Hackers using Windows Update BITS

2007-05-15, 00:49

- http://preview.tinyurl.com/24vtqw
May 10, 2007 (Computerworld) - "Hackers are using the file transfer component used by Windows Update to sneak malware past firewalls, Symantec researchers* said today. The Background Intelligent Transfer Service (BITS) is used by Microsoft Corp.'s operating systems to deliver patches via Windows Update. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling -- so downloads don't impact other network chores. It automatically resumes if the connection is broken... Microsoft was unable to immediately respond to questions about unauthorized BITS use."
* http://preview.tinyurl.com/2dfohl

- http://blog.washingtonpost.com/securityfix/2007/05/malware_using_microsoft_patch.html
May 14, 2007 ~ "...BITS is designed to resume downloading an unfinished file even after a user restarts or logs off of Windows. As soon as the system restarts or regains Internet connectivity, BITS can pick up where it left off. Additionally, the sender can determine whether the entire file transfer completed successfully by setting a special code on the transfer. The real danger is -- assuming the Trojan sneaks past a user's anti-virus software -- the user's software firewall likely would not detect the outgoing connection when the victim's machine starts downloading the second-stage payload. That's because BITS is a legitimate system service that the firewall would allow by default or the user long ago allowed it permanent access in and out a firewall... I should note that when I tried this exploit on a Windows XP system running under a limited user account, the attack did not succeed. So if you set up your Windows XP or 2000 machine to run under a limited account, even if you inadvertently download a Trojan, it is very unlikely that it will be able to finish its job."


2007-05-17, 16:28

- http://www.firewallleaktester.com/news.htm#57
June 10 2006 ~ "...This issue is NOT a vulnerability, this is a Windows feature, and the BITS service behaviour is expected to be like this. This is also NOT a firewall vulnerability. By default you may have fully allowed svchost.exe (access to ports 80 and 443) to access the Internet (if you enabled automatic Windows update), but knowing this issue, you may now consider to reconfigure it... As a side note, about those who say you shouldn't be infected in the first place, they are of course right. But a firewall is still needed to control legit Windows components or unwanted application behavior (e.g. MS Word accessing the net). Also, in case something got planted in your PC, having restricted anything to what it needs only will mitigate the consequences. It's like the airbag of your car, theoretically you shouldn't need it, because you drive well and not too fast. But if anyway you have an accident, having an airbag will decrease the damages..."
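Both posts above make the same point: because BITS runs inside svchost.exe and is already allowed through the firewall, the download itself looks legitimate, so the useful place to look is the BITS job queue rather than the network. The script below is an added example, not code from either quoted article or from the thread; it lists every user's BITS jobs and flags the ones whose remote URL is not a known update host or that are set to run a command when the transfer finishes. It assumes the BitsTransfer PowerShell module (Windows 7 / Server 2008 R2 and later, so not the XP systems the articles discuss), an elevated session (`-AllUsers` needs it), and that the `$AllowedHosts` list is a constructed placeholder to be replaced with the update and software-distribution hosts a given site actually uses.

```powershell
# Added example (not from the thread): enumerate BITS jobs for all users and
# report jobs that do not look like ordinary update traffic.
# Assumptions: run from an elevated PowerShell; $AllowedHosts is a constructed
# placeholder allowlist; the NotifyCmdLine property is only exposed on newer
# Windows versions and is simply empty elsewhere.
Import-Module BitsTransfer

$AllowedHosts = @(
    'windowsupdate.microsoft.com',
    'update.microsoft.com',
    'download.windowsupdate.com'
)   # constructed placeholder: tune to the hosts your patching actually uses

function Test-AllowedHost {
    param([string]$Url)
    # Parse the remote URL; anything unparsable is treated as not allowed.
    try { $uriHost = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($allowed in $AllowedHosts) {
        if ($uriHost -eq $allowed -or $uriHost.EndsWith(".$allowed")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = @()

        # Windows Update only downloads; upload jobs are worth a look on their own.
        if ($job.TransferType -ne 'Download') { $reasons += "type=$($job.TransferType)" }

        # Each job carries one or more remote/local file pairs.
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedHost $file.RemoteName)) {
                $reasons += "unlisted source $($file.RemoteName) -> $($file.LocalName)"
            }
        }

        # A completion command turns a download into a launcher for the second stage.
        if ($job.NotifyCmdLine) { $reasons += "runs command on completion: $($job.NotifyCmdLine)" }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Bytes   = "$($job.BytesTransferred)/$($job.BytesTotal)"
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize -Wrap
```

The queue check only sees jobs that still exist; for jobs that have already completed and been removed, the Microsoft-Windows-Bits-Client/Operational event log keeps a record (event 59 names the URL a transfer started from), so a scheduled run of this script is best paired with forwarding that log. The second post's advice about tightening the svchost.exe firewall rule remains the network-side complement to this host-side check.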