Slashdot Mirror

← Back to Stories (view on slashdot.org)

Manipulating Microsoft WSUS To Attack Enterprises

Posted by Soulskill on from the sweet-wsus dept.

msm1267 writes: Microsoft's enterprise-grade Windows Server Update Services (WSUS), used to download and distribute security and driver updates, poses a significant weak spot if not configured properly. Researchers Paul Stone and Alex Chapman during last week's Black Hat conference presented research (PDF) on the the WSUS attack surface and discovered that when a WSUS server contacts Microsoft for driver updates, it does so using XML SOAP web services, and those checks are not made over SSL.

While updates are signed by Microsoft and updates must be verified by Microsoft, Stone and Chapman discovered that an attacker already in a man-in-the-middle position on a corporate network, for example, could, with some work, tamper with the unencrypted communication and inject a malicious homegrown update.

60 comments

  1. More proof... by TWX · · Score: 2, Interesting

    ...that features will trump security every time.

    I think that it's getting to be time to regulate software companies, especially for-profit companies. Their products are defective and they should be forced to correct those defects. And by correct, I don't mean sell you the newer version of their product. I mean doing real, thorough security analysis before shipping, and supporting previous versions for a long time.

    Microsoft actually isn't as bad as they used to be but they still have too many post-ship bugs. I don't care how big the project is, there are still too many bugs. Google is who I'm now starting to wonder about, with all of these unpatchable cell phones because they don't want to support Android 2.3 or 4.1 even though the devices with these versions can't run anything newer.

    And then there are the embedded systems, like cars...

    --
    Do not look into laser with remaining eye.
    1. Re:More proof... by cdrudge · · Score: 3, Informative

      ...that features will trump security every time.

      Is it any different then say apt-get using unsecured http or ftp connections?

      Their products are defective and they should be forced to correct those defects. And by correct, I don't mean sell you the newer version of their product. I mean doing real, thorough security analysis before shipping, and supporting previous versions for a long time.

      Then you'd never get your product and/or it would be so ridiculously expensive that you couldn't afford it. EVERY major piece of software has bugs. It's a fact of life. Even the Space Shuttle where billions of dollars and decades of time were spent perfecting things still had a few bugs over it's life.

      And how long is "a long time"? Windows 7 will be supported for 11 years, until 2020. XP was released in 2001 and just ended support last year after it was supported for 13 years. The Linux 2.4 branch was released in 2001 and was maintained until 2011. Where's the outrage that it's not still being maintained and supported?

      Google is who I'm now starting to wonder about, with all of these unpatchable cell phones because they don't want to support Android 2.3 or 4.1 even though the devices with these versions can't run anything newer.

      Don't blame Google on that. Google continuously updates their software releasing fixes. It's the manufacturers and carriers that refuse to support/update them. It would be like yelling at Linus et al for a kernel bug that Debian or Redhat drags their feet to incorporate into their distributions.

    2. Re:More proof... by 0123456 · · Score: 2

      Is it any different then say apt-get using unsecured http or ftp connections?

      Yes. Apt doesn't run executables, it extracts .deb files that are signed by the distro key. The worst you could do would be to give the machine a different .deb file to the one it requested, which is potentially problematic (e.g. send an old version that has known security holes), but nowhere near as risky.

      This attack will apparently run any Microsoft-signed executable with any command-line arguments. That's just hilarious.

    3. Re:More proof... by Anonymous Coward · · Score: 0

      Is it any different then say apt-get using unsecured http or ftp connections?
      Yes it is. Ubuntu and Debian (and I think all modern Linux distributions) sign their code with a key, so the underlying transport mechanism doesn't matter as much.

    4. Re: More proof... by Anonymous Coward · · Score: 0

      The difference with APT is that this is closed source crap so even if you would like to fix it yourself you couldn't. But since you WANT to run closed souce crap you deserve to get hacked. It's as simple as that.

    5. Re:More proof... by cdrudge · · Score: 1

      apt can run an post install script can't it? If someone inserted themselves as a MITM then could execute a malicious script as part of you installing an update.

