Slashdot Mirror


Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls allowing it to install malicious code on users PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."

12 of 209 comments

  1. Makes perfect sense by Megaweapon · · Score: 3, Insightful

    With a lot of people doing auto-updates might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often than their virus scanners anyway.

    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
  2. Re:Typical Microsoft response by gazbo · · Score: 3, Insightful
    It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

    When will Microsoft patch these vulnerabilities?!

  3. Re:Typical Microsoft response by MillionthMonkey · · Score: 4, Insightful

    No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

    Not that it would matter - I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage which I think fits the definition of a Trojan.

  4. Re:Makes me wonder . . . by plover · · Score: 2, Insightful

    . . . why didn't this happen before? Did it happen before and just now somebody found out?
    Well, that's exactly the problem with undisclosed vulnerabilities. You never know if someone has used them before or not. At least publishing a vulnerability will make sure that if someone was exploiting it, they'll be out of business once it's patched.
    --
    John
  5. Story is inaccurate by FooHentai · · Score: 5, Insightful

    It's not really Windows Update that's being used in this exploit, it's the Background Intelligent Transfer Service which, in a nutshell, is a service that downloads data to your PC while minimising disruption to other network activity i.e. surfing the net, gaming, or downloading other files. It's a built-in feature of Windows XP but has only been implemented once or twice.

    Windows update makes use of the BITS service. Malware can make use of the BITS service. It's not logical to then say that Malware is exploiting Windows update. Any more than an attack that utilised Java would be exploiting Azureus (A java application).

    The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

    A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

    So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.

  6. Re:and yet... by drinkypoo · · Score: 4, Insightful

    How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Typical Microsoft response by J0nne · · Score: 2, Insightful

    However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

    Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to the attacker's repos.

    What do you want MS to do to stop this from being possible? If the user runs a random executable as root/admin that modifies the system, he's screwed on any OS. If the executable got onto the system through a security hole, that hole should be plugged.

    I don't like MS either, but cut them some slack here...
  8. Re:and yet... by ajs318 · · Score: 2, Insightful

    Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

    Oh, wait, that's bollocks. And so is your argument.

    --
    Je fume. Tu fumes. Nous fûmes!
  9. Re:Typical Microsoft response by Vancorps · · Score: 5, Insightful

    huh? I mean seriously, huh? What century are you in?

    On Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious and with Vista things are blatantly obvious when there is a system change as the Allow Cancel dialog pops up.

    Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.

    Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.

    I'm curious what you think Administrator can't do on a Windows system as well, perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware which also isn't a problem? Add in Powershell and I'm thoroughly confused as to what you think administrative users can't do.

  10. Re:Manual updates at risk? by Copperhamster · · Score: 2, Insightful

    BITS is just yet another way of delivering software to your machine. It's supposed to allow you to download stuff like updates without hogging all your bandwidth. Works well on cable/dsl. Dial up or ISDN, not so much. There are other companies that use BITS for various other applications, for example Sony OE uses it when they are rolling out a big big patch in SW: Galaxies to roll parts of it out early, in theory while you are playing without impacting your game. Again, on Dial up or ISDN that doesn't work so well, so they let you turn it off. Imho it was only a matter of time before BITS was hijacked for this purpose. I'm not saying I saw this coming, I really hadn't thought about it, but it's just another vector for malware to get to the internet and download software to your machine. A vector that is normally 'trusted'.

    Again, the kicker is that (as I understand things) there has to already be some program (malware) on your computer to request additional malware through BITS. That malware could conceivably be a Java or ActiveX program running in your browser, or something an exploit causes to be dropped and run. BITS is not an attack vector in and of itself at this time.

    I imagine Vista would probably pop up a confirmation window about allowing something access to BITS if you were running as a low-privilege user, but I'm not sure.
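FooHentai (comment 5) and Copperhamster (comment 10) both make the point that a job handed to BITS inherits whatever trust the firewall already extends to the service, so the defensive question becomes: what is sitting in the BITS queue right now, and for whom? The script below is an added example written for this page, not code from the thread or from Microsoft; it assumes the BitsTransfer PowerShell module's Get-BitsTransfer cmdlet, an elevated session (required for -AllUsers), and an illustrative allowlist of update hosts that you would replace with the hosts your environment actually expects.

```powershell
# Added example (not from the thread): list BITS jobs for every user and flag
# those whose remote URLs fall outside an allowlist of expected update hosts,
# or which carry a notification command line. Run from an elevated prompt.
Import-Module BitsTransfer

# Illustrative allowlist; substitute the hosts your own update tooling uses.
$AllowedHosts = @(
    'windowsupdate.com',
    'update.microsoft.com'
)

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith(".$a")) { return $true }
    }
    return $false
}

# -AllUsers returns jobs owned by every account, not only the caller's.
$jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop

foreach ($job in $jobs) {
    $flags = @()
    foreach ($f in $job.FileList) {
        if (-not (Test-AllowedHost $f.RemoteName)) {
            $flags += "remote host not in allowlist: $($f.RemoteName) -> $($f.LocalName)"
        }
    }
    # NotifyCmdLine makes BITS launch a program when the job finishes;
    # update clients rarely need it, so any value deserves a look.
    if ($job.NotifyCmdLine) {
        $flags += "notify command set: $($job.NotifyCmdLine -join ' ')"
    }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            JobId    = $job.JobId
            Name     = $job.DisplayName
            Owner    = $job.OwnerAccount
            State    = $job.JobState
            Findings = ($flags -join '; ')
        }
    }
}
```

Jobs created on behalf of a low-privilege user still show up here, which is exactly the case Copperhamster wonders about: the queue, not the firewall prompt, is where such a download becomes visible.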

  11. Yes, you can. by DrYak · · Score: 2, Insightful

    if you have malware installed on your computer with administrator privileges [...] You can't trust your OS installation at all.
    No, I don't agree.
    No matter what, buggy drivers, compromised machine, spilled coffee, you can always count on your trustworthy old friend, mister Blue-Screen©® !

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  12. Re:Typical Microsoft response by Tridus · · Score: 2, Insightful

    You can set up a million hoops, clueless users who want to have flashing emoticons in their email (or whatever the current scams are) will still go through them.

    There is no way to program around users that blindly say yes to every prompt. There is however a way to create users who blindly say yes to every prompt, and that is throwing a million prompts at them every time they want to update their video card driver.

    --
    "So they told me that using the download page to download something was not something they anticipated." - Bill Gates