Slashdot Mirror


Malware Hijacks Windows Update

clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls, allowing it to install malicious code on users' PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."

41 of 209 comments

  1. Maybe we should call it... by Cytlid · Score: 5, Funny

    ...son of a BITS.

    --
    FLR
  2. Typical Microsoft response by Black Parrot · Score: 5, Funny
    From TFA:

    However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered. That makes me feel so much safer.

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Typical Microsoft response by Silver Sloth · Score: 4, Informative

      Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

      However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!

      --
      init 11 - for when you need that edge.
    2. Re:Typical Microsoft response by SparkyFlooner · Score: 4, Funny

      ..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

    3. Re:Typical Microsoft response by gazbo · Score: 3, Insightful
      It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

      When will Microsoft patch these vulnerabilities?!

    4. Re:Typical Microsoft response by MillionthMonkey · Score: 4, Insightful

      No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

      Not that it would matter - I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage, which I think fits the definition of a Trojan.

    5. Re:Typical Microsoft response by J0nne · Score: 2, Insightful

      However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

      Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to the attacker's repos.

      What do you want MS to do to stop this from being possible? If the user runs a random executable as root/admin that modifies the system, he's screwed on any OS. If the executable got onto the system through a security hole, that hole should be plugged.

      I don't like MS either, but cut them some slack here...
    6. Re:Typical Microsoft response by Ravnen · Score: 3, Interesting

      I think the issue is that this can help malware to hide itself on a machine it's already infected, by using this BITS service to silently bypass policy settings. BITS itself runs with 'SYSTEM' privileges (the closest thing to 'root' there is on Windows), but I can't tell from the article if malware run by a normal user can hijack BITS, or if it has to be run by an administrator. In the first case, I'd consider it a security vulnerability, but not in the second.

    7. Re:Typical Microsoft response by HTH NE1 · Score: 2, Funny

      "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future." They call it ConunDRM.
      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    8. Re:Typical Microsoft response by Vancorps · Score: 5, Insightful

      huh? I mean seriously, huh? What century are you in?

      On Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious and with Vista things are blatantly obvious when there is a system change as the Allow/Cancel dialog pops up.

      Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence? You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system, but despite that they make it work for the vast majority of users out there.

      Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.

      I'm curious what you think Administrator can't do on a Windows system as well; perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware, which also isn't a problem? Add in PowerShell and I'm thoroughly confused as to what you think administrative users can't do.

    9. Re:Typical Microsoft response by Tridus · Score: 2, Insightful

      You can set up a million hoops, clueless users who want to have flashing emoticons in their email (or whatever the current scams are) will still go through them.

      There is no way to program around users that blindly say yes to every prompt. There is however a way to create users who blindly say yes to every prompt, and that is throwing a million prompts at them every time they want to update their video card driver.

      --
      "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    10. Re:Typical Microsoft response by Anonymous Coward · Score: 3, Funny

      Would you like to hijack BITS? Cancel or Allow?

  3. Your machine has just been updated by liledevil · Score: 5, Funny

    14 new viruses have just been installed
    please restart your machine to become a zombie

    1. Re:Your machine has just been updated by thestudio_bob · Score: 4, Funny

      14 new viruses have just been installed
      please restart your machine to become a zombie

      Accept or Deny?

      This will never get old...

      --
      The real Sig captains the Northwestern. This one captains /.
  4. Not one of the better MS Patents... by ITMagic · Score: 4, Funny

    Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?

  5. Correct link by Random Walk · Score: 5, Informative
  6. Makes perfect sense by Megaweapon · Score: 3, Insightful

    With a lot of people doing auto-updates, might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often than their virus scanners anyway.

    --
    I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
    1. Re:Makes perfect sense by zero_offset · Score: 4, Informative

      RTFA, the summary is incorrect. It doesn't exploit Windows Update.

      --
      Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005

  7. Security quiz linked from TFA by AmIAnAi · Score: 5, Funny
    Linked off TFA is a quiz checking readers' knowledge of computer security issues. I just love the first answer for question 10:

    What is a DDoS attack?

    A: Guerrilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

    That's one botnet I'd happily join
    --
    Any sufficiently advanced bug is indistinguishable from a feature.
  8. Windows is safe! by Anonymous Coward · Score: 5, Funny

    Hi,
    I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.

    I just talked with my friends at Microsoft and they told me that

    "Windows is safe!"

    and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.

    Maybe from above like the Lord does.

    I'd rather go to church and pray to the Lord for fewer terrorists than be part of this smear campaign against the blessed world leader of IT.

    Bill and Melinda think of the children. Do YOU?

    1. Re: Windows is safe! by Anonymous Coward · Score: 2, Funny

      Well, He might be omnipotent enough to create logical fallacies and Creationists, but that doesn't mean He's powerful enough to fix Windows.

  9. A little overstated by 140Mandak262Jamuna · Score: 3, Informative

    Yes, it makes life a little easy for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff into the computer? Once the machine is compromised, it can use even ftp to download stuff. Don't blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  10. WGA by Anonymous Coward · Score: 3, Funny

    The good news is that it only installs the malware if you're running Genuine windows.

  11. click here by gEvil (beta) · Score: 3, Funny

    Is your Windows Update not infected yet? Click here to infect it!

    --
    This guy's the limit!
  12. Let me be the first to say... by SadGeekHermit · Score: 5, Funny

    If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

    Me, I'm relaxed and enjoying a soda.

    --
    NO CARRIER
  13. Overblown by MrNonchalant · Score: 4, Informative

    It should be pointed out that malicious code needs to already be running on the host machine to use this.

  14. Can you safely disable BITS? by guanxi · Score: 3, Interesting
    I've considered disabling the BITS service before (i.e., via services.msc), especially since I usually run Windows Update manually. But I read hints that it may break other applications, including from Microsoft's documentation:

    You should not set the Startup Type to Disabled. Disabling BITS may break applications, such as Windows Update, that rely on BITS to transfer files.

    However, I've never found anything more specific -- does anyone know the consequences of disabling BITS?
  15. Nice work! A program to infect an already ... by figleaf · Score: 2, Funny

    ...infected machine!! Man who knew that would be even possible?

  16. Re:Makes me wonder . . . by plover · Score: 2, Insightful

    . . . why didn't this happen before? Did it happen before and just now somebody found out?
    Well, that's exactly the problem with undisclosed vulnerabilities. You never know if someone has used them before or not. At least publishing a vulnerability will make sure that if someone was exploiting it, they'll be out of business once it's patched.
    --
    John
  17. Microsoft Makes a Buck, However by VE3OGG · Score: 5, Funny

    Dear Sirs,

    Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, including patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).

    Thank You

    Kindly,

    The MS Legal Eagles

  18. Story is inaccurate by FooHentai · Score: 5, Insightful

    It's not really Windows Update that's being used in this exploit, it's the Background Intelligent Transfer Service which, in a nutshell, is a service that downloads data to your PC while minimising disruption to other network activity, i.e. surfing the net, gaming, or downloading other files. It's a built-in feature of Windows XP but has only been implemented once or twice.

    Windows Update makes use of the BITS service. Malware can make use of the BITS service. It's not logical to then say that malware is exploiting Windows Update. Any more than an attack that utilised Java would be exploiting Azureus (a Java application).

    The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

    A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

    So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.

  19. Re:and yet... by drinkypoo · Score: 4, Insightful

    How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  20. I've always been curious... by Belial6 · Score: 2, Interesting

    I've always been curious (not enough to do the research I guess) what kind of security Windows Update does to prevent someone from using control of DNS and/or routers to get Windows Update to install malware. Given that people often use DNS and routers that they cannot really trust, is there something that prevents a bad guy from just redirecting all traffic that is attempting to hit MS's update site to their own server that is set up to look like it is MS's update site? Given how many people have their laptops set up to do automatic updates, I would think that it would be easy to just take a laptop to a coffee shop, and watch as other patrons 'update' from your access point.
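    The post above asks what stops a redirected update server from feeding a machine a hostile package. The thread does not describe Windows Update's own verification, so the script below, which is an added example and not code from Slashdot, the BBC or Microsoft, shows the generic check a defender can run on any downloaded package regardless of where DNS sent the request: the file's Authenticode signature. `Get-AuthenticodeSignature` is a real cmdlet; the file path and the expected publisher subject are placeholders you supply.

```powershell
# Added example: verify that a downloaded package carries a valid embedded
# Authenticode signature from the publisher you expect, so that a spoofed
# download host cannot substitute its own file without failing this check.

function Test-PackageSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject field.
        # Placeholder: set this to the publisher you actually expect.
        [string] $ExpectedSubject = 'CN=EXPECTED-PUBLISHER-PLACEHOLDER'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [PSCustomObject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the signature verifies and chains to a
    # trusted root. 'NotSigned', 'HashMismatch' and 'UnknownError' all fail.
    if ($sig.Status -ne 'Valid') {
        return [PSCustomObject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still the wrong file.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "*$ExpectedSubject*") {
        return [PSCustomObject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    return [PSCustomObject]@{
        Path       = $Path
        Trusted    = $true
        Reason     = 'valid signature from expected publisher'
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Timestamp  = $sig.TimeStamperCertificate.Subject
    }
}

# Usage (placeholder path): a file you just downloaded should come back Trusted = $true
# before anything installs it.
Test-PackageSignature -Path 'C:\Temp\downloaded-package-PLACEHOLDER.exe' | Format-List
```

    One caveat worth knowing: files that are catalog-signed rather than carrying an embedded signature report `NotSigned` here even when they are legitimate, so a `NotSigned` result means "could not verify", not necessarily "tampered"; treat it as a reason to stop and check through another channel, not as proof either way.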

  21. Completely misleading by cooldev · Score: 5, Informative

    BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwidth. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708.aspx, and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

    Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

    Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

    Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not Hijacking Windows Update. They're using a generic well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.
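    Several posts in this thread make the same defender-relevant point: BITS is a documented service with a public API, so a job created through it is visible to anyone who looks, and the useful response is to audit BITS jobs rather than to blame Windows Update. The script below is an added example, not code from the thread or from Microsoft. It uses the real `BitsTransfer` module (`Get-BitsTransfer -AllUsers`, which needs an elevated session), `Get-WinEvent` against the BITS client operational log, and `Get-Service`; the allowlist of host suffixes is an illustrative assumption you replace with the hosts your environment expects. It also answers the earlier question about disabling the service by listing what depends on BITS on the local machine instead of guessing.

```powershell
# Added example: audit BITS on a Windows host from a defender's point of view.
# 1. List every BITS job for every user and flag remote URLs outside an allowlist.
# 2. Pull recent "job started transferring" events from the BITS operational log.
# 3. Show the service's startup type and which services depend on it.
Import-Module BitsTransfer

# Assumption: hosts legitimate BITS traffic on this machine is expected to use.
# Edit for your environment; anything else is flagged for review, not blocked.
$AllowedHostSuffixes = @('windowsupdate.com', 'update.microsoft.com', 'download.microsoft.com')

function Test-AllowedHost {
    param([string] $Url)
    try { $uri = [System.Uri] $Url } catch { return $false }   # unparsable URL: not allowed
    foreach ($suffix in $AllowedHostSuffixes) {
        if ($uri.Host -eq $suffix -or $uri.Host.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-BitsJobReport {
    # -AllUsers includes jobs owned by SYSTEM and other accounts, which is where
    # a job created by a service or scheduled task would show up.
    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        foreach ($file in $job.FileList) {
            [PSCustomObject]@{
                Flag       = if (Test-AllowedHost $file.RemoteName) { 'ok' } else { 'REVIEW' }
                Owner      = $job.OwnerAccount
                JobName    = $job.DisplayName
                State      = $job.JobState
                Created    = $job.CreationTime
                RemoteName = $file.RemoteName
                LocalName  = $file.LocalName
            }
        }
    }
}

function Get-RecentBitsTransfers {
    param([int] $Hours = 24)
    # Event ID 59 in this log records a job starting to transfer and names the URL;
    # the ID is from the author's reading of the log, so confirm it on your build.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-BitsServiceState {
    # What would break if BITS were disabled: the services that declare a dependency on it.
    [PSCustomObject]@{
        Service    = 'BITS'
        Status     = (Get-Service -Name BITS).Status
        StartType  = (Get-Service -Name BITS).StartType
        Dependents = (Get-Service -Name BITS -DependentServices | Select-Object -ExpandProperty Name) -join ', '
    }
}

# Usage: run in an elevated PowerShell session.
Get-BitsJobReport | Sort-Object Flag -Descending | Format-Table -AutoSize
Get-RecentBitsTransfers | Format-List
Get-BitsServiceState | Format-List
```

    Flagged rows are a starting point, not a verdict: a job owned by an unexpected account, pointing at a host you do not recognise and writing into a user-writable directory is the combination worth pulling the local file and the owning process for. Note that the dependency list only covers services that declare BITS as a dependency; applications that create BITS jobs on demand, like the download helpers mentioned above, will simply fail at transfer time if the service is disabled.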

  22. Re:and yet... by ajs318 · Score: 2, Insightful

    Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

    Oh, wait, that's bollocks. And so is your argument.

    --
    Je fume. Tu fumes. Nous fûmes!
  23. Re:but does it support Vista? by jackharrer · Score: 5, Funny

    But does it run on Linux???

    --
    "an experienced, industrious, ambitious, and often, quite often, picturesque liar" - Mark Twain
  24. Snort by anss123 · Score: 2, Interesting

    I'm sitting here on Windows chuckling over so-called geeks that don't understand the issue at hand. If a computer is compromised, then the software firewall can be disabled. The BITS stream that comes out of the comp can be emulated by software on Linux and Mac OS, to the same effect as Windows.

    The "news" here is that there is software capable of doing this, not that it can't be done. True, BITS is a protocol created to work around firewalls, but it is hardly the only protocol engineered to do that.

    Oh, and Macs suck because they crash all the time. *ducks*

  25. More Symantec Baloney by ThinkFr33ly · Score: 2

    Singling out "BITS" is stupid. The exact same thing can be done with virtually any service or application that is allowed to pass through the local outgoing software firewall. As long as the software has some kind of programmatic interface, it can easily be used to bypass these firewalls.

    I wrote a proof of concept application that bypassed all of the major outgoing software firewalls (BlackIce, Zonealarm, McAfee, Symantec) by utilizing the COM interfaces for Internet Explorer and funneling all my requests through it. This is almost impossible to detect. Even better, I wrote this app in freakin' VB!

    The real problem is that local outgoing software firewalls simply don't work in an environment where all the users are admin. Once the machine is compromised, it's compromised. No number of software defenses are going to help. This includes, by the way, Symantec's expensive and incredibly crappy products. These products are there to make users feel secure, not actually make them secure.

    Remember WordMasters from grade school? You know, the analogy test they used to give every once in a while. Here is an analogy for you:

    Symantec is to computer security as the Bush Administration is to homeland security.

    They do their best to scare the crap out of people in an attempt to get them to buy their software... or vote for their party. Don't trust either of them and you'll be better off.

  26. Re:Manual updates at risk? by Copperhamster · Score: 2, Insightful

    BITS is just yet another way of delivering software to your machine. It's supposed to allow you to download stuff like updates without hogging all your bandwidth. Works well on cable/dsl. Dial up or ISDN, not so much. There are other companies that use BITS for various other applications, for example Sony OE uses it when they are rolling out a big big patch in SW: Galaxies to roll parts of it out early, in theory while you are playing without impacting your game. Again, on Dial up or ISDN that doesn't work so well, so they let you turn it off. Imho it was only a matter of time before BITS was hijacked for this purpose. I'm not saying I saw this coming, I really hadn't thought about it, but it's just another vector for malware to get to the internet and download software to your machine. A vector that is normally 'trusted'.

    Again, the kicker is that (as I understand things) there has to already be some program (malware) on your computer to request additional malware through BITS. That malware could conceivably be a Java or ActiveX program running in your browser, or something an exploit causes to be dropped and run. BITS is not an attack vector in and of itself at this time.

    I imagine Vista would probably pop up a confirmation window about allowing something access to BITS if you were running as a low-privilege user, but I'm not sure.

  27. Yes, you can. by DrYak · Score: 2, Insightful

    if you have malware installed on your computer with administrator privileges [...] You can't trust your OS installation at all.

    No, I don't agree.
    No matter what, buggy drivers, compromised machine, spilled coffee, you can always count on your trustworthy old friend, mister Blue-Screen©® !

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  28. It should be possible to delete your own posts by anss123 · Score: 2

    It should be possible to delete your own posts, or at least moderate them down. I apologize for losing my cool.

    I just wanted to say it amuses me when people get emotional over operating systems. This is true for both Windows and non-Windows users alike; I recall several Winlots being on cloud 9 when that Mac scripting error deleted a bunch of files.

    I'm probably also guilty of being amused by others misery at one time or another.