    6. Re:More proof... by Anonymous Coward · · Score: 1

      the scripts are in the deb so the signature also prevent that

    7. Re:More proof... by DNS-and-BIND · · Score: 2
      The cure is worse than the disease. It's worrisome how often leftists decry coercion and tyranny, but happily switch sides and say "they should be forced to" at the drop of a hat. You're comparing some defect-free utopia that exists only in your imagination to the brutal reality of software development. If only more government power could be utilized, we could just FORCE them to comply! That works every time. Yup, concentrating more power in the government has a great record historically and hardly ever leads to negative outcomes.

      PS stop starting your comments in the Subject: line, that's for the subject of your message. Write your comment in the Comment: box. It's disruptive and impedes the flow of a message.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    8. Re:More proof... by Krojack · · Score: 1

      Google is who I'm now starting to wonder about, with all of these unpatchable cell phones because they don't want to support Android 2.3 or 4.1 even though the devices with these versions can't run anything newer.

      Should Ford also be required to make parts for the Model A? At some point a company has to stop supporting old outdated products. For Google, once devices are no longer sold with X version of Android then they should set a date that they will stop support for it. Until then they can just apply security patches. That doesn't mean the device manufacture will update THEIR modified version of android and push it out to the devices though.

      I do believe that device manufactures/carriers should be required to push out android updates within a set amount of days after Google has applied a security patch. Say 30 days. If someone falls victim to an exploit (such as the SMS/MMS one) that was fixed months ago but your device manufacture didn't push out a patch, you should be able to hold them responsible.

    9. Re:More proof... by 0123456 · · Score: 2

      the scripts are in the deb so the signature also prevent that

      Yes, exactly.

      This hole is a consequence of using random executables as installers, rather than a special installer file type.

    10. Re:More proof... by TWX · · Score: 1

      Ford doesn't make parts for the Model A, but the aftermarket still does. Also, a Ford Model A is a tangible thing. It's something that the average person with a socket set, ratchet, and some end wrenches could work on.

      MS-DOS is the Model A of personal computers. There was a whole lot of aftermarket support for DOS operating systems for many years after Microsoft itself stopped contributing to DOS. Additionally there was very little in MS-DOS itself that was broken, at least from an outside-attack perspective, as it lacked the features that are exploited in Windows.

      --
      Do not look into laser with remaining eye.
    11. Re:More proof... by lazarusdishwasher · · Score: 1

      Should Ford also be required to make parts for the Model A? At some point a company has to stop supporting old outdated products.

      There are parts suppliers other than the OEM. Part of the problem with software is the length of copyright, and the fact that some may claim distributing a patch would be copyright infringement.

      Instead of mandating a fixed time frame that support must be provided, would it make any sense to tie continued copyright protection with continued support? That would allow the manufacturer to determine how long they wish to provide support, and also allow interested third parties fill the void later.

    12. Re:More proof... by Anonymous Coward · · Score: 0

      wtf? I guess you haven't noticed that apt, rpm and yum use signed packages yet get delivered over plain old HTTP - except for purchased APT content on Ubuntu, it seems, which comes in over SSL because of the user credentials passed through from the sources.list.d files.

    13. Re:More proof... by Bengie · · Score: 1

      Yeah, the government shouldn't force anyone to do anything, but there is some truth to the notion of better support. I'm not going to use Microsoft because they're "decent", but I will use cheap firewall/router appliances. We need lemon laws. If something remains unsecure with known attacks for X amount of time and you've purchased it in the last 5 years, you should be able to return for a full refund, free S&H.

    14. Re:More proof... by KGIII · · Score: 1

      That might actually work in the state that I currently reside in. Maine has an Implied Merchantability Act that actually warranties things for a "reasonable length of time." This exceeds any manufacturer's warranties. Not many people know about it and fewer act on it. I know of no instance where this has been tried but, I suspect, it would be a reasonable case and would be heard and judged on its own merits. Few items have a defined implied merchantability length and most are subject to a judge's or jury's interpretation of "reasonable."

      The law:
      http://legislature.maine.gov/s...

      A very VERY good PDF that has a lot more information including citations:
      http://www.maine.gov/ag/dynld/... (Again, PDF warning.)

      I have lived in a number of states that had such laws but I do not recall anyone I know using one in court. I have linked to the law and PDF in the past and had my money refunded when I got an inferior product that lacked quality. They did not want to refund my payment and it took linking them to the PDF and law to get them to act on it. I have only needed to do so once and it did not go to court.

