Windows update software used to compromise security
After you've done the delicate Windows Validation dance, but before you actually receive the latest automatic update, a background component in Windows called BITS (Background Intelligent Transfer Service) is tasked with fetching the key updates that keep your system protected. So you can imagine why security analysts are very interested in Elia Florio's (of Symantec) new paper, which outlines how malware can bypass host firewalls via BITS -- but there's a catch. BITS itself isn't compromised, per se; it's just a content acquisition service for Windows. In other words, your machine already has to be compromised for BITS to bypass your firewall: this kind of hack just helps whichever Trojan / worm / virus you've already been infected with fetch more software components to aid its intrusion. So the next time your mom or dad sends you bits-hack-RUN-ME.exe, think twice. [Thanks, Philip]
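Since the abuse described above rides on BITS jobs that already exist on the host, a defender's first check is simply to look at the job queue. The following PowerShell is an added example (not from the article or from Symantec's paper): it lists every BITS job on the machine and flags any whose remote URL does not match an allowlist of update sources. It assumes the BitsTransfer module is present, an elevated shell (needed for -AllUsers), and that $AllowedHosts is a constructed placeholder list you would replace with your own update and distribution servers.

```powershell
# Added example: audit the BITS job queue and flag jobs fetching from hosts
# that are not on the allowlist. Not part of the original article.
Import-Module BitsTransfer

# Constructed allowlist (placeholder values): hosts that legitimately feed
# BITS on this machine, e.g. Windows Update and an internal WSUS server.
$AllowedHosts = @('*.windowsupdate.com', '*.microsoft.com', 'wsus.corp.example')

function Test-AllowedHost {
    param([string]$Url)
    $uri = $null
    # Anything that is not a well-formed absolute URL is treated as suspicious.
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($pattern in $AllowedHosts) {
        if ($uri.Host -like $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # -AllUsers matters: a job created by malware running under another
    # account (or as SYSTEM) is otherwise invisible to the current user.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedHost $file.RemoteName)) {
                [pscustomobject]@{
                    JobId        = $job.JobId
                    DisplayName  = $job.DisplayName
                    Owner        = $job.OwnerAccount
                    State        = $job.JobState
                    Priority     = $job.Priority      # Foreground on a non-update job is unusual
                    RemoteName   = $file.RemoteName
                    LocalName    = $file.LocalName   # where the payload would land on disk
                    CreationTime = $job.CreationTime
                }
            }
        }
    }
}

# Report the flagged jobs. After review, a flagged job can be cancelled with:
#   Get-BitsTransfer -AllUsers | Where-Object JobId -eq <JobId> | Remove-BitsTransfer
Get-SuspiciousBitsJob | Format-Table -AutoSize
```

For after-the-fact investigation, the same job creations and transfers are also recorded in the Microsoft-Windows-Bits-Client/Operational event log, which can be forwarded to a central collector.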
"So the next time your mom or dad sends you bits-hack-RUN-ME.exe, think twice."
And go clean their computer. Again...
One of these days I'll install Ubuntu on it.
Implying that Windows Update is compromised in your headline is completely misleading and very dangerous - the absolute last thing you should be doing is even hinting that people shouldn't be running it to update their PCs.
OMG an ALREADY COMPROMISED PC can access parts of the Windows API to download more badness (tm)? Shock! Horror! Alert the intertubes!
How is this news? If you've already got a trojan running, it's going to download more things one way or the other. It uses the same framework for file transfers that Microsoft Update uses? Well fuck me, let's make a sensationalist news article about it.
Pedro:
Read the full article. The difference is that the Trojan can establish an outbound connection without triggering a host-based firewall alert. Is this the end of the world? No. But it is a security vulnerability....
One way or the other? How many other ways did you know of for a virus/spyware to download shit loads more spyware/viruses once the machine's compromised, although you had like a billion firewalls??
Honestly I didn't, and have been wondering every time how the fuck does it keep on getting worse by the second.. No one's asking anyone to stop using auto update, they are just letting you know that it has some issues.
BITS can be possibly used as a transport for trojans - Windows Update has nothing to do with it.
Pls change the headline. It's completely misleading. I am assuming Engadget has a reputation to protect by getting things right.....
I'm pretty sure most of the people who would read Engadget have nothing to worry about. The only clicking of virus files I would imagine them to use would be on a computer of a hated boss/ex-girlfriend/MIA/etc. And like Pedro said, with a trojan the damage would be pretty much the same. Just another method that's all.
That's not a problem, generally. It just pisses me off when people knock Windows for no reason. Microsoft has invested a lot of time, money and skilled people to get Windows into the state that it is in now. You want to complain about negligible faults with a very complex OS, well that's not fine with me. Write your own fucking operating system that's more secure. And contributing to NetBSD does not count; write your kernel from scratch.
Try it, then you can complain.
1st post wrapped up all good comments we'll see out of this in one.
In before apple fanboys.
It's a piece of piss to download stuff. Hell, let's use another of Microsoft's APIs; Winsock (that's the Windows Sockets API). Load the DLL and hook the functions with your app. Establish a connection to a file server (ftp port 21 or http port 80). If using a HTTP server, send a GET request to start the transfer of a file (remember to ACK the SYN requests!), your listener should be grabbing the contents of the file being sent and output it as an I/O stream (write it to disk you spoon). Shell/Exec the file once bytes received == bytes expected or whatever (might want to check an MD5 hash of the file too).
See? That was a dumb example as there are better ways to get files, just Google for the code. As for firewalls, any app can programmatically add itself to the firewall's whitelist. Failing that, redirect a local IP to your evil server in the victim's hosts file, then connect to that first - should work OK.
I'm trying to outline two things here; 1 - there are many ways to skin a cat and 2 - if you don't know a lot about the topic in question, don't act condescendingly to a programmer.
"if you don't know a lot about the topic in question, don't act condescendingly to a programmer."
So guess what Pedro - you're not the only programmer who reads Engadget. In fact, I highly doubt you're a programmer. Just mentioning winsock is not enough to convince anyone.
You're also wrong. You can't just add yourself to a firewall's white list. Most host-based firewalls (Windows Firewall, Norton, etc.) prevent applications from adding themselves without prompting the user. Otherwise those products would be completely pointless.
Nice try though.
I do understand that there are ways of downloading files, but trust me it's not that easy bypassing firewalls as you have pointed out. By the way pedro
"2 - if you don't know a lot about the topic in question, don't act condescendingly to a programmer."
I have been writing code since I was like 12 (C,C++,VB,Java) and I am a Software engineering undergraduate. So I kinda think I know what I'm talking about.
I'm trying to outline 3 things here by the way.
1. I am not trying to offend you or did try to offend you in any way
2. Please do change your firewall if any program can add itself to the white list, and use an admin password for the firewall
3. Don't assume everyone else is dumb just because you know a little about something.
It just pisses me off when people knock windows for no reason. Microsoft has invested a lot of time, money and skilled people to get Windows into the state that it is in now.
-
They've spent a lot of money and taken 5 years. We get it.
How about good ideas?
How about thoughtfulness?
How about starting clean slate with an internet-oriented foundation like they said they were going to do?
Naw...
I guess Windows users aren't that tough to please...
Then again, it's not like Vista is selling... (see: Dell)
You say "You can't just add yourself to a firewall's white list. Most host-based firewalls (Windows Firewall, Norton, etc.) prevent applications from adding themselves without prompting the user."
Microsoft TechNet says "Note:
Many program exceptions are also created programmatically through the Windows Firewall application programming interfaces (APIs). Programs that use the Windows Firewall APIs can add themselves to the exceptions list without any user notification or input."
http://207.46.196.114/windowsserver/en/library/cc69743b-6f9e-4dde-87ae-18c82c6240031033.mspx?mfr=true
Sorry, buddy.
>2. Please do change your firewall if any program can add themselves to the white list, and Use an admin password for the firewall
The program has to store its whitelist somewhere, be it in the registry, or a file. Any application can alter these locations.
>3. Don't assume everyone else is dumb just because you know a little about something.
I'm sorry if I came off as insulting. I didn't intend to offend anybody, I just get annoyed about stuff quite easily.
I'm actually quite sick of arguing now, so maybe I'll stop.
There's a piece of freeware called WinBITS that allows you to view, edit, delete, and add BITS download queue entries. I used it to speed up a BITS download that was going far too slowly (although it only confused the Microsoft product downloading it, so I installed it manually). It would have taken weeks, it was downloading so slowly, but by making it download with "Foreground" priority (sorta against the spirit of BITS, which is to use unused bandwidth only) it finished in a couple of hours.
You could also use it to monitor BITS downloads and stop any you don't like.
A handy product I've recently discovered is "Windows Updates Downloader" made by a third party - for the times I absolutely NEED an update (which hasn't happened yet). Tried it, it works well.
I've run with services like Background Intelligent Transfer Service, Windows Updates, Windows Time, etc disabled by default for years.
(and removed troublesome Symantec (Norton) products by default). In my opinion, Symantec is the real virus...