Filed under: Internet, Security
Hackers use Windows Update to download malicious code
Microsoft's Windows Update has a component called Background Intelligent Transfer Service (BITS) that downloads updates in the background while you're busy doing other things with your computer. If you get disconnected, the download picks up where it left off once you're back on the network. Sounds great, right? Generally it is. But because BITS is part of the operating system, your firewall doesn't really inspect what it's downloading. And while there is pretty much no risk of automatically downloading a virus or trojan through Windows Update under normal circumstances, hackers are starting to use BITS to download code to computers that have already been affected.
Say you click that file attachment in an email from an unknown source, expecting to see compromising photos of a young starlet. Turns out there's no photo, so you shrug and move on. Next thing you know, your computer is trying to download all sorts of files to capture your passwords. Normally your firewall would help protect your computer from such attacks, but since BITS can fly under the radar, you may be out of luck.
According to a Symantec researcher, there's no way to prevent hackers from using BITS right now, but Microsoft could redesign BITS to require a higher user level in order to work, or it could allow BITS to download files only from trusted sources.
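The "trusted sources" idea above is something an administrator can at least audit for today, since BITS keeps a job queue that can be listed and an operational event log that records transfers. The script below is an added example, not code from the article or from Symantec: it enumerates every user's BITS jobs, flags any whose remote URL is not on an allow-list of hosts, and then dumps the most recent entries from the BITS client event log. The allow-list is an assumption to be replaced with the hosts your own environment trusts; the `Test-TrustedUri` function and the object property names it prints are this example's own.

```powershell
# Added example: audit BITS jobs for downloads from hosts outside an allow-list.
# Requires the BitsTransfer module (Windows 7 / Server 2008 R2 and later) and an
# elevated prompt, because -AllUsers is needed to see jobs owned by other accounts.
Import-Module BitsTransfer

# Assumed allow-list; replace with the update and distribution hosts you actually trust.
$TrustedHosts = @(
    'windowsupdate.microsoft.com',
    'update.microsoft.com',
    'download.windowsupdate.com'
)

function Test-TrustedUri {
    # Returns $true only if the URL parses and its host is a trusted host
    # or a subdomain of one; anything unparseable is treated as untrusted.
    param([string]$Uri)
    try { $u = [System.Uri]$Uri } catch { return $false }
    foreach ($h in $TrustedHosts) {
        if ($u.Host -eq $h -or $u.Host.EndsWith('.' + $h)) { return $true }
    }
    return $false
}

# One row per file in every queued or active job, so each remote URL is checked on its own.
$rows = Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($file in $job.FileList) {
        [PSCustomObject]@{
            JobId     = $job.JobId
            Name      = $job.DisplayName
            Owner     = $job.OwnerAccount
            State     = $job.JobState
            RemoteUrl = $file.RemoteName
            LocalPath = $file.LocalName
            Trusted   = Test-TrustedUri $file.RemoteName
        }
    }
}

# Anything not on the allow-list is worth a look: who owns it, and where the file lands.
$rows | Where-Object { -not $_.Trusted } | Format-Table -AutoSize

# Completed jobs leave the queue, so also review the BITS client log, which records
# transfers after the fact. Adjust -MaxEvents to the window you care about.
Get-WinEvent -LogName 'Microsoft-Windows-Bits-Client/Operational' -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

The job listing only covers transfers that are still queued or in progress, which is why the event log is read as well; an untrusted host on either list is a lead, not a verdict, since legitimate third-party software also uses BITS.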



Reader Comments (Page 1 of 2)
brian said 12:16PM on 5-11-2007
One reason I didn't upgrade to Vista
*rolls eyes*
Good old Windows XP...
Brad Linder said 12:17PM on 5-11-2007
Windows XP also uses BITS.
Jeffrey McManus said 12:40PM on 5-11-2007
This piece is misleading -- it gives people the sense that BITS has a vulnerability when that's not really the case. Putting restrictions on BITS would be a classic example of closing the gate after the cows are out of the barn since it is only meaningful to hackers after the machine has already been compromised. It would make just as much sense to put restrictions on HTTP traffic (i.e., no sense at all).
Will said 1:16PM on 5-11-2007
Linux. Mac.
LeeH said 1:17PM on 5-11-2007
"Or Microsoft could only allow BITS to download files from trusted sources." Please don't tell me they implemented this automated service *without* specifying a trusted source?
Oy.
Brad Linder said 1:26PM on 5-11-2007
Hey, I made it clear in the article that this only affects "computers that have already been affected." I was conscious of the fact that this article could have come off as alarmist. But I honestly couldn't think of a way to convey in a short headline the fact that hackers have found a way to manipulate the service used by Windows Update to download code if and only if they have already managed to infect your computer with a trojan.
Andre de Cavaignac said 1:28PM on 5-11-2007
BITS is just a download service. Once an attacker has infiltrated a system, there are way more ways he could get around the firewall -- on any system, Linux, Mac, Windows -- it doesn't matter. All it does is download files.
As someone said before, the security vulnerability is whatever originally infected the system. Want another way to get around the firewall? Write a plugin that runs in-process of a process that already has access (IE, Outlook, Word, FireFox, Trillian -- whatever accepts plugins)....
Racetrack-Owner said 2:26PM on 5-11-2007
It doesn't come off as alarmist, it comes off as misleading and incorrect. They aren't using "Windows Update" any more than running an MSI to install a trojan would be using "Windows Update" to compromise the machine. The difficulty of coming up with a good headline doesn't justify the misdirection.
How about "Microsoft component used to download malicious code" or "Background Transfer Service used by hackers"? Reasonably descriptive headlines aren't all that difficult to imagine.
sean said 2:28PM on 5-11-2007
Doesn't seem like they would need to use BITS in the first place. If you're dumb enough to open an anonymous attachment once, you're probably dumb enough to open one again.
What's the point of this story anyway? People that blindly open attachments don't read these kinds of articles.
El Guapo said 3:29PM on 5-11-2007
This is nonsense. Once your PC has already been compromised, NOTHING is safe. That's like saying network cards are a security problem because "hackers" use them to "download all sorts of files".
This is just downloadsquad once again trying to flame up some rabid anti-MS stir in another misguided attempt to get page views.
Sunny said 10:19PM on 5-11-2007
heh, they didn't know the BHSZ http://linkyme.com/g2wqek
but they sure did try! lol, nice post.
mlw4428 said 8:31AM on 5-12-2007
The way to use this exploit is to already have compromised the system. In that case it doesn't matter what OS you have...if a hacker has your system compromised then they can do whatever. For once this isn't really Microsoft's fault...they of course could set it up to download only from trusted sources (but it's not like files can't be patched or anything). A good security policy and downloading only from trusted sources is a pretty good way to keep your computer clear. Shitty security practices aren't the fault of Microsoft, but the fault of the user.
I use Linux (Ubuntu Edgy :D) and the same concept applies there.
Mr Owl said 8:31AM on 5-12-2007
The Windows firewall never catches BITS, but Zone Alarm does. It asks every time you connect to the internet whether to allow Windows Update (don't know about your settings). And who the hell needs an update of Windows??? It's better being disabled.
RobotsThink said 8:31AM on 5-12-2007
M$ will die of re-working on their OS :)
foobar said 1:40PM on 5-12-2007
This is bunk, alarmist FUD. Guess what, once an attacker has control over your machine they can do whatever they want without BITS. Let us say an attacker has gotten inside your Mac or Linux box by getting your password and installing a virus manually (I won't even get into the argument of attacking to prevent people from trying to hijack the point). Now that they control your account from a running process, can they download some files over http? Yes, yes they can. Ridiculous article.
Joel said 7:31PM on 5-12-2007
This article needs to be renamed. Its title suggests that Windows Update has been compromised.
The Computer World article is also a little more than a little off. BITS is a documented API that Microsoft has made available to programmers. While the use of it to download malicious content is disagreeable, doing so doesn't represent any type of hijacking of a Windows component.
Disabling BITS would cause more trouble than good. It would make it difficult for well-intentioned developers to easily use it for rapid development and would not prevent a hacker from implementing a similar protocol.
HakMan said 9:46PM on 5-12-2007
Just another avenue of exploitation. No matter what hackers will always find a way in. A necessary evil; without it few issues would get resolved or "patched"
franksen beanz said 11:51PM on 5-12-2007
If you were able to somehow change the DNS entry, maybe with a MITM attack, you should be able to make Windows download from the wrong source without ever directly attacking the Windows machine. You could do this with ettercap fairly easily. Or, if you can take control of their router (if they use one) and the router is providing DNS resolution, that would be another way to do it.
davenix said 11:51PM on 5-12-2007
You need to educate yourself...tard. How about you read a little before posting a doofus opinion based on zero know how.
Douchenozzle.
Bryan said 8:05PM on 5-13-2007
This is 100% spreading FUD (fear, uncertainty, and doubt). The headline is totally misleading - hackers are most definitely NOT using Windows Update to download malicious code - and the article even says so!
BITS is an auto-resuming, auto-throttling FTP client that is used by Windows Update (and other products) to send files over your network connection in the background - so your regular browsing & email is not impacted. It's a very cool service.
Yes, Hackers can use BITS. But first the Hacker has to have control of your machine. BITS is not a way in.
If a burglar breaks into your house through a window then goes and opens the garage door to back up a truck, we're not all going to get rid of our garage doors! We put bars on the windows, or (as Will recommends) move to another neighborhood where no one will try to break in.