      --
      "So long and thanks for all the fish."
    15. Re:More proof... by Anonymous Coward · · Score: 0

      Who is going to regulate?

      http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

      http://mashable.com/2014/06/05/edward-snowden-revelations/

      "1. Secret court orders allow NSA to sweep up Americans' phone records

      The very first story revealed that Verizon had been providing the NSA with virtually all of its customers' phone records. It soon was revealed that it wasn't just Verizon, but virtually every other telephone company in America. "

      Can you hear me now?

      distrowatch.com
      http://tech.slashdot.org/comments.pl?sid=7814945&cid=50277265

    16. Re:More proof... by KGIII · · Score: 1

      Wait, what? You can (notice I did not say had to) purchase content from Ubuntu for downloading via apt? That is, umm... Different? I'd expect something like that at RedHat but, Ubunto? How odd... When did they start this?

      Note: I do not use Ubunto but I do use a fork that still uses plenty of Ubunto packages. I use Linux for Retards (Mint - cinnamon) and I like it because I do not have to screw with much to get it working. It has some bugs... I can deal with that. I can not set my wallpaper on this specific computer but I seldom see my wallpaper anyhow. I also can not add crap to the system tray - I was not really needing that anyhow.

      But, seriously... That is kind of cheesy to be offering it through apt. It is not "wrong," I suppose. I would not call it right, either. I would call it cheesy. I am not sure how I would change it, mind you, but I am sure I'd not advocate it.

      --
      "So long and thanks for all the fish."
    17. Re:More proof... by CoderJoe · · Score: 1

      Is it any different then say apt-get using unsecured http or ftp connections?

      In addition to the package .deb files being signed, the official package repositories have signed package indexes. I suppose one could just serve up a modified index without a signature, but apt might warn or error on that. (I haven't checked this part)

    18. Re:More proof... by Skuld-Chan · · Score: 1

      This article is honestly a lot of fud - it relies on lazy Windows admins (and yes I admit there are far more of them around than lazy unix/linux admins).

      Look at the attack vector - you can't just change where Windows checks for updates without local admin, or modifying the policy for the domain the machine is bound to - and you can't update the cert store for the same reasons. Yes privilege escalation attacks exist, but if someone has local admin on your windows box - why bother hacking the windows update service? Mitm attack would have to either exploit some bug in windows certificate trust, or have local admin on the box - and if you have local admin why bother hacking windows update.

      And then mitm'ing the sync between WSUS and Microsoft - say you did leave in insecure - and do you download hackyourshit.exe, but its not signed by a root ca your clients recognize - the actual endpoints still won't install it - even if it did come from your update server. WSUS won't deploy non-ms signed updates out of the box fwiw. SUP (System Center's Software Update Point) will, but only if they are signed by a trusted root ca and the vendor is configured on the trusted list on the site server itself.

      These guys might as well have written an article about hacking the SCCM Management Point and injecting rogue policies into its clients - its about as feasible tbh (ie not really).

    19. Re:More proof... by Anonymous Coward · · Score: 0

      As i understood it, you can intercept the unencrypted communication between wsus and microsoft, and then instruct it to download and run any microsoft signed executable with any command line arguments you wish...

      There are plenty of existing microsoft signed executables out there which can be made to do malicious things given the right arguments... You could just feed it a copy of cmd.exe and tell it to execute whatever you want.

    20. Re:More proof... by antdude · · Score: 1

      This is why I never get the (lat/new)est stuff right away! I still use old stuff like Debian oldstable, unsupported Windows XP Pro SP3, Mac OS X v10.8.5, etc. because they all still work fine. I'll upgrade when I'm ready and forced.

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    21. Re:More proof... by Krojack · · Score: 1

      The same can be done by hobbyist with versions of Android that Google no longer maintains. Download the source, apply updates and patches and send to a user to install.

