Exploiting BITS To Compromise Windows Update
Attackers are getting malware onto systems while bypassing firewalls by using the same file transfer feature that Windows Update uses, Symantec researcher Elia Florio and researcher Frank Boldewin said on May 11, 2007, as reported by Computerworld.
That file transfer component is BITS (Background Intelligent Transfer Service). Microsoft introduced BITS in Windows XP and later included it in Windows Server 2003 and Windows Vista. BITS transfers files asynchronously in the background, automatically throttling its bandwidth so that downloads do not interfere with other network activity, and it resumes an interrupted transfer on its own once the connection is restored.
Because the service is a component of the operating system, the default Windows firewall lets BITS send and receive content over the Internet without raising any alarm. Most malware gets past firewall software either by getting the user to accept its traffic or by disabling the firewall program itself. Malware that downloads through BITS needs neither trick, since the transfer is performed by a trusted system service and generates no warning.
The researchers' report discusses sample code that drives the BITS service in this way, but the technique is not merely a proof of concept: malware such as the Win32/Jowspry Trojan has been seen using it.
Microsoft says TrojanDownloader:Win32/Jowspry bypasses the firewall in exactly this way. Social engineering entices the user into running the Trojan, which then uses BITS to download and install additional malware.
Unfortunately, it is hard to stop BITS from downloading undesirable items, Florio told Computerworld. Because the component supports HTTP and can be programmed through a COM API, he said, it is an ideal way for Windows to download just about anything, and that also includes malicious files.
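As an added example, not code from the article, Symantec or Microsoft, the PowerShell below is the check a defender would run on a current Windows host to find BITS jobs that fit the pattern described here: it enumerates every user's jobs through the BitsTransfer module and reads the BITS client's operational event log. The heuristics (executable extensions, user-writable destinations, IP-literal URLs, a notification command line set on the job) are this editor's assumptions about what a Jowspry-style download looks like, not criteria from the article; event IDs 59 and 60 are the "started transferring" and "stopped transferring" records of the Microsoft-Windows-Bits-Client/Operational log. The module and that log did not exist in 2007, so this is the modern equivalent of inspecting job state by hand.

```powershell
# Added hunting helper for BITS abuse (not part of the original article).
# Run from an elevated prompt: Get-BitsTransfer -AllUsers fails otherwise.
Import-Module BitsTransfer

# Assumed indicators (editor's heuristics, not from the article): a payload
# with an executable extension, a destination in a user-writable directory,
# a remote name that is a bare IP address, or a command BITS runs on completion.
$SuspiciousExt = '\.(exe|dll|scr|ps1|vbs|js|bat|cmd|hta)$'
$WritablePaths = '^(C:\\Users\\[^\\]+\\AppData|C:\\Users\\Public|C:\\ProgramData|C:\\Windows\\Temp)'
$IpLiteralUrl  = '^https?://\d{1,3}(\.\d{1,3}){3}'

function Get-SuspiciousBitsJob {
    # -AllUsers also returns jobs owned by SYSTEM and by other logged-on
    # accounts, which is where a dropper's job usually sits.
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            $reasons = @()
            if ($file.LocalName  -match $SuspiciousExt) { $reasons += 'executable payload' }
            if ($file.LocalName  -match $WritablePaths) { $reasons += 'user-writable destination' }
            if ($file.RemoteName -match $IpLiteralUrl)  { $reasons += 'IP-literal URL' }
            # NotifyCmdLine is the program BITS launches when the job finishes;
            # a downloader can use it to run the file it just fetched.
            if ($job.NotifyCmdLine) { $reasons += "notify command: $($job.NotifyCmdLine)" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    DisplayName = $job.DisplayName
                    Owner       = $job.OwnerAccount
                    State       = $job.JobState
                    Created     = $job.CreationTime
                    RemoteName  = $file.RemoteName
                    LocalName   = $file.LocalName
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-BitsTransferHistory {
    param([int]$Hours = 24)
    # Event 59: BITS started transferring a job (payload carries the URL).
    # Event 60: BITS stopped transferring (payload carries URL and status).
    # Completed jobs vanish from Get-BitsTransfer, so the log is the only
    # record of what was actually fetched.
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59, 60
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pick the URL out of the event payload by shape rather than by
            # position, so the code does not depend on the template's field order.
            $url = ($_.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -match '^https?://' } |
                Select-Object -First 1).Value
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Url      = $url
                Flagged  = ($url -match $IpLiteralUrl)
                Message  = $_.Message
            }
        }
}

# Usage: live jobs that match an indicator, then the last day of transfers.
Get-SuspiciousBitsJob | Format-List
Get-BitsTransferHistory -Hours 24 | Sort-Object Time | Format-Table Time, EventId, Flagged, Url -AutoSize
```

On systems without the BitsTransfer module, `bitsadmin /list /allusers /verbose` prints the same job details (remote and local names, owner, notification command line) and is the tool that would have been used at the time of the article. Note that a legitimate Windows Update job also appears in these listings, so the output is for triage, not automatic blocking.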
Symantec has known about this misuse of BITS since 2006, yet there is still no protection against such an attack. According to Oliver Friedrichs of Symantec, one can simply disable Windows Update to prevent it from being exploited.
Friedrichs said that so far nothing has pointed to a compromise of Windows Update itself; had it been flawed, that would have emerged by now.
» SPAMfighter News - 18-05-2007