  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
Trojan could be infecting computers through Microsoft update
Is Microsoft Update Infecting You? May 11, 2007 By Sean Michael Kerner
UPDATED: Tens of millions of Microsoft users get their security updates from the Microsoft Update service. But a researcher at security firm Symantec is alleging that users could potentially get something more than they bargained for.
A Symantec researcher said that Microsoft Update, which includes a component called Background Intelligent Transfer Service (BITS), could potentially be used by hackers to bypass security measures and attack users' PCs. BITS runs in the background on a Windows PC as an asynchronous download service for patch updates.
A Microsoft spokesperson confirmed to internetnews.com that Microsoft is aware of public reports that BITS is being used by TrojanDownloader:Win32/Jowspry to bypass policy-based firewalls in order to install additional malware.
According to Microsoft, the bypass relies on TrojanDownloader:Win32/Jowspry already being present on the system; it is not an attack vector for initial infection. The bypass most commonly occurs after a successful social-engineering attempt lures the user into inadvertently running TrojanDownloader:Win32/Jowspry, which then utilizes BITS to download additional malware.
Microsoft recommends that any users who believe they are affected by TrojanDownloader:Win32/Jowspry visit Windows Live OneCare safety scanner to scan their systems, determine if they are infected, and clean all currently known variants of this Trojan.
Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection, Symantec researcher Elia Florio wrote on the Symantec Security Response blog.
According to Florio, there is no workaround for a BITS-based attack and it is difficult to manage what should not be downloaded by BITS.
"Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs," Florio wrote.
Though the Symantec researcher is now bringing this issue to light, Florio said the hack community has been aware of the potential risk of BITS since it was cited as an "antifirewall loader" technique on a Russian forum at the end of 2006.
Florio's allegation comes as Microsoft wraps up its fifth Blue Hat Security conference. Blue Hat is Microsoft's closed-door security conference where the company invites security researchers up to its campus to discuss the latest bleeding-edge security research.
According to Microsoft's Blue Hat Security blog, Blue Hat v5 included a number of presentations about mobile and Web application hacking, as well as a session on how a security researcher, "cracked the Xbox 360."
Earlier this week Microsoft issued its monthly patch update fixing vulnerabilities in Microsoft Office, Internet Explorer and Exchange.
Source: www.internetnews.com/security/ar···/3677201
-- Specializing in "take-downs" of phishing and advance fee scams. Send your phishing/advance fee scams to: phish@antihotmail.com
Kill DRM @rr.com
Re: Microsoft update could be infecting computers with Trojan
Completely a non-story.
  Doctor Four My other vehicle is a TARDIS Premium join:2000-09-05 Dallas, TX
Reply to antiphishing: It isn't so much that MU is the infecting agent here; rather, the malware writers are using the process that MU uses, BITS (Background Intelligent Transfer Service), to get their trojans onto already compromised systems in such a way that firewalls wouldn't notice, as it's a trusted part of the OS.
It is the initial social engineering attempt that, if successful, opens the door for further exploitation of MU. -- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot) 09-F9-11-02-9D-74-E3-5B-D8-41-56-C5-63-56-88-C0: The number the MPAA doesn't want you to know about.
OZO Premium join:2003-01-17
Reply to antiphishing: Just turn it off with WU6.bat and have a life. -- Keep it simple, it'll become complex by itself...
La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
Reply to antiphishing: "Microsoft update could be infecting computers with Trojan"
That is incorrect:
...the bypass relies on TrojanDownloader:Win32/Jowspry already being present on the system.....The bypass most commonly occurs after a successful social-engineering attempt lures the user into inadvertently running TrojanDownloader:Win32/Jowspry, which then utilizes BITS to download additional malware. -- ~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
Reply to antiphishing: This isn't quite a non-story, but it's not much of one.
BITS is a service with unquestionable utility: programs such as Windows Update or your own application can use it to download updates when the internet is otherwise idle, and it's got all kinds of useful features (throttling, auto-detect of a network connection, restartability, prioritized transfers, etc.).
I would imagine that plenty of applications use this for phone-home updates: they submit a request, and then forget about it until the job-complete event fires (which could be much later), and they can then work with a full set of update files without worrying about whether this file made it and that one didn't.