    22. Re:More proof... by MoarSauce123 · · Score: 1

      I agree to some extent, but from my experience it is customers who have ZERO upfront interest in security and quality and ABSOLUTELY NO interest in paying for it. Working in the software industry for 20 years now I am still baffled that in all the projects and sales I ever was involved only once a customer asked to see the test plans and test results. Customers should ask for that each time they sign a contract to purchase software licenses. In return they need to sign an NDA. That disclosure should only be limited to functional tests, not any tests for the licensing engine or vendor-only configuration. As far as WSUS goes, it is the worst software Microsoft ever released. It is a pain to configure, a pain to use, it is dog slow, and most of the time it just does not work. We used it for a while to maintain 80 systems and then threw it away, it is much faster to download the small updates on each box and grab the big updates as redistributables.

    23. Re:More proof... by Skuld-Chan · · Score: 1

      To change the command line in a microsoft signed patch you'd have to edit the patch manifest file (big xml file with installable rules, installed detection rules, etc etc) - which would break the code signing cert on that package.

      Again - by default the windows client only installs MS Signed packages - you can set a policy to install packages signed by your own code signing cert, but that's not the default behavior (that action requires domain or local admin).

      To bypass that you'd have to exploit MS's "authenticode" checking system, or have the signing password/key for MS's code signing cert or your Enterprises code signing cert. If any one of those 3 things is a thing - you have more serious problems anyhow.

  2. Sounds like a feature by Anonymous Coward · · Score: 0

    Windows 10 already provides that service.

  3. If updates are signed... by sinij · · Score: 2

    Can someone please explain to me how are they managed to bypass signed update functionality? MitM will not give you magical powers to sign updates with MS key. As a result, the sig check would still fail when you attempt to install inserted update... So it either WSUS and signature check vulnerability, or not a big deal at all.

    ... and this is why friends shouldn't let friends implement systems with unsigned automatic updates.

    1. Re:If updates are signed... by DougOtto · · Score: 1

      Can someone please explain to me how are they managed to bypass signed update functionality?

      Not if you're too lazy to read the article.

      --
      Solving Unix problems since 1989...
    2. Re:If updates are signed... by Anonymous Coward · · Score: 0

      They were able to use ANY MS signed binary with arbitrary command arguments.

      IOW, RTFM

    3. Re:If updates are signed... by Anonymous Coward · · Score: 0

      Yes, I mean RTFA (Read the Fine article)

    4. Re:If updates are signed... by sinij · · Score: 4, Funny

      I choose to exercise my /. rights to never read TFA.

    5. Re:If updates are signed... by Qzukk · · Score: 1

      Didn't someone get a signing cert issued to them for Microsoft updates once? They could do that again.

      Personally, though, I suspect the real attack would be to block the update that fixes whatever the latest bug is by offering all the officially signed Microsoft updates except for the one the attacker intends to use to upgrade from owning your router to owning the rest of your computers.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    6. Re:If updates are signed... by Anonymous Coward · · Score: 1

      From the article:

      They turned to the Windows Sysinternals tool, specifically the remote command utility called PsExec which is signed by Microsoft.

      They were basically able to get any existing signed executable to run with arbitrary arguments as system. Since they were abusing the update system, they even could get the system to download PsExec.

    7. Re:If updates are signed... by mlts · · Score: 1

      At first, I was thinking it was along the lines of "create a root key, push the key out to all machines in the domain as a trusted item, use WSUS or SCCM to push out a package. However, this attack only requires control of the WSUS server.

      What is a workaround? Probably the usual common sense. Put WSUS on its own VM or machine, restrict RDP access into the box to a management network, enable Windows Firewall, have multiple WSUS machines [1] for separation, so one hacked box in receiving won't hose finance, and so on.

      Unlike SCCM/SCOM/SCVMM, the WSUS box tends to be something that is just left forgotten, oftentimes just set to "approve all", or just used to log in to release patches.

      [1]: Bonus points if the machines have backend LUNs that deduplicate so that all the files stashed on the multiple WSUS instances don't take up that much space.

    8. Re:If updates are signed... by operagost · · Score: 1

      FWIW, everything you listed is what PCI DSS requires except having separate machines (you can have just one machine as long as it doesn't serve two different scopes).

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    9. Re:If updates are signed... by FranTaylor · · Score: 1

      I suspect the real attack would be to block the update that fixes whatever the latest bug is

      Even better would be an attack that un-blocks a borked microsoft update and actually allows it to be installed, crashing the victim's systems.

    10. Re:If updates are signed... by Bacon+Bits · · Score: 1

      By tampering with the unencrypted update request, and modifying the WSUS server to serve malicious files.

