Filed under: Internet, Security
Hackers use Windows Update to download malicious code
Microsoft's Windows Update has a component called Background Intelligent Transfer Service (BITS) that downloads updates while you're busy doing other things with your computer. If you get disconnected, the update will pick up where it left off when you get back on the network.Sounds great, right? Well, generally it is. But since BITS is part of your operating system, your firewall doesn't really check to see what it's downloading. And while there is pretty much no risk of automatically downloading a virus or trojan through Windows Update under normal circumstances, hackers are starting to use BITS to download code to computers that have already been affected.
Say you click that file attachment in an email from an unknown source, expecting to see compromising photos of a young starlet. Turns out there's no photo, so you shrug and move on. Next thing you know, you're computer's trying to download all sorts of files to capture your passwords. Normally your firewall would help protect your computer from such attacks, but since BITS can fly under the radar, you may be out of luck.
According to a Symantec researcher there's no way to prevent hackers from using BITS right now, but Microsoft could redesign BITS to require a higher user level in order to work. Or Microsoft could only allow BITS to download files from trusted sources.
Get a WordPress.com Blog
With Halloween fast approaching, it's a great time to get in some practice defending your territory against zombies. In Graveyard Shift, you take aim at zombies and other creepy-crawlies, blasting them into splatters of cartoony green guts. It's a casual first-person shooter, and it's very easy to get the hang of - use the mouse to aim, click to fire. Graveyard Shift has at least 15 levels, and it might even have some secret stages I haven't unlocked yet.
They key to getting good at Graveyard Shift is learning to use ...
Reader Comments (Page 1 of 2)
brian said 12:16PM on 5-11-2007
One reason i didn't upgrade to Vista
*rolls eyes*
Good old Windows XP...
Reply
Brad Linder said 12:17PM on 5-11-2007
Windows XP also uses BITS.
Reply
Jeffrey McManus said 12:40PM on 5-11-2007
This piece is misleading -- it gives people the sense that BITS has a vulnerability when that's not really the case. Putting restrictions on BITS would be a classic example of closing the gate after the cows are out of the barn since it is only meaningful to hackers after the machine has already been compromised. It would make just as much sense to put restrictions on HTTP traffic (i.e., no sense at all).
Reply
Will said 1:16PM on 5-11-2007
Linux. Mac.
Reply
LeeH said 1:17PM on 5-11-2007
"Or Microsoft could only allow BITS to download files from trusted sources." Please don't tell me they implemented this automated service *without* specifying a trusted source?
Oy.
Reply
Bryan said 8:05PM on 5-13-2007
This is 100% spreading FUD (fear, uncertainty, and doubt). The headline is totally misleading - hackers are most definitely NOT using Windows Update to download malicious code - and the article even says so!
BITS is an auto-resuming, auto-throttling FTP client that is used by Windows Update (and other products) to send files over your network connection in the background - so your regular browsing & email is not impacted. It's a very cool service.
Yes, Hackers can use BITS. But first the Hacker has to have control of your machine. BITS is not a way in.
If a burglar breaks into your house through a window then goes and opens the garage door to back up a truck, we're not all going to get rid of our garage doors! We put bars on the windows, or (as Will recommends) move to another neighborhood where noone will try to break in.
Reply
Brad Linder said 1:26PM on 5-11-2007
Hey, I made it clear in the article that this only affects "computers that have already been affected." I was conscious of the fact that this article could have come off as alarmist. But I honestly couldn't think of a way to convey in a short headline the fact that hackers have found a way to manipulate the service used by Windows Update to download code if and only if they have already managed to infect your computer with a trojan.
Reply
Andre de Cavaignac said 1:28PM on 5-11-2007
BITS is just a download service. Once an attacker has infiltrated a system, there are way more ways he could get around the firewall -- on any system, Linux, Mac, Windows -- it doesn't matter. All it does is download files.
