Malware Hijacks Windows Update
clickclickdrone writes "The BBC are reporting a new piece of malware is in the wild that can hijack Windows Update's functionality and bypass firewalls, allowing it to install malicious code on users' PCs. The new code was discovered by Frank Boldewin in an email. The attack utilizes the BITS system."
...son of a BITS.
FLR
Sheesh, evil *and* a jerk. -- Jade
14 new viruses have just been installed
please restart your machine to become a zombie
Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?
Frank Boldewin's site is http://www.reconstructer.org/, not http://www.reconstruction.org/.
What is a DDoS attack?
A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux
That's one botnet I'd happily join
Any sufficiently advanced bug is indistinguishable from a feature.
Hi,
I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.
I just talked with my friends at Microsoft and they told me that
"Windows is safe!"
and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.
Maybe from above like the Lord does.
I'd rather go to church and pray to the Lord for fewer terrorists than be part of this smear campaign against the blessed world leader of IT.
Bill and Melinda think of the children. Do YOU?
If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.
Me, I'm relaxed and enjoying a soda.
NO CARRIER
It should be pointed out that malicious code needs to already be running on the host machine to use this.
Dear Sirs,
Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, including patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).
Thank You
Kindly,
The MS Legal Eagles
It's not really Windows Update that's being used in this exploit, it's the Background Intelligent Transfer Service which, in a nutshell, is a service that downloads data to your PC while minimising disruption to other network activity, i.e. surfing the net, gaming, or downloading other files. It's a built-in feature of Windows XP but has only been implemented once or twice.
Windows Update makes use of the BITS service. Malware can make use of the BITS service. It's not logical to then say that malware is exploiting Windows Update. Any more than an attack that utilised Java would be exploiting Azureus (a Java application).
The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.
A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.
So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.
How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwidth. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708.aspx, and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.
Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?
Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.
Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not hijacking Windows Update. They're using a generic, well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.
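The two posts above make the same defender-relevant point: a per-application firewall has already trusted the BITS service, so the thing to watch is the BITS job queue itself rather than the process that created a job. As an added example (not code from the thread, any poster, or Microsoft), here is a PowerShell audit script using the BitsTransfer module that ships with Windows 7 and later (on the XP-era systems the thread discusses, `bitsadmin /list /allusers /verbose` gives the same queue listing). It enumerates every job on the machine and emits a triage row for each download whose remote host is not on an allowlist or whose destination is outside the Windows Update download cache. The allowlist of update hosts and the cache path check are assumptions for illustration; adjust them to what your environment actually uses.

```powershell
# Added example, not from the thread: audit the BITS job queue for downloads
# that do not look like Windows Update traffic. Run from an elevated session,
# because -AllUsers only shows other accounts' jobs to an administrator.
Import-Module BitsTransfer

# Constructed placeholder allowlist of hosts that legitimate update traffic
# is expected to use. Replace with the hosts your environment trusts.
$ExpectedHostSuffixes = @(
    'windowsupdate.com',
    'update.microsoft.com',
    'download.microsoft.com'
)

function Test-ExpectedHost {
    param([string]$HostName)
    foreach ($suffix in $ExpectedHostSuffixes) {
        if ($HostName -eq $suffix -or $HostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # Get-BitsTransfer -AllUsers enumerates every queued job on the machine,
    # not only the calling user's. Each job carries a FileList of
    # RemoteName/LocalName pairs, which is where the interesting data lives.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            # BITS accepts http(s) and UNC sources; both parse as System.Uri.
            $uri = $null
            try { $uri = [System.Uri]$file.RemoteName } catch { }
            $remoteHost = if ($uri) { $uri.Host } else { '<unparseable>' }

            $unexpectedHost = -not (Test-ExpectedHost $remoteHost)
            # Windows Update stages its downloads under SoftwareDistribution;
            # a job writing elsewhere is not necessarily bad (other software
            # uses BITS too) but deserves a reviewer's eye.
            $oddTarget = $file.LocalName -notmatch '\\SoftwareDistribution\\'

            if ($unexpectedHost -or $oddTarget) {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    DisplayName = $job.DisplayName
                    Owner       = $job.OwnerAccount
                    State       = $job.JobState
                    Created     = $job.CreationTime
                    RemoteHost  = $remoteHost
                    RemoteName  = $file.RemoteName
                    LocalName   = $file.LocalName
                    Reason      = @(
                        if ($unexpectedHost) { 'remote host not in allowlist' }
                        if ($oddTarget)      { 'local path outside update cache' }
                    ) -join '; '
                }
            }
        }
    }
}

# Usage: print the triage list; pipe to Export-Csv to keep a record.
Get-SuspiciousBitsJob | Format-Table -AutoSize
```

The output is a review list, not a verdict: the thread itself notes that download managers and other legitimate software use BITS, so expect benign rows. What makes the listing useful is exactly the property the posters describe: the job record shows the owner account and the destination file regardless of which process asked BITS to fetch it, which is the visibility a per-process firewall prompt does not give you once BITS has been allowed through.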
RTFA, the summary is incorrect. It doesn't exploit Windows Update.
Slashdot quality declines as the number of hot grits posts decreases. - Provolt's Law, Apr-09-2005
But does it run on Linux???
"an experienced, industrious, ambitious, and often, quite often, picturesque liar" - Mark Twain