      Change it from: "Hey, I'd like update CumulativeIEUpdate20150801.msu."

      To: "Hey, I'd like SilentBackdoorAndBitcoinMiner.txt"

      The compromised server says, "Sure, this uses CommandLineInstallation via the signed executable PsExec.exe."

      --
      The road to tyranny has always been paved with claims of necessity.
    11. Re:If updates are signed... by Anonymous Coward · · Score: 0

      They were basically able to get any existing signed executable to run with arbitrary arguments as system.

      Not quite correct. If you read the article what they're doing is this: Client updates through WSUS will work with any executable signed by Microsoft; the SysInternals tool, PsExec.exe, is signed by Microsoft; from the MiTM position they're faking a Windows Update by using PsExec.exe with parameters of their choice, thus having full control over the updating computer(s).

      At one point Microsoft starting supplying updates via signed .msu and .msi files instead of using signed .exe files. Beats me as to why they didn't totally switch over to that pattern.

    12. Re:If updates are signed... by Anonymous Coward · · Score: 0

      All of which does squat. The MiTM position is the plain old HTTP connection between the WSUS server and the Windows Update clients. If the WSUS server was provisioned with its own SSL certificate and the clients are configured to use HTTPS then the MiTM position disappears.

    13. Re:If updates are signed... by Anonymous Coward · · Score: 0

      Did not yet read the article, but I guess you will deliver a binary signed by microsoft. You can get many binaries signed by MS from a windows install. Many can do dangerous things.

    14. Re:If updates are signed... by KGIII · · Score: 1

      If you look at Microsoft's infrastructure and are honest about it - they keep that locked down pretty well and are surely subject to a whole bunch of attacks in myriad vectors. Yet you seldom hear about anything much happening at their end of things - the update servers never get hacked (I'd probably aim at those, personally), the ISOs never get corrupted on MSDN, nobody steals personal information, and nobody logs in and steals bunches of unknown MSDN or Technet keys.

      They do have a bunch of Linux facing servers but, really, they seem to mostly rely on their own products. Yet they seem to be pretty damned secure to an outsider. I have some experience in Redmond (I was an MVP for years and years) but not even we heard about a whole lot - not even really major leaks. The source code for 2k was partially available (fully?) at one point. Hell, you can join the Shared Source Initiative and access Windows' source files yourself. Yet, those never seem to make it into the wild.

      I am a member of a number of "underground" communities where exploits, kits, 0-days, source files, decompilers, etc are all for sale for a few bucks (even an ID is available at some of them). I never see anything targeted at Microsoft themselves. I mean, never... Someone would act and know if such were available. Microsoft is probably the largest target in the world - even a larger target then my own government. Yet, there they sit and they sit behind and using their own software.

      Sure, they have expertise but, still, it seems really odd that they have gone this long with no real loss of valuable data or, at least, infrequent lost data. I am sure they have scads of information like credit card transactions and personal details. Yet, they never end up with that being hacked and online in a database somewhere or available as a torrent.

      --
      "So long and thanks for all the fish."
    15. Re:If updates are signed... by KGIII · · Score: 1

      I am not sure if this helps:
      https://msdn.microsoft.com/en-...

      --
      "So long and thanks for all the fish."
    16. Re:If updates are signed... by Anonymous Coward · · Score: 0

      Exactly, classic metadata attack. Some of the Linux distros were vulnerable to this because they used signed packages (e.g. RPM) but not SSL protected update servers. So you couldn't force a good guy to install bad-guy-package because it wasn't signed, but you could make him install broken-good-guy-package and then stop accepting any further versions.

      RHEL was never vulnerable, because everything comes over SSL, but Fedora certainly was 10-15 years ago.

    17. Re:If updates are signed... by Anonymous Coward · · Score: 0

      This attack vector doesn't require that you break into MS servers.

  4. Not really a story. by Anonymous Coward · · Score: 2, Insightful

    If you already have someone with a MITM on your network, you've already been compromised. The sooner you know it, the better. This is kind of like those stories about some 'hack' someone found that requires keyboard access. If they have keyboard access, you're already sunk.

    1. Re: Not really a story. by sinij · · Score: 1

      If you're running windows, you're most likely compromised. Switch to Linux now.

