New Attack Piggybacks on Microsoft's Patch Service
Security experts have been predicting that virus writers would find a way to hijack Microsoft's security patch delivery process to slip their software onto users' computers. They were right.
Security researcher Frank Boldewin last week published a proof-of-concept program illustrating an attack technique he first witnessed in March, in an e-mail he received. The e-mail appeared to have been sent from a local Internet service provider in Germany. The file attached to the message was designed to install a Trojan horse program on a victim's machine, which would then download further malicious software.
That second-stage download leveraged a Windows component called the Background Intelligent Transfer Service, or BITS. The Windows Automatic Updates feature uses BITS to fetch security updates in the background over a customer's spare network bandwidth.
BITS is designed to resume an unfinished download even after the user logs off or restarts Windows: as soon as the system comes back up or regains Internet connectivity, BITS picks up where it left off. Additionally, whoever created the transfer can determine whether the entire file arrived successfully by setting a special code on the transfer.
The real danger is that, assuming the Trojan sneaks past a user's anti-virus software, the user's software firewall likely would not flag the outgoing connection when the victim's machine starts downloading the second-stage payload. That's because BITS is a legitimate system service that the firewall either allows by default or that the user long ago granted permanent access in and out through the firewall.
I tried Boldewin's proof-of-concept code. It bypassed ZoneAlarm Free with ease, popping up this message: "If you see this message and your firewall hasn't alerted you before downloading and executing this code, the firewall bypassing worked successfully!"
Boldewin said this was the first time he'd seen this special BITS technique in malware, and asked Symantec malware analyst Elia Florio to test its originality. Symantec hadn't seen the technique used in any of the previous malicious software it had examined.
"It is a very unsuspicious way to download malware, because BITS is a legitimate technique," Boldewin wrote in an e-mail reply to Security Fix.
Hat tip to Symantec for the original report. The firm's blog entry notes that while this was the first instance of a BITS-enabled piece of malware it spotted online, "the BITS download method was already well-documented in the underground and was posted as an 'anti-firewall loader' example on a Russian forum during the end of 2006."
I disagree with Symantec's claim that "there's no immediate workaround against this type of attack." A piece of malware injecting itself into a trusted system process is not new or difficult to fortify against. On the first point, consider the "BackStealth Trojan" spotted in 2002. It worked by searching for several types of software firewalls that might be running on the victim's system and then using the firewall's own trusted process to download further components.
I should note that when I tried this exploit on a Windows XP system running under a limited user account, the attack did not succeed. So if you set up your Windows XP or 2000 machine to run under a limited account, even if you inadvertently download a Trojan, it is very unlikely that it will be able to finish its job.
By Brian Krebs |
May 14, 2007; 10:45 AM ET
Posted by: umm.huh@gmail.coom | May 14, 2007 12:52 PM
So.....the quick fix for prevention is to disable AU, right?
Posted by: Redwretch | May 14, 2007 1:16 PM
From what I've seen, BITS download jobs can be run from a non-admin account in XP Service Pack 2 (specifically, BITS 2.0 and up). The reason that the proof of concept program doesn't work is that it tries to write the download stream out to the root directory on the C drive, which non-admin accounts cannot write files to. If the target directory had been something like %USERPROFILE%, it would have succeeded.
FWIW, BITS doesn't necessarily provide a route to privilege escalation all by itself, but this "outbound protection" leakage is definitely a concern.
Philip Sloss
myNetWatchman.com
Posted by: Philip Sloss | May 14, 2007 3:09 PM
Doh! Forgot to mention one other thing: Guillaume Kaddouch wrote about this last year, on his web site:
http://www.firewallleaktester.com/news.htm#57
Philip Sloss
myNetWatchman.com
Posted by: Philip Sloss | May 14, 2007 3:12 PM
The only thing this proves is the first immutable law of computer security:
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Posted by: TJ | May 14, 2007 6:48 PM
The PoC has been updated. Now it stores the downloaded executable in the user's temp dir.
Posted by: sergey romanov | May 14, 2007 7:08 PM
@umm.huh@gmail.coom: good point. There's a word I'm looking for to describe people who prefer processes that are 'thoughtless'. Could it be - 'thoughtless'? ;)
Posted by: Rick | May 14, 2007 7:26 PM
As a follow up:
http://arstechnica.com/news.ars/post/20070513-symantec-malware-can-hijack-windows-update.html
Contrary to reports elsewhere, this is not a reason to avoid using Windows Update, for Windows Update itself cannot infect your system. To get infected, the user still has to first download a malicious file and execute it. At that point, it doesn't matter whether the user has Windows Update's BITS download installed or not: the system is already compromised.
A spokesperson for Microsoft told Ars Technica that the software giant "is aware of public reports that Background Intelligent Transfer Service (BITS) is being used by TrojanDownloader:Win32/Jowspry to bypass policy-based firewalls in order to install additional malware." The spokesperson pointed out that the attack does not come from a flaw in Windows Update but rather "relies on TrojanDownloader:Win32/Jowspry already being present on the system; it is not an attack vector for initial infection." Microsoft did not indicate if the company is planning to revamp the security of the BITS service.
http://scmagazine.com/us/news/article/657068/windows-update-used-download-malware-updates/
A Microsoft spokesperson told SCMagazine.com today that attacks taking advantage of BITS are reliant on malware already being installed on a system.
"Microsoft is aware of public reports that Background Intelligent Transfer Service is being used by TrojanDownloader.Win32/Jowspry to bypass policy-based firewalls in order to install additional malware. The bypass relies on [the trojan] already being present on the system; it is not an attack vector for initial infection," said the spokesperson. "The bypass most commonly occurs after a successful social engineering attempt lures the user into inadvertently running [the trojan], which then utilizes BITS to download additional malware."
Posted by: TJ | May 14, 2007 7:28 PM
@TJ:
Roses are red
Violets are blue
I own this Windows computer
And so do I
And so do I
And do do I
Posted by: Rick | May 14, 2007 7:34 PM
Excellent work, Brian.
Short of getting a club for use on the endpoint, the response is a consistent deafness when the virtues of LUA are explained. They just don't seem to have the time to listen - the eyes sort of glaze over as they "...look at clouds. They are in very interesting shapes...". 'Much easier to just whine, I guess.
Posted by: J. Warren | May 14, 2007 8:21 PM
So let me get this straight.
The Trojan has to ALREADY BE ON YOUR SYSTEM. But it's Microsoft Update's fault that you're infected?
What kind of idiocy is this?
Get real Symantec. Way to drum up some FUD!
Posted by: Tim | May 14, 2007 8:58 PM
Sure, a user has to download and start a binary on his computer, but what if you, e.g., surf to an owned website (like the Dolphins homepage some weeks ago) which hosts an unpatched exploit (like the .ani bug at the time)? The .ani bug transfers the dropper with the BITS code to your computer, and this one is then able to download further malware, as all those firewalls are blind to BITS downloading.
Just want to make clear that the combination of weaknesses is often the main problem.
Posted by: sergey romanov | May 15, 2007 3:09 AM
1. BITS can be removed from the Windows load.
2. Network depts. can download updates and push them out to their client PCs.
3. Virus scans and malware scanners should detect the Trojan.
With a little bit (BITS) of foresight, this can be eliminated as a threat.
Posted by: coachgeorge | May 15, 2007 9:43 AM
These headlines should have come out years ago when windows update was first released.
"New Attacks Piggy-Back on Microsoft's Patch Service"....
The protocol used for Microsoft's patch service is a security weakness. All computers using the protocol, called HTTP, are insecure if someone takes over the computer.
Posted by: gary | May 15, 2007 10:01 AM
Windows Update or the newer Microsoft Update itself CANNOT infect your system.
To get infected, the user still has to FIRST download a malicious file and execute it. At that point, the first immutable law of computer security kicks in: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. Game over!
Then the malware attempts to use the BITS service to further compromise an already compromised system!
As Brian stated in the article, "a piece of malware injecting itself into a trusted system process is not new or difficult to fortify against."
Moral to the story: an ounce of prevention is worth a pound of cure.
Posted by: TJ | May 15, 2007 1:27 PM
What a non-story. If your box gets owned, there are many different ways malware could download something.
As someone pointed out above, BITS is just another HTTP client. There's no vulnerability in BITS, unless you consider anything that uses HTTP a vulnerability, which would mean the end of web browsing.
Posted by: Matt | May 15, 2007 1:53 PM
M$ bashing yet again, an over-hyped security issue which really is just too flaky to be of real concern. At the end of the day the users are the biggest security risk with any system.
And as for the first guy going on about everyone abandoning Windows and trying to tell his boss to do likewise, he wants to live in the real business world: 90% of corporate PCs are M$ based, that's just the way it is. That's probably why he ain't the boss, thank god.
Posted by: Dave | May 16, 2007 9:08 AM
I agree 100% with the above: you have to get owned first; it doesn't really matter how the malware downloads a payload after that.
Posted by: John | May 16, 2007 9:10 AM
As other posters mention, you need to first download the malware, which your antivirus (on your PC, mail server, etc.) would hopefully catch.
If the proof-of-concept code is modified to download to a writable area of your system (such as Documents and Settings\your_profile\) then BITS can in fact start downloading malware even if you're running Windows as a low-privilege account.
A hardware firewall at the perimeter of your network would prevent BITS from downloading files from non-Microsoft networks if you filter outbound traffic. However, the PC would still be compromised with the initial payload/malware. Keep your AV up to date, and in corporate environments, prevent users from downloading any executable.
Posted by: AtomicFission.com | May 16, 2007 11:21 AM
John> you have to get owned first, doesn't really matter how the malware downloads a payload after that
It matters if, after discovery of the compromise, the person cleaning up the box doesn't anticipate the scenario of having BITS do a delayed download and install. This is entirely possible, especially if people like Brian don't inform as many people as possible that this vector exists.
Strategies that may similarly sidestep eviction in other environments:
1. UNIX box is compromised, intruder adds cron or at job to recompromise in a week. Admin discovers compromise, cleans up box, but doesn't check cron and at jobs. A week later, the box is compromised again. (This actually happens.)
2. Switch or router is compromised, intruder makes changes, saves config, schedules a reboot in a month. Admin discovers compromise, fixes config changes, but doesn't save config. A month later, router reboots and is running the compromised config again. (This actually happens.)
Posted by: antibozo | May 16, 2007 12:31 PM
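The cleanup blind spot antibozo describes (a BITS job that quietly resumes after the responder has left) is something you can check for directly. The script below is an added example, not code from the article, its commenters or Microsoft; it needs an elevated PowerShell on Windows 7 or later (the BitsTransfer module did not exist on the XP systems discussed above), and the list of expected update hosts and the path heuristics are assumptions to tune for your environment.

```powershell
# Added example: list BITS jobs for every user and flag ones that do not look like
# Windows Update traffic. Run elevated; without admin rights -AllUsers only shows
# your own jobs, which is exactly the gap a per-user cleanup leaves open.
Import-Module BitsTransfer

# Assumed allow-list of hosts that legitimate update jobs talk to. Adjust locally.
$ExpectedHostSuffixes = @('microsoft.com', 'windowsupdate.com', 'windows.com')

function Test-ExpectedHost {
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($suffix in $ExpectedHostSuffixes) {
        if ($hostName -eq $suffix -or $hostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJobs {
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            $reasons = @()
            if (-not (Test-ExpectedHost $file.RemoteName)) { $reasons += 'remote host not on allow-list' }
            # Staging into a user-writable location is the change the updated PoC made
            # so that it works from a limited account (see Philip Sloss's comment).
            if ($file.LocalName -match '\\Temp\\|\\Users\\Public\\|\\AppData\\|\\Downloads\\') {
                $reasons += 'local target is a user-writable staging path'
            }
            if ($file.LocalName -match '\.(exe|dll|scr|bat|cmd|ps1)$') { $reasons += 'local target is executable' }
            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    JobId       = $job.JobId
                    DisplayName = $job.DisplayName
                    Owner       = $job.OwnerAccount
                    State       = $job.JobState
                    Created     = $job.CreationTime
                    RemoteName  = $file.RemoteName
                    LocalName   = $file.LocalName
                    Reasons     = ($reasons -join '; ')
                }
            }
        }
    }
}

$suspects = Get-SuspiciousBitsJobs
$suspects | Format-Table -AutoSize
# Containment: cancel the job (Remove-BitsTransfer) rather than let it complete, so a
# suspended or errored download never lands after the box is handed back.
# $suspects | ForEach-Object { Get-BitsTransfer -AllUsers -JobId $_.JobId | Remove-BitsTransfer }
```

Record the flagged job's RemoteName and Owner before cancelling it, since the remote URL is often the only lead back to the second-stage hosting and the owning account tells you which profile the dropper ran under.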
BITS does not install stuff, it only downloads it. The screenshot above is misleading since it implies that the background BITS job is the installing agent.
Posted by: Daniel | May 16, 2007 1:18 PM
Got it...the initial security issue is still SOP for prevention.
Posted by: Redwretch | May 17, 2007 1:50 PM
Yes, this is why users are abandoning the Windows platform. It seems to make perfect sense to the companies that supposedly provide security for our systems to wait for the problem to occur before they get around to preventing this kind of access to crooks. While I tell my boss to update manually, I doubt he'll ever do it. He, like many others, believes the automatic updates feature makes the process seem so easy and thoughtless. Why go to the various places to download for MS Office and the system when automatic updates does it for you? If only the criminals worked at legitimate enterprises.
This is just further proof. Thanks BK