Hackers hijack Windows Update's downloader

The Background Intelligent Transfer Service used by Microsoft Corporation's operating systems to deliver patches via Windows Update, is being used by hackers to sneak malware past firewalls, according to Symantec researchers. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling, meaning downloads don't impact other network chores. It automatically resumes if the connection is broken.

Elia Florio, a researcher with Symantec's security response team, outlined why some Trojan makers have started to call on BITS to download add-on code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files. It's not easy to check what BITS should download and not download. Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs."

Symantec first caught chatter about BITS on Russian hacker message boards late last year and has been on the lookout for it since. A Trojan spammed in March was one of the first to put the technique into practice. "It's free and reliable, and they don't have to write their own download code," said Oliver Friedrichs, director of Symantec's security response group. Although BITS powers the downloads delivered by Microsoft's Windows Update service, Friedrichs reassured users that there was no risk to the service itself. "There's no evidence to suspect that Windows Update can be compromised. If it has a weakness, someone would have found it by now. But this does show how attackers are leveraging components and becoming more and more modular in how they create software."

News source: ComputerWorld

Report a problem with article
Previous Story

Warner Bros. to Offer Movies Online in Hong Kong

Next Story

Microsoft Viridian: Another Day, Another Delay

7 Comments

Commenting is disabled on this article.

umm wee? I use BITS in my programs under the local user accounts to download updates to my program... heck, its been around for a long time - nothing special... so in order for this to work you need to run the job as an admin, that means that the virus, which has already comprimised the system, needs full access - and if it has that, you have a bigger problem.

And if it doesn't affect Windows Update, why use it in the name other than to scare people?

I agree, even if what this article says is true, if you have malware running with full admin rights on your PC, your problem is hardly what might get installed next, it's getting rid what's already there that you should focus on.

i can't believe that the download service doesn't only download from microsoft.com, or one of their official url's...