      I did switch to Linux but for some reason I keep getting hacked. The last guy even patched it for me on the way out.

    2. Re:Not really a story. by Lumpy · · Score: 2

      Dont need to be ON your network, I just need to be somewhere between you and Microsoft. That gives me a LOT of locations to choose from. Hell some ISP's and backbone operators simply have small sheds out in rural areas that are easily broken into without setting off alarms. Or if you did set off the alarms you have plenty of time to install a small device to do your MITM for you and leave making it look like some kids got bored tipping cows.

      --
      Do not look at laser with remaining good eye.
    3. Re:Not really a story. by PRMan · · Score: 1

      Like the scary car hack last week that required physical access to the OBD2 port first.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    4. Re: Not really a story. by Anonymous Coward · · Score: 0

      That's not true. Linux is not hackable. ;)

  5. Re: Not really a story, well... by Anonymous Coward · · Score: 1

    Using a MITM to slip in a nastier set of stuff on the entire system is at least interesting, if not somewhat worrying.

  6. Re:Regulationï¼Y by Anonymous Coward · · Score: 0

    I'd feel sorry for anyone who actually believes any of the derp you just emitted. Too much wingnut fake-news, or was than an attempt at parody?

  7. Still by The-Ixian · · Score: 1

    It is one thing to inject the malicious update, but it would still need to be approved for install, correct?

    In our environment, I have multiple "rollout" groups which I release updates to over the course of the month.

    The first group is, obviously, a testing group. But even with that, I research each update before approval.

    Also, I have the automatically approve superseded updates and automatically update the WSUS server options turned off.

    It seems to me that these are the basic practices that any admin would use....

    --
    My eyes reflect the stars and a smile lights up my face.
  8. Signed XML by Anonymous Coward · · Score: 0

    I doubled you can modify those XMLs even if they are plain text, if they are properly signed.

    1. Re:Signed XML by Nkwe · · Score: 1

      SOAP also supports signing and encrypting within the SOAP payload. Just because the outer connection isn't over SSL doesn't necessarily mean the transmission is not secure. You do have to turn on the encryption within SOAP and you have to verify certificates... I don't know if WSUS does this or not.

  9. Re: Not really a story, well... by Anonymous Coward · · Score: 0

    Exactly, the MITM goes away after a brief window of exposure, in the worst case. What's left is only the payload.

  10. don't call it WUSS by Anonymous Coward · · Score: 0

    MS needs to come up with a better name than WUSS.

  11. Nessus already shows this by garlicbready · · Score: 1

    One of the things I've setup in the past
    is a server environment with PCI DSS compliance

    by default comms between internal servers and the wsus server are also not protected via ssl
    (since you'd need to install the certs for the wsus onto the client machines if it's self signed)

    one of the first things I turned on was SSL WSUS Support
    (along with SSL Active directory, and SSL everything else)

    If your doing your job properly when it comes to securing environments
    usually you'll install a piece of software like tripwire or NNT or Nessus
    part of which checks over all the settings, like group and local policy, with port scans
    to list all the crap to be turned off or changed (wsus ssl in the group policy was at the top of the list btw)

  12. That sucks by Anonymous Coward · · Score: 0

    Even when Windows is working correctly, it seems to screw things up.

  13. Yeah, not a major concern by bob8766 · · Score: 1

    Ok. So in order to make this work you'd need to have a WSUS server set up somewhere that has the malicious code and then change the client's update server setting. Since this is set by GPO it's going to be set back to the old value in a matter of minutes anyway if it's a corporate system.

    Assuming the client is able to grab it then unfortunately unless the update from that server is signed by Microsoft the client server will refuse to install it. Is there a way around this problem? Yep, it's simple! You just need to create your own packages on the malicious server and sign them with its own code-signing certificate, and then your malware has to distribute the certificate to each and every client's code signing and root certificate stores in addition to setting another registry key that tells it to trust non-Microsoft signed code.

    All of these settings which are settings normally controlled by GPOs in a corporate environment of course.

    So the system was completely compromised long before you could ever set this all up. Sure, you could use this to keep your non-corporate machine botnet updated but there are far easier ways to do it and without leaving a nice trail of bread crumbs for the FBI to follow.