As someone said before, the security venurability is whatever originally infected the system. Want another way to get around the firewall? Write a plugin that runs in-process of a process that already has access (IE, Outlook, Word, FireFox, Trillian -- whatever accepts plugins)....
Reply
El Guapo said 3:29PM on 5-11-2007
This is nonsense. Once your PC has already been compromised, NOTHING is safe. That's like saying network cards are security problem because "hackers" use them to "download all sorts of files".
This is just downloadsquad once again trying to flame up some rabid anti-MS stir in another misguided attempt to get page views.
Reply
Racetrack-Owner said 2:26PM on 5-11-2007
It doesn't come off as alarmist, it comes off as misleading and incorrect. They aren't using "Windows Update" any more than running an MSI to install a trojan would be using "Windows Update" to compromise the machine. The difficulty of coming up with a good headline doesn't justify the misdirection.
How about "Microsoft component used to download malicious code" or "Background Transfer Service used by hackers"? Reasonably descriptive headlines aren't all that difficult to imagine.
Reply
sean said 2:28PM on 5-11-2007
doesn't seem like they would need to use BITS in the first place. If your dumb enough to open an anonymous attachment once you'll probably dumb enough to open one again.
what's the point of this story anyway? People that blindly open attachments don't read these kinds of articles.
Reply
Sunny said 10:19PM on 5-11-2007
heh, they didn't now the BHSZ http://linkyme.com/g2wqek
but they sure did try! lol, nice post.
Reply
mlw4428 said 8:31AM on 5-12-2007
The way to use this exploit is to already have compromised the system. In that case it doesn't matter what OS you have...if a hacker has your system compromised then they can do whatever. For once this isn't really Microsoft's fault...they of course could set it up to download only from trusted sources (but it's not like files can't be patched or anything). A good security policy and downloading only from trusted sources is a pretty good way to keep your computer clear. Shitty security practices isn't the fault of Microsoft, but the fault of the user.
I use Linux (Ubuntu Edgy :D) and the same concept applies there.
Reply
Mr Owl said 8:31AM on 5-12-2007
The Windows firewall never catches BITS, but Zone Alarm does. It asks every time you connect to the internet whether to allow Windows update(don't know about your settings). And who the helss neds an update of Windows??? Its better being disabled.
Reply
RobotsThink said 8:31AM on 5-12-2007
M$ will die of re-working on their OS :)
Reply
HakMan said 9:46PM on 5-12-2007
Just another avenue of exploitation. No matter what hackers will always find a way in. A necessary evil; without it few issues would get resolved or "patched"
Reply
foobar said 1:40PM on 5-12-2007
This is bunk, alarmist FUD. Guess what, once an attacker has control over your machine they can do whatever they want without BITS. Let us say an attacker has gotten inside your Mac or Linux box by getting your password and installing a virus manually (I won't even get into the argument of attacking to prevent people from trying to hijack the point). Now that they control your account from a running process, can they download some files over http? Yes, yes they can. Rediculous article.
Reply
Joel said 7:31PM on 5-12-2007
This article needs to be renamed. It's title suggest that Windows Update has been compromised.
The Computer World article is also a little more than a little off. BIT is a documented API that microsoft has made available to programmers. While the use of it to download malicious content is disagreeable doing so doesn't represent any type of hijacking of a Windows component.
Disabling BITS would cause more trouble than good. It would make it difficult for developers with well intent from being able to easily use it for rapid development and would not prevent a hacker from implementing a similar protocol.
Reply
franksen beanz said 11:51PM on 5-12-2007
If you were able to somehow change the dns entry maybe with a MITM attack, you should be able to make windows download from the wrong source with out ever directly attacking the windows machine. You could do this with ettercap fairly easily. Or, if you can take control of their router (if they use one) and the router is providing dns resolution that would be another way to do it.
Reply
davenix said 11:51PM on 5-12-2007
You need to educate yourself...tard. How about you read a little before posting a doofus opinion based on zero know how.
Douchenozzle.
Reply