiated by user action.

      The maximum amount of damage any program should be allowed to do is delete your home directory.

      The problem here is that this program, if it does get run on someone's computer, has the ability to attack the OS (or get the OS to do something automatically without user intervention), which IMO is a big no-no for OS design.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    19. Re:Typical Microsoft response by Ornedan · · Score: 1

      Though I do agree that FAT should be ditched, your argument about other filesystems being inherently more secure is false. The data is no more encrypted by using EXT or NTFS than it is by using FAT. About the only added complication I can see is that the attacker might in some cases need root on the box they use to read the disk - depending on whether the driver used respects access control bits.

    20. Re:Typical Microsoft response by Ucklak · · Score: 1

      I think you mean Tangents (http://imdb.com/title/tt0145529/)

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    21. Re:Typical Microsoft response by O'Suilleabhain · · Score: 1

      ""..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future." "" That may be a less expensive solution...

    22. Re:Typical Microsoft response by plover · · Score: 1
      Who said they changed any system files? This particular exploit is simply piggybacking on the authority of an OS service, but it sure didn't have to change anything to make it work.

      There are provisions in Windows for injecting a DLL into a currently running process (SetWindowsHookEx). The malware author could simply set the hook, which would inject code into this other process. He could then use the hook as a proxy to do his data communication without tripping the Windows Firewall. BITS is a good choice because anyone getting updates already has a hole poked in their firewall for it.

      --
      John
    23. Re:Typical Microsoft response by Tridus · · Score: 2, Insightful

      You can set up a million hoops, clueless users who want to have flashing emoticons in their email (or whatever the current scams are) will still go through them.

      There is no way to program around users that blindly say yes to every prompt. There is however a way to create users who blindly say yes to every prompt, and that is throwing a million prompts at them every time they want to update their video card driver.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    24. Re:Typical Microsoft response by vertinox · · Score: 1

      Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence.

      But it isn't like this out of the box! There are millions of people who do not have the knowledge for their home computers, and I dare say there are plenty of Network Admins who are clueless too.

      Hence, this is why the OS is designed improperly. It should be secure as soon as you install it... Not after tweaking it and locking it down.

      This is why we have millions of zombies sending you and me spam on a daily basis. An OS should be locked down by default and then users should unlock features they need.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    25. Re:Typical Microsoft response by PitaBred · · Score: 1

      But you'd have to get them to type "sudo" or supply their user password to run it. Windows? You double click on the attachment that says "Parits Hilton Bewbiez!", and click "Ok" on the warning, and you're hosed. Which one do you think is more likely to happen?

    26. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      The maximum amount of damage any program should be allowed to do is delete your home directory.

      For many people, losing their data is a lot worse than having to reinstall the OS.
    27. Re:Typical Microsoft response by SparkyFlooner · · Score: 1

      If they don't have the knowledge to lock it down, they won't have the knowledge to unlock it, either.

    28. Re:Typical Microsoft response by vertinox · · Score: 1

      There is no way to program around users that blindly say yes to every prompt.

      I'm not suggesting providing a prompt at all. If a program wants to modify the OS, it should not be given an option. It should not even prompt for the password of an admin account. It simply should not be allowed.

      If a user really wants to install it, then they need to run an application much like OS X's NetInfo Manager, where they had to specially type in a text string to enable the root account.

      (I would like to also point out that OS X does allow programs and installation packages to modify the OS without root, which is a flaw as well... It will require a password from you, but I personally disagree with this policy as well, and I'm surprised we haven't seen more OS X viruses.)

      I just feel that the OS should remain the same regardless of what is going on or being installed, and the applications should change to work with it... Not the other way around.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    29. Re:Typical Microsoft response by J0nne · · Score: 1

      That's not the point. Getting the original trojan installed is the difficult part. After it's installed it can do whatever it wants. Getting it installed on the system is easier on Windows than on Linux / OS X, but this article is about something that happens after the trojan was run, and that's something no OS can protect you from.

      What do you want MS to do? disallow even the administrator from writing to system files? The only thing that could protect you against stuff like that is "trusted computing", which means your computer isn't yours any more.

    30. Re:Typical Microsoft response by amohat · · Score: 1

      WGA will not hide forever...it will pop back up even after you tell it not to. Eternal vigilance is needed. I'm just thankful that MS named it properly and doesn't get really shady.

    31. Re:Typical Microsoft response by ajs318 · · Score: 1

      Sorry, you failed it when you said "group policy". Who the hell actually uses that? It's used less often than a pay toilet in a forest, or a Slashdot user's rubber johnny.

      --
      Je fume. Tu fumes. Nous fûmes!
    32. Re:Typical Microsoft response by ajs318 · · Score: 1

      Beh. At least it won't be spewing out adverts for fake pills and poorly-performing shares.

      --
      Je fume. Tu fumes. Nous fûmes!
    33. Re:Typical Microsoft response by Anonymous Coward · · Score: 3, Funny

      Would you like to hijack BITS? Cancel or Allow?

    34. Re:Typical Microsoft response by ArhcAngel · · Score: 1

      ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

      That is one of the features for VISTA that got nixed during development.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    35. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      But you'd have to get them to type "sudo" or supply their user password to run it. Windows?

      Or you could just install in the user's home directory and wait until the user invokes sudo. After that you could invoke sudo yourself without the user seeing it, since, by default, Ubuntu is configured to cache the password for fifteen minutes after sudo is invoked.
    36. Re:Typical Microsoft response by SparkyFlooner · · Score: 1

      Don't get me wrong, I'm with you. I like the idea of an OS being locked down on install and let me start only the services I need. But I'm a developer, so I'm familiar with computer management. But a lot of people are reluctant to change things in the OS for fear of breaking something and not knowing how to get the computer back to the way it was before. Microsoft has to cater to these users. So I install windows and go about securing it and then get on with my life.

    37. Re:Typical Microsoft response by zooblethorpe · · Score: 1

      I'm just thankful that MS named it [WGA] properly and doesn't get really shady.

      Just wait. I'm fully expecting some asshat there to decide that WGA should now be regarded (and renamed) as one of the many "critical system updates" that MS sends out, and blammo -- everyone's got it. New, Improved! It's Microsoft Clap(TM)!

      --
      "What in the name of Fats Waller is that?"
      "A four-foot prune."
    38. Re:Typical Microsoft response by gad_zuki! · · Score: 1

      >That makes me feel so much safer.

      It should. They are running a program with admin rights on a box, and we're supposed to be scared about what it can do to Windows Update? It can pretty much do anything it's coded to do. Of course the Slashdot blurb implies that someone has hacked WU.

    39. Re:Typical Microsoft response by lenester · · Score: 1

      If a user really wants to install it, they they need to run an application much like OS X's Net Info manager which they had to specially type in a string text to enable the root account.

      This is a great way to get everyone to buy the competitor's OS because yours is "too inconvenient."

    40. Re:Typical Microsoft response by cheater512 · · Score: 1

      You're giving examples of Windows security, but they mean nothing in the real world.

      Read only flash disks? Meh. A virus can still jump across and screw up the entire network.

      Completely useless 'security'.

    41. Re:Typical Microsoft response by pe1chl · · Score: 1

      BITS will download files for any user, but it will only download files to directories writable for the user making the request.
      So, a normal user won't be able to download files into the system32 directory.

      Not that it will make any difference, as the average Windows user probably is working as an Administrator all the time.
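
The BITS angle the thread keeps coming back to (a trojan queues a download through the BITS service so the traffic comes from svchost.exe, which the host firewall already trusts, and the file lands wherever the job's owner can write) is visible from the defender's side, because BITS keeps every job in a persistent queue that an administrator can enumerate. The script below is an added example, not code from the thread or from Microsoft, and it assumes a box with the BitsTransfer PowerShell module (Windows 7 / Server 2008 R2 or later) and an elevated session, which -AllUsers requires. The allow-list of update hosts and the "scratch directory" heuristic are illustrative assumptions, not an authoritative list.

```powershell
# Added example (not from the original thread): enumerate every BITS job on the
# machine, including other users' jobs, and flag the ones a malware author would
# create: a transfer whose remote host is not an allow-listed update source,
# whose local destination is a user-writable scratch directory, or that carries a
# NotifyCmdLine (a command BITS runs for the job owner when the transfer finishes).
# Assumptions: elevated session; allow-list and scratch-dir heuristics are illustrative.
Import-Module BitsTransfer

$allowedHosts = @('windowsupdate.com', 'update.microsoft.com', 'download.windowsupdate.com')
$scratchDirs  = @($env:TEMP, $env:LOCALAPPDATA, $env:PUBLIC)

function Test-AllowedHost {
    param([string]$Url)
    # BITS also accepts UNC paths, which [System.Uri] may reject: treat those as not allow-listed
    try { $h = ([System.Uri]$Url).Host.ToLowerInvariant() } catch { return $false }
    foreach ($a in $allowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($f in $job.FileList) {
        $reasons = @()
        if (-not (Test-AllowedHost $f.RemoteName)) { $reasons += 'remote host not in allow-list' }
        foreach ($d in $scratchDirs) {
            if ($d -and $f.LocalName -like "$d\*") { $reasons += "writes into $d"; break }
        }
        if ($job.NotifyCmdLine) { $reasons += 'has NotifyCmdLine (runs a command on completion)' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Remote  = $f.RemoteName
                Local   = $f.LocalName
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious BITS jobs found.' }
```

On the XP-era machines this story was written about, the same queue is visible with `bitsadmin /list /allusers /verbose`, and a flagged job can be removed with `bitsadmin /cancel <JobId>` (or `Remove-BitsTransfer` where the module exists). The pe1chl point above matters for triage: the job is created under the requesting user's token, so the Owner column tells you which account the trojan was running as, and a job owned by a non-admin user cannot have written into system32.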

    42. Re:Typical Microsoft response by Vancorps · · Score: 1

      Fine, apply one of thousands of custom security templates that Microsoft has on their site, makes it just a double click, accept, reboot.

    43. Re:Typical Microsoft response by pe1chl · · Score: 1

      That has already happened!
      When you install Windows XP, and visit Windows Update, it will first download and install the ActiveX stuff (as before), and then it will tell you that "Windows Update has improved blah blah blah" and it offers WGA for installation. There is no way to remove it, cancel around it, or whatever and still be able to install the critical updates.

      The only thing you can still do is enable automatic updates and wait for them to be downloaded and offered for install, then you can skip the WGA when you are careful.

    44. Re:Typical Microsoft response by Vancorps · · Score: 1

      I already agreed that it was designed improperly, just the items mentioned by the parent were completely false. With that said Microsoft does provide security templates on their website that anyone can download and easily apply to their computers. Microsoft's install-base is far too large to lock down every feature otherwise new installs would piss people off more than they already do because they have to re-enable file sharing, rpc, remote desktop and whatever other services that would be handy for even a home user.

      It's always been the biggest complaint I receive about Linux distros: you have to go through an enablement process before you can plug in your scanner or your brand new printer or webcam. Distros like Ubuntu have made great progress on this front, but they are coming at it from the opposite end from Microsoft. Both camps are heading to the same location, where it "Just Works" and is safe.

    45. Re:Typical Microsoft response by Vancorps · · Score: 1

      If my security policy disables the ability for the user to execute anything but the trusted apps I have on their machines, which I can manage and monitor in real time via SMS/MOM, then no virus or trojan is going to jump anywhere because it will never have a chance to execute. The mechanisms are there; they are no more hidden than a config file in a Linux distro. I was also not giving examples of Windows security, I was stating how false the parent's claim was that you couldn't do it.

      The focus these days is turning that functionality into practical application, something easy enough that home users can manage it themselves. That's what Microsoft is trying to do with the Cancel Allow crap.

    46. Re:Typical Microsoft response by dave562 · · Score: 1
      Sorry, you failed it when you said "group policy". Who the hell actually uses that?

      Anybody who knows anything about administrating a Windows network uses Group Policy. Hell, you can even run a local policy on the workstation even if it isn't connected to a domain controller.

    47. Re:Typical Microsoft response by ajs318 · · Score: 1

      Yeah, sorry, wrong threat -- read-only is just to prevent anyone or anything from snarfing your data. Read-only and non-executable would be much better (barring a deliberate act on the user's part, something would have to copy it and execute the copy, which implies your system would already need to be compromised in order to get compromised that way).

      --
      Je fume. Tu fumes. Nous fûmes!
    48. Re:Typical Microsoft response by Glytch · · Score: 1

      >Read only flash disks? Meh. A virus can still jump across and screw up the entire network.

      In all seriousness, you're right, but... maybe we should be using write-only flash disks?

    49. Re:Typical Microsoft response by kcarlin · · Score: 1

      Ran across that last week building a new XP box. But the customer requires it, so I have been assimilated.

      The prompt box said that I had to accept the WGA update to complete the Windows install, the license in the box said that by clicking I was attesting to my free and uncoerced acceptance of the wonderful benefits of WGA. And when I got compromised while still setting up and had to start over, I had to spend fifteen minutes on the phone to tell a live Microsoft rep that I was installing on only one box to get an activation code to turn off Microsoft's ticking self-destruct sequence. Having just shelled out over half a grand for their products, being run through the renowned Microsoft Customer Contempt, Revulsion, and Aggravation Process (CCRAP) was especially gratifying.

      The only bright side is that the box will be used to port customer requirements from Windows to other platforms.

      --
      Free Adam Smith! (Or best offer.)
    50. Re:Typical Microsoft response by pe1chl · · Score: 1

      Fortunately we have a site license so WGA is just happy and activation is not required.
      But still, I don't like the way we have to jump through hoops only to prove that we are not pirates.

      (IMHO, Microsoft are fully right that they service only paying customers. Windows is a commercial product, and those who do not want to pay for it can choose Linux or another alternative. I don't mind that they try to keep the pirates out. However, the WGA is mainly a disadvantage for paying customers, and no hindrance at all for pirates)

    51. Re:Typical Microsoft response by cheater512 · · Score: 1

      If my security policy disables the ability for the user to execute anything but the trusted apps I have on their machines

      Yeah my old school tried that one. So goddamn easy to bypass.
      Took us a week or two to find half a dozen ways to get around it. The admins eventually gave up.

    52. Re:Typical Microsoft response by dbIII · · Score: 1

      thoroughly confused as to what you think administrative users can't do.

      They can't modify the registry once some trojan changes some things in there and runs itself again on reboot. Anyone know of a good offline registry editor that can run from a bootable CD to fix stuff for those idiots that do not have install media or backups, where wipe and reinstall is not an option after their machine has been compromised?

    53. Re:Typical Microsoft response by Nefarious+Wheel · · Score: 1
      That is one of the features for VISTA that got nixed during development

      The problem was coming up with a palindromic EULA that didn't require pentagrams on the floor.

      --
      Do not mock my vision of impractical footwear
    54. Re:Typical Microsoft response by Vancorps · · Score: 1

      If you're talking about Fortres or Deepfreeze then you are correct, I'm talking about the integrated Microsoft approach which is far more difficult considering, if you replace a trusted exe then MOM will instantly alert me and SMS will push out a new copy of the trusted executable. I've yet to see someone break it. I'm sure its not impossible but its not as easy as you make it sound. I can make it even more difficult through the use of Tripwire but I only deploy that on extremely critical servers.

    55. Re:Typical Microsoft response by PitaBred · · Score: 1

      Yes, getting the original trojan installed is the difficult part. I'm just saying it's an order of magnitude MORE difficult for that initial step to happen on Ubuntu than it is on Windows.

    56. Re:Typical Microsoft response by cheater512 · · Score: 1

      Nope. This was using Active Directory.

      You'll find that it will only stop programs from being executed the usual way (e.g. Run, Explorer, Shortcuts, etc...). There are other ways to execute a program.

    57. Re:Typical Microsoft response by Ant+P. · · Score: 1

      Maybe they should steal a few ideas from SELinux then, since it can block exactly that sort of stuff.

    58. Re:Typical Microsoft response by Vancorps · · Score: 1

      That is not possible as nothing in Active Directory decides that. I'm talking about DEP which I've never seen an exploit for to date. When you have SMS and MOM in your network you have a considerable amount of control over the desktop. The list of supported software is stored on the central database and would be very difficult for any malware to modify the list to support additional software. Not impossible, but I would say highly unlikely.

    59. Re:Typical Microsoft response by Anonymous Coward · · Score: 0

      There is a way around the forced WGA install after upgrading to the new autoupdate ActiveX crap... use a proxy and rewrite the page. It'll allow you to stop the WGA download and bypass the error afterwards, and continue to install other updates.

    60. Re:Typical Microsoft response by Bungie · · Score: 1

      I think you're thinking of the usual Explorer policies being applied to the system. In that case you can still of course use CMD or sometimes even the Microsoft Common Dialog to open applications. But the method that the parent post was talking about actually does restrict those methods from working as easily.

      --
      The clash of honour calls, to stand when others fall.
    61. Re:Typical Microsoft response by Bungie · · Score: 1

      Try making a PE disc with Bart PE. It will allow you to make a bootable Windows disc that has an offline registry editor.

      --
      The clash of honour calls, to stand when others fall.
    62. Re:Typical Microsoft response by Bungie · · Score: 1

      Whoops!! Sorry! Grabbed the wrong link to the PE builder. This is the correct one.

      --
      The clash of honour calls, to stand when others fall.
    63. Re:Typical Microsoft response by Meski · · Score: 1

      Trusted Applications. These are the same "trusted applications" that every week, get this kind of bulletin "This vulnerability could allow an attacker to gain complete control over a [insert your Windows version here] system." from Microsoft. And those are the ones that Microsoft and others publicize. So you take control, get it to run something like regedit, set permissions for "system" to deny write/delete for the policies section of the registry. Group policies can no longer get written out to this machine. Turn on a software firewall and block the machine that pushes out new copies.

    64. Re:Typical Microsoft response by dbIII · · Score: 1

      I did that six months ago and chose a lot of options for a few builds, but no offline registry editor. Any idea which program you include on it to do this task? Nuke and reinstall is the only way to be sure, but all my friends that are Windows advocates are both blatant pirates (no install media) and unable to fix these problems themselves.

    65. Re:Typical Microsoft response by gazbo · · Score: 1

      What - some sort of system that would let the user decide whether to cancel or allow the action? Intriguing...

    66. Re:Typical Microsoft response by Vancorps · · Score: 1

      MOM would detect that configuration change, SMS would change it back and force a reboot before anything could be done. Even if you changed the permissions on the registry the current group policy still applies, so regardless the attacker would have to reboot the machine, at which point SMS would pull the configuration. Last I checked those vulnerabilities only applied to opening untrusted documents on a trusted machine. So if you were going with a whitelist for management, which in my mind is far too restrictive, then you wouldn't even be able to run regedit, as only SMS is allowed to modify the registry, or administrators of course.

      I could be wrong but I haven't found any privilege escalation problems with Word 2003/2007, all the security bulletins are for opening documents which the user shouldn't have had access to in the first place. Security is difficult to maintain, but not impossible given enough resources. The same holds true for all the Linux distros out there. It's a universal, local privilege escalation is an issue in every environment, even OpenBSD.

    67. Re:Typical Microsoft response by Bungie · · Score: 1

      You should just be able to do it from the copy of RegEdit they include in the BartPE boot disk. When you open it you can choose 'Open Hive' from the File menu and browse to the registry files (C:\Windows\system32\Config) and load them into the editor. You need to give them unique hive names in the editor, but they should work as usual.

      --
      The clash of honour calls, to stand when others fall.
    68. Re:Typical Microsoft response by Meski · · Score: 1

      The group policy still applies til you reboot, true. You reboot, SMS *tries* to change it, but gets access denied because the account that it runs as, SYSTEM, is denied access. Denied takes priority over grant. I've tried it, I *know* it works.

    69. Re:Typical Microsoft response by Vancorps · · Score: 1

      How are you planning on changing the permissions in the first place? It's a moot point regardless as the MOM agent will detect the machine is out of compliance and alert me allowing me to visit the machine.

      Denying access to a tool like regedit would be a pretty basic first step towards securing a desktop, a no brainer. Fortunately it's not a machine policy but a user policy so as admin I can login and still have my full functionality unlike traditional group policy restrictions. Even if the user had access to regedit they wouldn't have the ability to look at the portions of the tree that affect group policy so I still don't see how someone could disable SMS's ability to enforce policy. What am I missing? Where was the user granted permission to make changes to the registry?

    70. Re:Typical Microsoft response by Meski · · Score: 1

      see parents parent, or whatever.
      Trusted Applications. These are the same "trusted applications" that every week, get this kind of bulletin "This vulnerability could allow an attacker to gain complete control over a [insert your Windows version here] system." from Microsoft.

      Read the words "complete control". It doesn't say "complete control, excluding MOM and SMS". You say you'll visit the machine. Nice, if it's on the same floor as you. Potentially, it's on a VPN hundreds or thousands of kilometres away.

      Windows as an OS continues to be vulnerable. Has there been a month that hasn't had a security patch?

    71. Re:Typical Microsoft response by Vancorps · · Score: 1

      You mean like the RPC vulnerability for Microsoft DNS server? A vulnerability that only matters because people are idiots with security and allow management over the Internet without any encryption? The majority of those vulnerabilities mean nothing if you have set up the machines properly. With basic user level access I've yet to see a trojan that can infect a machine mysteriously. All those vulnerabilities require the user to run a piece of code which isn't trusted. So you really didn't answer the question. How do you run an exploit when you're only allowed to run a select list of executables which is managed from a central database that users only have read access to?

      Also, if the machine I'm monitoring is a long distance away then I will call someone who is not that far away to check it out for me. It's basic practice, when something goes out of compliance then no amount of control of that machine is going to impact the analysis that my server has of the machine. They would have to know an awful lot about how the system was deployed, at that point it's less of a technical security problem and more of a cultural one. If people are giving out sensitive information, enough to exploit such a system then users need to be educated about social engineering. Besides that it really doesn't matter what the users know since all management is out of their hands. This is why corporations actually like Windows, this monitoring and management is easy as pie, far easier than any implementation I've ever seen on any Linux distro or Unix variant. All the platforms except for seemingly OS X seem to support this stuff, I'm unsure why people would go through the trouble to deploy it when it is as easy as you say to exploit, although there has never been an exploit for a system such as that. When you've gone through that much trouble you will experience mandatory profiles and at best folder redirection which really makes it hard for any malware to spread or even infect one system.

      With basic security in place the majority of malware is pointless and meaningless to me. There is a reason none of the machines in the company I manage machines for have any malware beyond that of cookies which are wiped at login. The beautiful aspect is that some cookies I can store centrally such as cookies for the company Intranet so I can always ensure compliance. That word has been a central theme in corporate America since Windows 2000 came out. Compliance Compliance Compliance! It's a pain in the ass and Microsoft has made it more and more complicated these days but they do make it easy to track compliance.

  3. ZoneAlarm by faloi · · Score: 0

    I would've sworn ZoneAlarm flagged Windows Update attempts. I guess I need to double check when I get home.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein
    1. Re:ZoneAlarm by Jessta · · Score: 1

      Note: if you have malware installed on your computer with administrator privileges you can't trust your software firewall. You can't trust your anti-virus. You can't trust your OS installation at all.

      --
      ...and that is all I have to say about that.
      http://jessta.id.au
  4. Your machine has just been updated by liledevil · · Score: 5, Funny

    14 new virusses have just been installed
    please restart your machine to become a zombie

    1. Re:Your machine has just been updated by Anonymous Coward · · Score: 0

      Brains...

    2. Re:Your machine has just been updated by thestudio_bob · · Score: 4, Funny

      14 new virusses have just been installed
      please restart your machine to become a zombie

      Accept or Deny?


      This will never get old...

      --
      The real Sig captains the Northwestern. This one captains /.
    3. Re:Your machine has just been updated by heinousjay · · Score: 1

      Only if you redefine never to be some time in early February.

      --
      Slashdot - where whining about luck is the new way to make the world you want.
    4. Re:Your machine has just been updated by Anonymous Coward · · Score: 0

      14 new virusses have just been installed
      please restart your machine to become a zombie

      "that's the dumbest fucking idea I've heard since I've been at Microsoft."
  5. Makes me wonder . . . by SpeedyGonz · · Score: 1

    . . . why didn't this happen before?

    Did it happen before and just now somebody found out?

    1. Re:Makes me wonder . . . by plover · · Score: 2, Insightful

      . . . why didn't this happen before? Did it happen before and just now somebody found out?
      Well, that's exactly the problem with undisclosed vulnerabilities. You never know if someone has used them before or not. At least publishing a vulnerability will make sure that if someone was exploiting it, they'll be out of business once it's patched.
      --
      John
    2. Re:Makes me wonder . . . by zero_offset · · Score: 1

      RTFA. It doesn't exploit Windows Update.

      First you install a trojan. Then the trojan uses a background FTP process (which is also used by Windows Update) to download additional malware -- but your machine is already compromised at that point.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  6. Not one the the better MS Patents... by ITMagic · · Score: 4, Funny

    Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?

  7. Correct link by Random+Walk · · Score: 5, Informative
    1. Re:Correct link by Anonymous Coward · · Score: 0

      Frank Boldewin's site is http://www.reconstructer.org/, not http://www.reconstruction.org/.
      What's worse? A weird Christian page or one that consists only of Flash?!
    2. Re:Correct link by morgan_greywolf · · Score: 1

      What's worse? A weird Christian page or one that consists only of Flash?!


      The weird Christian page; unless you happen to be running Linux x64.
    3. Re:Correct link by PitaBred · · Score: 1

      Install the 32bit Windows libraries, then the 64bit version of nswrapper, and wrap Flash with it. Flash on under 64bit, embedded directly in a 64bit browser, with no warnings or annoyances.

  8. Makes perfect sense by Megaweapon · · Score: 3, Insightful

    With a lot of people doing auto-updates might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often than their virus scanners anyway.

    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    1. Re:Makes perfect sense by zero_offset · · Score: 4, Informative

      RTFA, the summary is incorrect. It doesn't exploit Windows Update.

      --

      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

    2. Re:Makes perfect sense by Ilgaz · · Score: 0

      It is a very bad thing. The people Microsoft could hardly manage to enable auto updates via several nag tactics will disable their setting now. All the framework, digital signatures means nothing.

      I really hope MS fires who is responsible for that glitch. I enabled auto updates on every single non-technical user's Windows machine I know. Now they will get latest and greatest spyware even with auto resume options and... version checking!

    3. Re:Makes perfect sense by dave562 · · Score: 1
      You're a tool and I'll take the -1 hit for pointing it out. Auto Update isn't going to download files to the machines, you twit. The trojan uses auto update functionality to download additional malware. If auto update was off, it wouldn't matter because you failed to secure the box properly in the first place and let the trojan in.

      If you set up the box right and let the user run as a normal user account, Windows is pretty freakin secure these days. I have set up a bunch of boxes for people like my sister, the kids of some employees at my clients, and my parents. Everyone except my parents uses Myspace, Facebook, IM clients, the whole nine yards. Yet oddly enough, the only "tech support" call I've had to deal with in the last six months was from my sister because SHE COULDN'T INSTALL SOFTWARE BECAUSE SHE WASN'T RUNNING AS ADMINISTRATOR.

  9. Security quiz linked from TFA by AmIAnAi · · Score: 5, Funny
    Linked off TFA is a quiz checking readers' knowledge of computer security issues. I just love the first answer for question 10:

    What is a DDoS attack?

    A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

    That's one botnet I'd happily join
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
    1. Re:Security quiz linked from TFA by iainl · · Score: 1

      It's a bloody good job the BBC are big enough to withstand a slashdotting, otherwise that would be looking a bit foolish...

      --
      "I Know You Are But What Am I?"
    2. Re:Security quiz linked from TFA by Anonymous Coward · · Score: 0

      What is a DDos Attack?
      In layman's terms
      If your under a DDOs attack..
      You keep on Knock-in but-cha can't get in

    3. Re:Security quiz linked from TFA by mowall · · Score: 1

      What is a DDoS attack?

      A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux
      Ah, that'll be a "Die Dreadful Operating System!" attack.
    4. Re:Security quiz linked from TFA by Vexorian · · Score: 1

      I want a recount, first of all how come knowing which platform the first virus ever invented targeted is at all useful for my security knowledge?

      Then the serious complaints:

      Q: Windows is nagging you to update the operating system. What do you do?

      Alleged correct answer: "Install the updates as soon as they become available" , wtf? What if I don't want any WGA trojan?

      Q: You need to choose a password for the account you have set up at an online shop. What do you do?

      The answer for most is "Pick one that combines letters and numbers that make it hard to guess" but the answer to me is something that is closer to "Use the same one as you use on every other site", in fact it is a combination of both, you would have like 3 different passwords, one very simple that you use for things that don't matter (I seriously don't have many issues about losing the account I use to comment youtube videos...) Another one for medium importance things, and a big one I only use on the very important ones.

      The problem with the utopian approach to passwords (choose a different one for every single site, and always a long alphanumeric one) is that you don't get to remember the passwords, so people tend to need a big file or paper with the passwords written and that's a real vulnerability if you ask me.

      --

      Copyright infringement is "piracy" in the same way DRM is "consumer rape"
  10. Windows is safe! by Anonymous Coward · · Score: 5, Funny

    Hi,
    I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.

    I just talked with my friends at Microsoft and they told me that

    "Windows is safe!"

    and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.

    Maybe from above like the Lord does.

    I rather go to church and pray to the Lord for less terrorists than being part in this smear campaign against the blessed world leader of IT.

    Bill and Melinda think of the children. Do YOU?

    1. Re: Windows is safe! by Black+Parrot · · Score: 1

      I rather go to church and pray to the Lord for less terrorists than being part in this smear campaign against the blessed world leader of IT. Surely it's not too much trouble to pray that your Windows box will be secure too, while you're at it.
      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Windows is safe! by ajs318 · · Score: 1

      The Gateses are atheists (proof that someone can't be all bad). Your prayers aren't going to make any difference to them.

      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re: Windows is safe! by Anonymous Coward · · Score: 2, Funny

      Well, He might be omnipotent enough to create logical fallacies and Creationists, but that doesn't mean He's powerful enough to fix Windows.

    4. Re:Windows is safe! by PhxBlue · · Score: 1

      Jerry, is that you??

      --
      !#@%*)anks for hanging up the phone, dear.
    5. Re:Windows is safe! by Anonymous Coward · · Score: 0

      Bill and Melinda think of the children. Do YOU?

      I do, that's why I use condoms.

  11. After having read TFA... by akarnid · · Score: 0, Offtopic

    I've come to the conclusion that reformed ministers in Japan do moonlight as malware/bug/virus hunters. Too bad I couldn't find anything on his site tho :)

  12. link to Boldewin's page incorrect by jrtom · · Score: 1, Redundant
    It's http://reconstructer.org/ not http://reconstruction.org/.

    Also, Brian Krebs' blog has an informative post on the phenomenon.

  13. Wrong Link by tprime · · Score: 0, Redundant

    Email came from reconstructer.org NOT reconstruction.org. The latter is a religious site.


    www.tomandemily.com

    --
    http://www.tomandemily.com
    1. Re:Wrong Link by Joebert · · Score: 1

      It's a sign...

      --
      Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  14. Huh ? by Denis+Troller · · Score: 0, Redundant

    Please, proof your links when posting. The "discovered by Frank Boldewin" link takes you to http://www.reconstruction.org/, a "christian reconstruction" website instead of the proper http://www.reconstructer.org/ (Frank Boldewin's website).

    Granted, TFA links to the proper website while displaying "reconstruction.org". Still...

    --
    That's not a nick, that's my NAME.
  15. A little overstated by 140Mandak262Jamuna · · Score: 3, Informative

    Yes, it makes life a little easy for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff into the computer? Once the machine is compromised, it can use even ftp to download stuff. Don't blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:A little overstated by 0123456 · · Score: 1

      "But all users whitelist their browsers in their firewall software to make outbound connections."

      Speak for yourself. I have Zonealarm block every IE connection unless I specifically allow it... no way will I trust that piece of crap to go talking to random web sites without permission.

    2. Re:A little overstated by jrumney · · Score: 1

      My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

    3. Re:A little overstated by 140Mandak262Jamuna · · Score: 1

      Well, have you whitelisted Firefox? Or do you click "allow" every time you launch the browser? Looks like you are paranoid enough to avoid trojans. But if you do get such a malware, and if it uses Firefox to download more stuff, would you blame Firefox?

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    4. Re:A little overstated by 140Mandak262Jamuna · · Score: 1
      My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

      But it is a conjecture or speculation on your part. It is possible that MSFT has given more privileges to BITS over other parts and a privilege escalation vulnerability could be found in future. But as of now, malware using windows downloader is no different from malware using firefox, Infernal Exploder or plain vanilla ftp.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    5. Re:A little overstated by mhall119 · · Score: 1

      Presumably even if you have Firefox whitelisted and a trojan uses it to download more malware, that malware can only be run with user permissions, not "System" permissions like BITS has. Therefore the amount of damage Firefox can do on a decently designed OS is limited to the damage a non-privileged user account can do, and no more.

      --
      http://www.mhall119.com
    6. Re:A little overstated by CerebusUS · · Score: 1

      BITS doesn't do installs, it only does rate-limited transfers. Malware downloaded by BITS would still need higher-level privs to install into the system. All BITS does is avoid the "XXX program is trying to use the internet" message that windows throws up.

    7. Re:A little overstated by MadMidnightBomber · · Score: 1

      For one, because your security admin is used to looking at a record of dodgy websites visited - in terms of drive-by downloads, I'm not talking about porn here. Now s/he needs to check whether BITS downloads are going to real MS servers or not.

      --
      "It doesn't cost enough, and it makes too much sense."
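      One way to do the check described above, as an added example that is not from the thread or from Microsoft: a PowerShell script that lists every user's BITS jobs and flags any whose source is outside an allow-list of Microsoft update hosts. The allow-list, the function name and the output shape are assumptions for illustration; an internal WSUS server would need to be added to the list.

```powershell
# Added example (not from the thread): audit the BITS queue for download
# sources that are not known update hosts. Run elevated so -AllUsers works.
Import-Module BitsTransfer

# Assumed allow-list of host suffixes that Windows Update is expected to use.
# Extend it for your environment (e.g. an internal WSUS server name).
$TrustedHostSuffixes = @('microsoft.com', 'windowsupdate.com', 'windows.com')

function Test-TrustedHost {
    param([string]$Url)
    # Parse the remote URL; anything unparseable is treated as untrusted.
    try { $hostName = ([System.Uri]$Url).Host.ToLowerInvariant() }
    catch { return $false }
    foreach ($suffix in $TrustedHostSuffixes) {
        if ($hostName -eq $suffix -or $hostName.EndsWith('.' + $suffix)) {
            return $true
        }
    }
    return $false
}

function Get-BitsJobAudit {
    # Hypothetical helper: one row per file in every user's BITS jobs,
    # with Status = 'REVIEW' when the source host is not on the allow-list.
    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        foreach ($file in $job.FileList) {
            $status = if (Test-TrustedHost $file.RemoteName) { 'ok' } else { 'REVIEW' }
            [pscustomobject]@{
                Status = $status
                Job    = $job.DisplayName
                Owner  = $job.OwnerAccount   # SYSTEM-owned jobs are normal for WU
                State  = $job.JobState
                Source = $file.RemoteName
                Target = $file.LocalName     # where the payload lands on disk
            }
        }
    }
}

# Show the flagged transfers first so they are not buried among update jobs.
Get-BitsJobAudit | Sort-Object Status -Descending | Format-Table -AutoSize
```

      This only sees jobs still in the queue; on Vista and later the Microsoft-Windows-Bits-Client/Operational event log keeps a record of completed jobs and their URLs for after-the-fact review.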
    8. Re:A little overstated by Anonymous Coward · · Score: 0

      Then your guess is completely and utterly wrong. But hey don't let that faze you, most on slashdot have very little clue.

      This is not an attack vector, it is purely a download mechanism, no different from using IE, firefox or any other mechanism. It doesn't let you execute code or overwrite system files, in fact BITS will only write to folders that the calling process's user has access to. But hey why let the truth get in the way of a chance to spread FUD.

    9. Re:A little overstated by mhall119 · · Score: 1

      Ah, thanks for the correction. You're right, this exploit is kind of trivial, since it requires the attacker already has complete access to a system. It just used BITS to bypass firewall restrictions.

      It's kind of like saying that once a thief gets into a safe, it's easy for him to steal all your money.

      --
      http://www.mhall119.com
  16. WGA by Anonymous Coward · · Score: 3, Funny

    The good news is that it only installs the malware if you're running Genuine windows.

  17. Manual updates at risk? by Urban+Garlic · · Score: 1

    It sounds from the article (yes, I read it, no, I'm not new here...) like surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware right at that time.

    If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

    Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download?

    --
    2*3*3*3*3*11*251
    1. Re:Manual updates at risk? by Anonymous Coward · · Score: 0

      I don't believe you RTFA as it specifically states "The bypass relies on [Jowspry] already being present on the system; it is not an attack vector for initial infection.

      The bypass most commonly occurs after a successful social engineering attempt lures the user into inadvertently running [Jowspry], which then utilizes BITS to download additional malware."

      HTF did you interpret that as "surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware"??

      In any case, with interpretations like that, you certainly fit right in with the rest of the /. crowd...

      -AC

    2. Re:Manual updates at risk? by EvilGrin666 · · Score: 1

      If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date. Manual downloads from Windows update use BITS. Check %SYSTEMROOT%\WindowsUpdate.log while doing an update if you're curious.

      Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download? BITS runs as a service under the system account. It can do whatever it wants. However it needs to be woken up to do it, as its default service state is set as 'Manual'.
    3. Re:Manual updates at risk? by Applekid · · Score: 1

      There's always Windiz Update.

      --
      More Twoson than Cupertino
    4. Re:Manual updates at risk? by Copperhamster · · Score: 2, Insightful

      BITS is just yet another way of delivering software to your machine. It's supposed to allow you to download stuff like updates without hogging all your bandwidth. Works well on cable/dsl. Dial up or ISDN, not so much. There are other companies that use BITS for various other applications, for example Sony OE uses it when they are rolling out a big big patch in SW: Galaxies to roll parts of it out early, in theory while you are playing without impacting your game. Again, on Dial up or ISDN that doesn't work so well, so they let you turn it off. Imho it was only a matter of time before BITS was hijacked for this purpose. I'm not saying I saw this coming, I really hadn't thought about it, but it's just another vector for malware to get to the internet and download software to your machine. A vector that is normally 'trusted'.

      Again, the kicker is that (as I understand things) there has to already be some program (malware) on your computer to request additional malware through BITS. That malware could conceivably be a Java or ActiveX program running in your browser, or something an exploit causes to be dropped and run. BITS is not an attack vector in and of itself at this time.

      I imagine Vista would probably pop up a confirmation window about allowing something access to BITS if you were running as a low-privilege user, but I'm not sure.

    5. Re:Manual updates at risk? by mvdwege · · Score: 1

      I have done a Windows 2000 install just this weekend, and I can tell you the following:

      1. BITS must be enabled for Windows Update to function.
      2. Worse, the auto update feature must not just be enabled, it must be set to 'Automatic' for Windows Update to function.

      Now, unless like me you start services.msc every time you want to do updates and manually turn on BITS and set auto-update to Automatic, and disable them afterwards, you're hosed.

      Thankfully, my Windows 2000 installation is not used to browse the web, but mostly as a standalone gaming system, and heavily firewalled at that (with a real firewall), but this news still makes me happy for being paranoid.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    6. Re:Manual updates at risk? by mvdwege · · Score: 1

      BITS status as 'Manual' is meaningless, as it can be started by the auto-update service, which must be set to automatic for Windows Update to even function. Merely setting auto-update to 'Manual' and manually activating it does not work.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    7. Re:Manual updates at risk? by EvilGrin666 · · Score: 1

      Which is why I said "it needs to be woken up". Either by the ActiveX control that makes update.microsoft.com work, the automatic updates service or some 'Evil Trojan' as TFA mentions.

  18. click here by gEvil+(beta) · · Score: 3, Funny

    Is your Windows Update not infected yet? Click here to infect it!

    --
    This guy's the limit!
    1. Re:click here by Tribbin · · Score: 1

      You are right!

      I clicked on the link and it redirected me to http://127.0.0.1/apache2-default/ and the page confirms that it works!

      --
      If you mod this up, your slashdot background will turn into a beautiful sunset!
  19. Let me be the first to say... by SadGeekHermit · · Score: 5, Funny

    If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

    Me, I'm relaxed and enjoying a soda.

    --
    NO CARRIER
    1. Re:Let me be the first to say... by value_added · · Score: 1
      If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

      Ok, so I feel detached and amused, but I'm still left wondering why it is that Windows users always seem to have all the new neato features.

      From Symantec's Malware Update with Windows Update

      It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth. It's a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want.
    2. Re:Let me be the first to say... by Dragonslicer · · Score: 1

      It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth
      Is there anything else to say besides "Uhhhh...."?
  20. Overblown by MrNonchalant · · Score: 4, Informative

    It should be pointed out that malicious code needs to already be running on the host machine to use this.

    1. Re:Overblown by Volante3192 · · Score: 1

      This is Windows we're talking about though.

      Sure, easy attack on Windows here, but I'd think given a couple months the odds are in the virus writer's favour.

  21. Can you safely disable BITS? by guanxi · · Score: 3, Interesting
    I've considered disabling the BITS service before (i.e., via services.msc), especially since I usually run Windows Update manually. But I read hints that it may break other applications, including from Microsoft's documentation:

    You should not set the Startup Type to Disabled. Disabling BITS may break applications, such as Windows Update, that rely on BITS to transfer files.


    However, I've never found anything more specific -- does anyone know the consequences of disabling BITS?
    1. Re:Can you safely disable BITS? by figleaf · · Score: 1

      Why don't you also go ahead and disable HTTP also. Surely malware can also use HTTP.

    2. Re:Can you safely disable BITS? by guanxi · · Score: 1

      To partly answer my own question, here's a pretty good analysis of BITS:

              http://www.firewallleaktester.com/news.htm#57

    3. Re:Can you safely disable BITS? by dknj · · Score: 1

      no let me stop this stupid flow of ideas. you can stop or disable BITS, but it won't do you any good. the malware must be installed first to take advantage of it, so unless you actually remove BITS from your system (not likely) malware can just contact the service control manager and reenable the bits service (run sc from the command prompt or read up on WMI if you want to learn more about controlling services from scripts/batch files).

      of course the malware could also just use your favorite networking stack and contact its remote server via HTTP anyway.. so this article is a whole lot of hoopla about nothing. can we move on now?

    4. Re:Can you safely disable BITS? by guanxi · · Score: 1

      I'm considering disabling BITS not because of this attack -- as I said, I considered it before. BITS is an obvious vector for attacks. The benefits of disabling it are probably not large, but it's cheap and easy to implement -- the question is, what other costs are there, in terms of compatibility, etc.

      No matter how you secure your computer, there are ways around it. All you can do is make it more difficult for the attacker.

    5. Re:Can you safely disable BITS? by jaavaaguru · · Score: 1

      There's a simple wizard that helps you get rid of BITS. You can download it here

    6. Re:Can you safely disable BITS? by TractorBarry · · Score: 1

      I tried disabling the BITS on my Windows machines.

      Trouble is now all my bytes are stuck and I can't change their values.

      yeah, yeah very lame I know :)

      --
      Sky subscribers are morons. They pay to be advertised at !
    7. Re:Can you safely disable BITS? by dknj · · Score: 1

      what? are you missing the big picture? you can re-enable any service at any time, regardless of what the user set the service to.

      for instance, you need MS DTC enabled to install SP2 on windows 2003. at my workplace we disable MS DTC because it's not a needed service. our group policy is of a fucked up design (i'm working on it) and we have some 150+ servers that we need to enable MS DTC on before we can install SP2. I'm not going to edit 80 group policies to enable this service, so i used WMI to enable the service across our environment. guess what, your computer has WMI too. okay, disable the WMI service. but wait, oh damn that won't work either. looks like microsoft provided both an API and a command line tool to interface with the service control manager. looks like that crack for that application you downloaded realized this as well.

and of course let's not forget all bits is, is an easy way for an app to say "download this piece of software for me, don't disrupt any other network traffic" without bloating its code. but considering what the demo scene can pack into 4k, don't be surprised if your favorite keygen included 2k of code to fetch stage 2 of its rootkit via FTP, HTTP, or, my favorite, UMTP (united malware transfer protocol).

      do you get the idea yet?

  22. Nice work! A program to infect an already ... by figleaf · · Score: 2, Funny

    ...infected machine!! Man who knew that would be even possible?

  23. and yet... by dAzED1 · · Score: 1

    and yet, people still believe this crap - that MS is only hit far more often per install because it's a more tempting target due to numbers alone, not lack of security as part of the design process.

    Eh. What can ya do.

    1. Re:and yet... by drinkypoo · · Score: 4, Insightful

      How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:and yet... by ajs318 · · Score: 2, Insightful

      Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

      Oh, wait, that's bollocks. And so is your argument.

      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re:and yet... by dAzED1 · · Score: 1

      maybe you're not aware of this, so I'll let you know. apache isn't an operating system - it's a web server. In fact, it's a web server that will run on almost all the operating systems out there. Linux, Solaris, Windows, OS/X, HPUX...on and on.

      Just letting you know to be helpful.

    4. Re:and yet... by dAzED1 · · Score: 1

      I challenge you to write something that will install itself as part of my average web surfing, daily computer use experience, and will then change how other layers operate.

      Unless you're saying you use your debian box logged in as root to surf and do work?

    5. Re:and yet... by drinkypoo · · Score: 1

      I challenge you to write something that will install itself as part of my average web surfing, daily computer use experience, and will then change how other layers operate.

      There have been numerous examples of local privilege escalation exploits on OpenBSD, let alone Debian.

      Could I do it? Probably not. I'm not much of a programmer. Could people who regularly write malware do it? Probably.

      Unless you're saying you use your debian box logged in as root to surf and do work?

      No. I do it with Windows of course (run as an Administrator) but I no longer have an actual Windows system, only virtual machines. (There is one windows system on my desk at work, but it is only for doing digital signage.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:and yet... by Chris+Burke · · Score: 1

      Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit!

      That's the thing the article doesn't make clear: Does this exploit require that the trojan be executed with admin privileges, or can it get the necessary privileges from a standard user account?

      If the former, then clearly this isn't MS' fault at all. Got Root? Got Pwned. If the latter, then it's a local privilege escalation bug that is MS' fault. It may still require the user to download and execute a trojan, which would mean they are already compromised, but the hypothetical escalation bug would increase the damage the trojan could do. Or if there is a remote exploit that allows execution of arbitrary code in user-space, then it could then use the local exploit to get root, and now it's a real worm.

      That's why even the most minor of security issues needs to be fixed. Because a bug in your code that is difficult to exploit, combined with a bug in software that you didn't write and would never know was even going to be on the system, and the result could be a simple way to own your machine.

      Anyway, all I'm saying is that if this does take advantage of a local root exploit, then MS can spin all they want but they better fix it pronto, simply because you can probably assume that your average windows user will at some point download and execute a trojan. If it ain't, well, not much they can do, other than remind people not to run as admin?

      --

      The enemies of Democracy are
    7. Re:and yet... by ajs318 · · Score: 1

      Apache isn't even a web server, it's a software company. Apache HTTPD is a web server (it stands for HTTP Daemon).

      Just letting you know to be helpful.

      The question left unanswered is: Is it generally easier or harder to make an exploit at the application level, as compared to the OS level? And, once we take this into account, how does the Apache HTTPD application monoculture then compare with the Windows OS monoculture?

      --
      Je fume. Tu fumes. Nous fûmes!
    8. Re:and yet... by dAzED1 · · Score: 1

I'm waiting for your point here. I state that the OSs have differences in how they view security, and that, more than number of installs, is why it is hacked. You then make some odd, unrelated statement about apache httpd, and say my claim is wrong. Now you're splitting hairs about apache, when ya know...I've been around long enough such that I still call the damn thing apache. Sorry. I call Tomcat Tomcat as well, not the Apache Tomcat partial java servlet engine, or whatever.

So I suppose my question ends up being...were you going to get around to making a point? And if so, what exactly was that point you were gonna make? Are you trying to suggest that Windows is designed with the same amount of security in mind that Linux is? Because if you are, you're wrong.

      Usability has always been at odds with security. Doesn't have to be, but for $X amount of money spent coding, the balance is important. Windows went with the usability option. Does that make them inferior? No, just means the approach was different. Happens that people value usability FAAAR more highly than they value security. Security is starting to come on the average-joe's radar now, but that's a very recent development.

      I just find the argument that Windows is hacked far far more often per-install than Linux because it is a more tempting target to be absurd, and not based in any sort of logic at all.

    9. Re:and yet... by ajs318 · · Score: 1

      My point is that saying "the number of attacks depends upon the popularity of the software" is a cop-out. Apache HTTPD server is a more popular web server than IIS, yet it doesn't receive the proportion of web server attack attempts that you would expect if -- as the Windows fanboys maintain -- it was popularity alone that determined frequency of attack attempts.

      However, the popularity of Windows as an operating system might actually not be entirely unrelated to its lax security (it's easy to set up if you don't give a fig who can get into it). If that is so, then Microsoft have a problem on their hands: anything they do to try to make Windows more secure will at the same time rob it of one of its selling points. Meanwhile, the Linux distros are catching up in the usability stakes and could be in a position to poach customers.

      --
      Je fume. Tu fumes. Nous fûmes!
  24. Microsoft's Makes a Buck, However by VE3OGG · · Score: 5, Funny

    Dear Sirs,

    Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, included patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).

    Thank You

    Kindly,

    The MS Legal Eagles

25. Story is inaccurate by FooHentai · · Score: 5, Insightful

It's not really Windows Update that's being used in this exploit, it's the Background Intelligent Transfer Service which, in a nutshell, is a service that downdaloads data to your PC while minimising disruption to other network activity i.e. surfing the net, gaming, or downloading other files. It's a built-in feature of Windows XP but has only been implemented once or twice.

Windows update makes use of the BITS service. Malware can make use of the BITS service. It's not logical to then say that Malware is exploiting Windows update. Any more than an attack that utilised Java would be exploiting Azureus (A java application).

    The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

    A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

    So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.

1. Re:Story is inaccurate by ajs318 · · Score: 1

      The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net.
      And this is what's wrong with Windows' security model.

      Firewalls shouldn't be caring about which programs want access to the outside world. Firewalls should be caring about which bit of the outside world programs are trying to access -- and which bits of the outside world are trying to access the computer the firewall is protecting. And the decision of what to allow through the firewall or not should be taken by, or at least on the say-so of, a human user with administrative privileges.

      All this basically stems from Microsoft's arrogant assumption that they know what is best for users.
      --
      Je fume. Tu fumes. Nous fûmes!
2. Re:Story is inaccurate by element-o.p. · · Score: 1

      ...a service that downdaloads data to your PC...

      Aw, man...now I've got Windows envy. I wish my Linux PC could downdaload data! (sorry, I couldn't resist!) :)
      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
3. Re:Story is inaccurate by Anonymous Coward · · Score: 0

      Do you whitelist all of your outbound connections in your firewall? That's gotta be a pain in the ass, or you don't really browse anywhere.

4. Re:Story is inaccurate by Anonymous Coward · · Score: 0

      As far as I'm concerned BITS is part of Windows Update. It's only on my machine for Windows Update. Do you honestly use it for anything else?

5. Re:Story is inaccurate by pe1chl · · Score: 1

      Firewalls shouldn't be caring about which programs want access to the outside world. Firewalls should be caring about which bit of the outside world programs are trying to access

      Apparently you don't understand what BITS is actually downloading. It (usually) downloads from plain HTTP servers. So when you would want to block it in an outgoing firewall, you would need to block connections to port 80.

BITS is like wget in a server shell. You submit requests to it and it wgets the files in the background. It only writes to places the requester is allowed to write to. And it has some clever feature to only download when the connection is almost idle, so it won't interfere with normal usage.

      Quite useful. Linux should have something like this. Let's call it wgetd.

6. Re:Story is inaccurate by bill_mcgonigle · · Score: 1

      As far as I'm concerned BITS is part of Windows Update. It's only on my machine for Windows Update. Do you honestly use it for anything else?

      As far as I'm concerned Windows is part of World of Warcraft. It's only on my machine for World of Warcraft. Do you honestly use it for anything else?

      (not true, just illustrating the point)

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  26. Nothing to see here, move along. by TheRealAnonymousCowa · · Score: 0

    Actually, once a system is infected with a Trojan, it can open up avenues for other attacks. This can happen to any machine, regardless of whether it's running Windows or Linux or OSX.

  27. I have it disabled on all my Windows machines... by mario_grgic · · Score: 1

and everything except automatic updates works (which is what I want). However, to manually update windows, you still must enable automatic updates, since the updater ActiveX control checks if the service is set to run automatically and actually running.

    Automatic Updates service depends on BITS, so you have to start both and change their startup type to Automatic, at least temporarily until you finish with the manual updates.

    I have (an MKS) Korn Shell script that does this before I do manual updates and sets them back to disabled after the update.

    --
    As the island of our knowledge grows, so does the shore of our ignorance.
  28. I've always been curious... by Belial6 · · Score: 2, Interesting

I've always been curious (not enough to do the research I guess) what kind of security the windows update does to prevent someone from using control of DNS and or routers to get windows update to install malware. Given that people often use DNS and routers that they cannot really trust, is there something that prevents a bad guy from just redirecting all traffic that is attempting to hit MS's update site to their own server that is set up to look like it is MS's update site? Given how many people have their laptops set up to do automatic updates, I would think that it would be easy to just take a laptop to a coffee shop, and watch as other patrons 'update' from your access point.

    1. Re:I've always been curious... by SEMW · · Score: 1

Wouldn't you need to either hack into their ISP's DNS servers and change Windowsupdate.com to redirect to your site, or else get into the target PC and change their default DNS server from their ISP to a box you've set up? The former would be nigh-on impossible, and if you've done the latter you've already compromised the PC; so why bother fiddling about with Windowsupdate?

      --
      What's purple and commutes? An Abelian grape.
    2. Re:I've always been curious... by Anonymous Coward · · Score: 0

      SSL

  29. Windows Virus Updates!! by InfiniteSingularity · · Score: 1

    Are you still infected with those old fashioned beagle or Zotob viruses? Now, with our new Windows Virus Updates, you no longer have to worry about being the loser with old variants on your machine. You will get the newest, most zombie-rific viruses the wild web has to offer. All for, you guessed it, FREE. Windows will automatically update your viruses to the most virulent forms of code out there. Be sure and upgrade TODAY!!

  30. Re:In Bill Gates' America.... by jollyreaper · · Score: 1

    Crap, I forgot to say "I know I'll get modded down for this" first.

    --
    Kwisatz Haderach
    Sell the spice to CHOAM
    This Mahdi took Shaddam's Throne
  31. but does it support Vista? by Gary+W.+Longsine · · Score: 1

    Spammers and botmasters the world over want to know.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:but does it support Vista? by jackharrer · · Score: 5, Funny

      But does it run on Linux???

      --

      "an experienced, industrious, ambitious, and often, quite often, picturesque liar" - Mark Twain
    2. Re:but does it support Vista? by flight_master · · Score: 1

      Background Intelligent Transfer Service - why does it seem so un-ironic that it isn't that "Intelligent"?

      I bet it runs under Linux, if you are running Xen or VmWare with Windows on it!

      --
      "Free software" is a matter of liberty, not price.
  32. Had Enough by Nom+du+Keyboard · · Score: 1

    I've had more than enough with malware writers. They are absolutely useless to polite society. 10 years in jail and a life-time ban against ever touching another computer on the first conviction.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Had Enough by Datamonstar · · Score: 1

      How about not? I definitely plan on writing malware once I get more involved with network security. I shouldn't have to go to jail just because I wrote some malicious code. Releasing it into the wild on the other hand....

      --
      The eternal struggle of good vs. evil begins within one's self.
  33. Completely misleading by cooldev · · Score: 5, Informative

BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwidth. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708.aspx, and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

    Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

    Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

    Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not Hijacking Windows Update. They're using a generic well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.
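Since this post and #25 above both come down to "BITS is a documented download service that any local program can drive", the defender's question is what BITS is currently fetching on a machine. The following is an added PowerShell example (not from the article or any poster) that inventories every user's BITS jobs through the documented BitsTransfer module and flags files whose source host is not on an allow-list; the allow-list contents are an assumption you should adjust for your environment.

```powershell
# Added example: audit BITS jobs across all users and flag downloads from
# hosts outside an allow-list. -AllUsers needs an elevated prompt.
Import-Module BitsTransfer

# Assumed allow-list of host suffixes BITS is expected to talk to. Adjust it;
# an enterprise with WSUS would list its own update server here instead.
$AllowedHostSuffixes = @('windowsupdate.com', 'update.microsoft.com')

function Test-AllowedHost {
    param([string]$HostName)
    foreach ($suffix in $AllowedHostSuffixes) {
        # Accept the host itself or any subdomain of it, nothing looser
        if ($HostName -eq $suffix -or $HostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # Emits one record per file whose remote URL points outside the allow-list
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            $uri = $null
            $hostName = '<unparsable>'   # an unparsable URL is itself worth a look
            if ([System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
                $hostName = $uri.Host
            }
            if (-not (Test-AllowedHost $hostName)) {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    DisplayName = $job.DisplayName
                    Owner       = $job.OwnerAccount
                    State       = $job.JobState
                    Created     = $job.CreationTime
                    RemoteHost  = $hostName
                    RemoteName  = $file.RemoteName
                    LocalName   = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

A job that turns out to be unwanted can be cancelled with Remove-BitsTransfer on the object returned by Get-BitsTransfer; on a machine that is already compromised, treat the finding as evidence for the rebuild rather than as the cleanup.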

    1. Re:Completely misleading by Tridus · · Score: 1

      Its a shame that the comment rating system stops at +5, the parent should be at +10 and tacked on to the summary itself. Maybe that would stop some of the nonsense that is being thrown around in here from people who don't have a clue what they're talking about.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
  34. Windows Firewall model suxors by JohnQPublic · · Score: 1

    The problem isn't BITS. The problem is the idea that BITS is "trusted". Should you trust every FTP server your computer connects to? Every HTTP server? Of course not. Then why BITS?

    The Windows firewall model of "trust this program" is inherently incorrect, and that's the real source of this issue. I really hate to say it, but Internet Explorer gets this right - programs aren't trusted, places you can connect to are trusted.

    1. Re:Windows Firewall model suxors by pandrijeczko · · Score: 1
      The problem isn't BITS. The problem is the idea that BITS is "trusted".

      Good job they never originally called BITS the "Trusted Intelligent Transfer Service" then!

      --
      Gentoo Linux - another day, another USE flag.
  35. No worries by Ilgaz · · Score: 1

    MSFT will sue the spyware authors for breaching Microsoft patented technology.

  36. Snort by anss123 · · Score: 2, Interesting

    I'm sitting here on Windows chuckling over so called geeks that don't understand the issue at hand. If a computer is compromised, then the software firewall can be disabled. The BITS stream that comes out of the comp can be emulated by software on Linux and Mac OS, to the same effect as Windows.

    The "news" here is that there is software capable of doing this, not that it can't be done. True, BITS is a protocol created to work around firewalls, but it is hardly the only protocol engineered to do that.

    Oh, and Mac's suck because they crash all the time. *ducks*

    1. Re:Snort by SadGeekHermit · · Score: 1

      UUUUUUUHHHHH, not so fast there, professor.

      I understand the issue at hand perfectly. Microsoft uses the BITS protocol to manage Windows Update downloads and work around firewalls. A trojan that gets ahold of your windows system can use the BITS system to implement updates and installs of malware, thus making malware maintenance as convenient as Windows Update itself.

      So, not only is your Windows box easy to hose because it's got so many critical vulnerabilities and Microsoft (not being open source) is the only source for patches and updates, but once you're hosed, your friendly neighborhood hacker can use WINDOWS UPDATE ITSELF to maintain his "software"!

      Again, I say: if you were using Linux or OS/X you could enjoy all this with the same detached amusement that I do.

      As you were... :)

      --
      NO CARRIER
    2. Re:Snort by Tridus · · Score: 1

      No, it can't "use WINDOWS UPDATE ITSELF." For crying out loud, RTFA.

BITS is a service that can be told to download stuff. Windows Update uses it to download stuff. BITS can also be told to download other stuff. In this case, an already infected system uses it to download more infections, rather than say creating a HTTP connection itself.

      --
      -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    3. Re:Snort by SadGeekHermit · · Score: 1

      Oh, pardon me ALL OVER THE PLACE (said in my best Robert Mitchum impersonation).

      BITS is a piece of Windows Update (it's the system Microsoft built to let Windows Update get past your firewall).

      Therefore...

      using BITS is like using Windows Update. Or at least part of it. And it makes life easier for spyware authors.

      Nyah, nyah! Pbbbbbbbbbt!

      --
      NO CARRIER
  37. Disable BITS? by markov_chain · · Score: 1

    How will your computer work?

    --
    Tsunami -- You can't bring a good wave down!
  38. More Symantec Baloney by ThinkFr33ly · · Score: 2

    Singling out "BITS" is stupid. The exact same thing can be done with virtually any service or application that is allowed to pass through the local outgoing software firewall. As long as the software has some kind of programmatic interface, it can easily be used to bypass these firewalls.

    I wrote a proof of concept application that bypassed all of the major outgoing software firewalls (BlackIce, Zonealarm, McAfee, Symantec) by utilizing the COM interfaces for Internet Explorer and funneling all my requests through it. This is almost impossible to detect. Even better, I wrote this app in freakin' VB!

    The real problem is that local outgoing software firewalls simply don't work in an environment where all the users are admin. Once the machine is compromised, it's compromised. No number of software defenses are going to help. This includes, by the way, Symantec's expensive and incredibly crappy products. These products are there to make users feel secure, not actually make them secure.

    Remember WordMasters from grade school? You know, the analogy test they used to give every once in a while. Here is an analogy for you:

    Symantec is to computer security as the Bush Administration is to homeland security.

    They do their best to scare the crap out of people in an attempt to get them to buy their software... or vote for their party. Don't trust either of them and you'll be better off.

  39. Yes, you can. by DrYak · · Score: 2, Insightful

    if you have malware installed on your computer with administrator privileges [...] You can't trust your OS installation at all.


    No, I don't agree.
    No matter what, buggy drivers, compromised machine, spilled coffee, you can always count on your trustworthy old friend, mister Blue-Screen©® !

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  40. "Flamebait"? by SEMW · · Score: 1

    I don't know why the parent has been modded flamebait; s/he makes an excellent point; especially about Symantec.

McAfee do it too -- have a look at http://www.avertlabs.com/research/blog/?p=218#comment-32657, an exploit that gives an attacker "full access to the system". A little lower down, it is noted that the attack "requires... administrator [privileges]", but goes on to say that "a determined attacker can always find workarounds". WTF??? It's an attack the purpose of which is to malware running with admin privileges, that... requires admin privileges. Right. Sure. (He's torn apart in the comments).

    --
    What's purple and commutes? An Abelian grape.
    1. Re:"Flamebait"? by ThinkFr33ly · · Score: 1

      It was modded as flamebait because of my Bush Administration comment, I'm sure.

      Really, it was flamebait I guess... but my other points are valid regardless of my unnecessary, but imho funny (and accurate), political analogy.

    2. Re:"Flamebait"? by Anonymous Coward · · Score: 0

      Another common factor is that they do their best to keep alive the problem they tell you they are trying to combat.

What would be the position of a virus scanner or firewall manufacturer without a good supply of viruses and kiddie-scripts?
      Similar to a president and army of a country that is friends with everybody.

  41. Rollseyes by anss123 · · Score: 1

    Mac OS X open source? Snorts again. Sure, the kernel is open source but only Apple maintains it anyway.

    Being 'the computer guy' I've been pulled along for free tech support more often than I would like, and I know that Linux, Windows and even the glorious Mac OS X all have their issues. One thing I can say with absolute certainty is that if I owned, say, a PowerMac and a real deal Windows vulnerability cropped up I would _not_ feel smug about it.

What is humorous is people like you, feeling good because you use an alternate OS. You're treating operating systems like religions. Not that having an OS as a religion is any less stupid than being religious. *ducks*

  42. It should be possible to delete your own posts by anss123 · · Score: 2

    It should be possible to delete your own posts, or at least moderate them down. I apologize for losing my cool.

I just wanted to say it amuses me when people get emotional over operating systems. This is true for both Windows and non-windows users alike; I recall several Winlots being on cloud 9 when that Mac scripting error deleted a bunch of files.

    I'm probably also guilty of being amused by others misery at one time or another.

    1. Re:It should be possible to delete your own posts by SadGeekHermit · · Score: 1

      I don't get emotional over operating systems. Except for one specific situation. It's a funny story, so what the hell, I'll tell it to you.

      My mother used to use a Compaq with Windows installed. Despite her running Norton Internet Security, it would periodically get utterly FUBAR by viruses, trojans, crapware... I found myself reinstalling the whole damn box a few times a month. I couldn't go NEAR their house without having to spend a few hours fixing their computer.

      Finally I got fed up and heckled her into buying an eMac with OS/X. That machine has been chugging along for YEARS without a single problem. It's so easy to use she's doing her own software updates now, and she's even learned how to set up email filters to distribute friends, family, colleagues, etc. Years, without a single virus, problem, anything. The only thing I've had to do for her recently is show her how to reload the toner in a laser printer; she wasn't used to 'em, she used to use inkjets.

      Just thinking about it makes me weep with joy! My weekends are so much more fun now! Quieter, certainly.

      So, yeah, I think I can afford to smirk with pleasure when Microsoft types have yet another crappy day. If they don't like it, let 'em switch! It isn't religion, it's KNOWING that your O/S is the better of the two. From empirical observation!

      --
      NO CARRIER
  43. Nope. by Belial6 · · Score: 1

No, all you would need to do is set up an open wifi access point. You would in essence be the ISP, and you would control the DNS for any system that was getting their DNS server via DHCP. This wouldn't be a way to hack into someone's home PC. It would be a way to compromise a system that attached to your open wifi.

    Getting users to go through your router and use your DNS isn't the hard part. The only question would be is, does windows update do any kind of authentication that would prevent me impersonating Microsoft's site.

    1. Re:Nope. by SEMW · · Score: 1
      Ah; I see, sorry.

      The only question would be is, does windows update do any kind of authentication that would prevent me impersonating Microsoft's site. This suggests yes.
      --
      What's purple and commutes? An Abelian grape.
    2. Re:Nope. by Belial6 · · Score: 1

      Hmmm... Thanks for the link. It does appear that windows update does NOT authenticate. Per the link provided:

      "This issue occurs because the Windows Update client authenticates with null credentials to the proxy server. If the proxy server does not allow null client requests, the request may be denied."

The way I read that was that the error occurred because the proxy would not allow a null value for the credentials, and that windows update does in fact use null as the value for its credentials. From what I see, it is a huge security hole, but I have a hard time believing that I would have been the only one to think of this after all of these years. This leads me to think that there is something I am missing. Maybe I will set up a server and redirect the windows update site to it, and see if I can install some other program through it.

  44. Same acronym, too.. by A_Non_Moose · · Score: 1

    BITS =
    Background Infection Transfer Service,
    Bad Idea Turned Sideways (ouch),
    Bad Idea Taken Seriously,
    Bent-over Intrusion Thrusting Skillfully (yeeha!/ouch!).
    Better Infections Than Sony.

    So with animated characters (dog, clippy) I suppose you can say that Microsoft included all the
    "BITS and Bobs" possible in Windows.

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
  45. Norton Internet Security by anss123 · · Score: 1

    My God, that's the root of all evil.

Anyway, while anecdotes are fun, they don't prove much of anything. I got an anecdote myself, I've only been troubled by malware twice. One when my mom installed it just when it became popular, and twice when I deliberately installed it myself to see what the fuss was about.

    What conclusions can I draw from this? Nothing.

As for Norton Internet Security, that program is undiluted evil (From my anecdotal experience). You can't just disable it; it has to be uninstalled... preferably with holy water.

    These days most computer problems (in my anecdotal experience) resolve around crappy access points that's so cheep the manufacturer can't afford a website, but at the same time can't be replaced because it's supplied by the telco. Crud. That and small children ripping out cables.

    It still surprises me when people who can fix cars and lead troops can't plug in a USB cable. Sigh. I sincerely doubt going Linux/OS X will help with those issues.

    As for feeling smug: if using Mac/Linux/whatever makes you feel smug, then perhaps you're on to something. Whatever works, I say. I don't feel smug about using Vista or XP, though Win 3.0 gives me a nostalgia kick. Oh yeah!

    1. Re:Norton Internet Security by SadGeekHermit · · Score: 1

      Again, it's not about feeling smug, it's about not having to spend all your time futzing around with your Windows box trying to prevent it from getting stuffed up with spyware and viruses, rebuilding it after it DOES get stuffed up, and constantly trying to figure out what bizarre thing the next service pack is going to do to you.

      By running Linux or OS/X, you can spend all your time actually doing something useful. Write a book, write some code, browse slashdot. Whatever.

      Windows eats up too much time to be useful.

      --
      NO CARRIER
  46. BITs sounds almost like snarf by josepha48 · · Score: 1

    BITS sounds almost like snarf, where it resumes its download. I think I remember using snarf before windows had a windows update.

    --

    Only 'flamers' flame!
    Does slashdot hate my posts?

  47. Could this be legitimately useful? by SanityInAnarchy · · Score: 1

    One of my biggest complaints about Windows and OS X is the lack of decent universal package management. Basically, Apple's Software Update is great, for Apple software only. Microsoft Update is great, for MS software only, assuming your version of Office is recent enough. If you want anything else to auto-update, you have to provide your own auto-update mechanism (like Java, Firefox, etc. do), and the user may or may not pay attention, even if they follow Microsoft Updates religiously.

    And it's a hassle either way, because many of them will want you to reboot for no good reason, and may or may not ask nicely before doing so.

    Those are the ones that auto-update at all. There are quite a few that don't -- for instance, the nvidia drivers. Here, you have to go manually check each app (or driver) for an update.

    Compare that to Ubuntu/Kubuntu: One system-tray icon. Click it and you'll download/install updates for every single app installed on your system. Afterwards, it will automatically restart the services that it figures it can restart without asking you, and then tell you what else you should do -- if there was a kernel update, it will suggest a reboot, for example. If it was something like Firefox, and it sees you have Firefox open, it'll suggest you restart Firefox whenever you're ready. If it was a shared library (like openssl, say), it will often suggest some services that use that library (like openssh, openvpn, etc).

    If you can wait long enough, it will even cover things like nvidia drivers.

    So, the big question here: Is Microsoft likely to close this "security hole"? Or is it a potential opportunity for legitimate software to "hijack" Microsoft Update, and use it for non-Microsoft products?

    --
    Don't thank God, thank a doctor!
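    The question above about legitimate software using BITS has a defender-side counterpart: because BITS is a documented, shared transfer service, every job on a host (whether queued by Windows Update, a third-party updater or the trojan in TFA) is enumerable and attributable to an owning account. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the BitsTransfer module (Windows 7 / Server 2008 R2 and later) and an elevated prompt for `-AllUsers`, and the allow-list of update hosts is a placeholder for illustration, not an official list.

```powershell
# Added example (not from the Slashdot thread): list BITS jobs for all users and
# flag downloads whose remote host is not on an allow-list of known update hosts.
# Assumes the BitsTransfer module; run elevated so -AllUsers can see every account's jobs.
Import-Module BitsTransfer

# Hypothetical allow-list; real Windows Update traffic uses more hosts than this,
# so treat hits as items for analyst review, not as verdicts.
$allowedHosts = @(
    'download.windowsupdate.com',
    'au.download.windowsupdate.com',
    'windowsupdate.microsoft.com'
)

function Get-SuspiciousBitsJob {
    param([string[]]$AllowedHosts = $allowedHosts)

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        # Each job carries one or more files; RemoteName is the source URL.
        foreach ($file in $job.FileList) {
            $uri = $null
            if (-not [System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
                continue   # malformed or non-URL remote name: skip rather than crash
            }
            if ($AllowedHosts -notcontains $uri.Host.ToLowerInvariant()) {
                [pscustomobject]@{
                    JobId        = $job.JobId
                    DisplayName  = $job.DisplayName
                    Owner        = $job.OwnerAccount
                    State        = $job.JobState
                    TransferType = $job.TransferType
                    RemoteUrl    = $file.RemoteName
                    LocalFile    = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

    Two properties matter most when triaging the output: `Owner`, because a transfer queued under an unexpected account (or by a service that should not be fetching anything) is the first sign something besides the update client is using the service, and `LocalFile`, because a download landing outside the usual update cache paths is the second. Third-party updaters that use BITS legitimately, as the poster hopes for, will show up too, which is exactly why the allow-list needs local tuning.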
  48. Nonsense by anss123 · · Score: 1

    Now you're FUDing. IME the Macs crash a lot (especially when doing large jobs); that's a lot of lost time! I've seen an entire Linux lab go down almost simultaneously; that's lost time (granted this must have been a bug, as the problem was fixed by the next version).

    In other words, Mac OS X/Linux/BeOS/etc. are not immune to taking up your time. Are they better than Windows? I doubt it. My XP installs can go for years without me tinkering with them; hell, I had a four year old Win95 install going strong before the comp crashed to the floor.

    Windows has its problems but simply ain't that bad.

    Cheers

    1. Re:Nonsense by SadGeekHermit · · Score: 0, Troll

      I'm not FUDing, and I disagree strongly with your assessment. I offer the following three statements in support of my position:

      1. I would not use Mac OS/X as a server; I believe it's much more suited to providing a workstation environment. In that capacity, I've used it for years without a single crash (mostly for Java programming, writing in OpenOffice, playing Alien Vs. Predator 2, web browsing, and email).

      2. At home, I use Linux as a workstation (specifically, I run Slackware). No crashes. No down time. Just pleasant, efficient computing without any difficulties.

      3. Even the STOCK MARKET is now running Linux. Obviously it's got the stones. Note that they did NOT pick Windows. As for your "linux lab going down" one catastrophe "fixed by the next version" does not a strong argument make. For all I know, you misconfigured the environment and caused the crash yourself! I haven't heard anyone else reporting such an event... Yeah, must have been you. Sorry, dude. Not buying it.

      Again, this isn't FUD, it's common sense.

      --
      NO CARRIER
    2. Re:Nonsense by anss123 · · Score: 1

      I have never configured a Linux lab, nor do I consider myself competent enough to do so. I see no reason not to run Mac OS X as a server (sure, it might not have the performance and security levels of Linux/BSD, but that's not always of any significance). I don't know or care what the stock market, bank, airline, runs as long as it's stable and secure.

      But at home I run Windows 98 and Vista, right now, and they're stable and pleasant to use. I've tried Linux and found it to be a nice OS.

      You're FUDing because you claim that Windows users have to spend a lot of time configuring/fixing their environment. I don't know what you do with your operating systems, but the last time I installed Windows I only had to change the color scheme to pink (since she wanted it), and I've not touched that computer since.

      The computer I'm running right now is pretty much default Vista. I've changed the power button to "turn off", changed the wallpaper, and installed my preferred applications, but that's about it.

    3. Re:Nonsense by SadGeekHermit · · Score: 0, Troll

      Listen, I'm not picking on you here, and please don't take this comment as any sort of hostile taunt, ok?

      If you're still running Windows 98, and it's connected to a network, TRUST ME, you've got malware running on it. You may not be able to see it, and you may not know about it, but you are almost certainly the proud owner of a 'bot. Maybe a whole community of them.

      Just because it LOOKS "stable and pleasant" doesn't mean it IS. A well-written piece of malware is invisible to the owner of the machine. You wouldn't even know it was there. The fact that you don't think you have to do any work on your '98 box is a dead giveaway; you're probably wide open. And that poor woman probably has at least a keylogger and a spambot running on it. Keeping her machine on Windows 98 does her a great disservice and you should IMMEDIATELY replace it. If you're dead-set on using Windows, at LEAST get her XP Home Edition!

      As far as your Vista box goes, well, it might be locked down enough to be ok. I don't know since nobody I know is even THINKING of using Vista. Our general opinion of it is that it's like a very pretty, tricked-out Hummer which has a small 4 cylinder motor in it and four thousand pounds of lead plates bolted to the chassis. Looks great, moves reeeeeeeeeeeeeeeeeal slooooooooooooooooow.

      --
      NO CARRIER
  49. There Is No Security News Here by ricksmith · · Score: 1

    I'm no fan of Microsoft, but let's get real folks.

    If a trojan has penetrated your system with administrative privileges, then it doesn't really matter what protocol gets used to piggyback additional malware into the penetrated system. If the malware has admin privileges, it can bypass any download security and filtering protocol you invent. Period.

    It's like putting more and more money into a safe after the thieves have tunneled through and built a secret back door. The vault door locks just fine, but the money disappears anyway.

    This is why I'm generally logged in as a user and not as an admin, even with home machines. It doesn't make you invulnerable but it reduces your risk profile a lot. It's something that Vista (finally) is trying to do right, tho' I think OS/X does a tolerable job of it already.

  50. Um no by anss123 · · Score: 1

    My install of 98 is connected to a network, but has no malware on it. That poor woman I talked about is using Vista; the Win98 box is my P133 laptop. WinXP runs on it, but does not support the widescreen monitor.

    If you honestly believe that all Win98 boxes that are connected to the internet have malware on them, then you've fallen for FUD. Learn about firewalls, open ports and attack vectors.

    1. Re:Um no by SadGeekHermit · · Score: 0, Troll

      A-HMMMMM... He said.

      Yeeeeeeeaaaaaaah. Good luck with that.

      --
      NO CARRIER