Jobs are always transferred in the security context of the requesting user, so it's not like a non-admin user (or malware) can use this for privilege escalation.
So what about this "vulnerability"?
The first reaction ought to be "by the time this is an issue, the system is already compromised", and I'm generally sympathetic to that. Once you allow the bad guy to run code on your system, you're already way behind, and will be possibly unable to ever make it right.
My second reaction was "This is just a transfer mechanism", without an execution component, but because DSLR Security Forum readers expect just a little bit more, I actually read the BITS API.
It's possible to register a COM event for a JobTransferred callback (which is code execution), or to execute a program upon job complete. Both of these require code execution in the first place, but it doesn't seem inconceivable to me that a small bit of trampoline code at infection time could be used to provoke a bigger download + execute.
This would mostly bypass the firewall, though there are other techniques for doing the same thing (injecting the download code into IE, for instance), so it's merely a bit easier to do what would be somewhat more difficult without it: it's not an entirely new mechanism.
I don't know that there is a fix for this, or if there even should be. It's an extremely useful OS facility, one which makes the life of applications easier, and I don't know exactly how one would fix this without crippling the utility.
So: it's a thing, but not a big thing.
Steve -- Stephen J. Friedl · Unix Wizard · Microsoft Security MVP · Tustin, California USA · my web site
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
Slightly OT but related, and when I first read the topic I thought this was what I was going to see, at least in part.
Here's an interesting attack vector, one I'd love to see tested and be involved in testing, as it would be interesting, I think.
Going to Windows Update via the browser manually launches BITS, WU, etc. So what if a page using MS code or MS-like code was used to trigger a bogus update from a bogus site? Say a classic phish scam with a twist. Instead of targeting bank, eBay, PayPal, etc. sites to get money, they target Windows Update. The user visits this fake MS site, the site tells them they need these updates, they select them and go. At this point the BITS process takes over and downloads and installs these trojans.
To make the site look legit, once the user goes there it does scan and see exactly what updates are really needed and pulls those from Microsoft's own site. Once installed or installing, the user is even redirected to the real MS update site. -- Evil does exist and it has a face; too often that face is one that should look on their child with love in their eyes.
Instead only hate exists in those eyes.
  Derspankster Premium join:2003-02-12 Marion, OH
Reply to Steve. said by Steve: This isn't quite a non-story, but it's not much of one.
Thanks Steve - good response as usual. -- I thought I made a mistake once but I was wrong
La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
Reply to Steve. said by Steve: ....So: it's a thing, but not a big thing. Steve
Exactly. It's definitely not "Microsoft update could be infecting computers with Trojan", which is what I had a problem with.
Another case of you let bad things on your computer, other bad things can follow, in a myriad of ways. -- ~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~
  antiphishing Phishing Scam Terminator Premium join:2004-06-09 Wilkes Barre, PA
Reply to La Luna. said by La Luna: "Microsoft update could be infecting computers with Trojan" That is incorrect: ...the bypass relies on TrojanDownloader:Win32/Jowspry already being present on the system.....The bypass most commonly occurs after a successful social-engineering attempt lures the user into inadvertently running TrojanDownloader:Win32/Jowspry, which then utilizes BITS to download additional malware.
You're right, the 'subject line' is a bit misleading, so I made the correction.
Thanks for pointing it out. -- Specializing in "take-downs" of phishing and advance fee scams. Send your phishing/advance fee scams to: phish@antihotmail.com
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
Reply to La Luna. said by La Luna: Another case of you let bad things on your computer, other bad things can follow, in a myriad of ways.
I keep trying to stress this, and some people cannot understand it.
Keep sh** off, sh** can't run - can't do damage or call its friends to come have a party! -- Think outside the Fox... Opera
  Matt Take me down to the paradise city Premium join:2003-07-20 Jamestown, NC
Reply to antiphishing: Re: Trojan could be infecting computers through Microsoft update
So let me get this straight.
The Trojan has to ALREADY BE ON YOUR SYSTEM. But it's Microsoft Update's fault that you're infected?
WTF kind of idiocy is this?
Jesus Christ, Symantec. -- Oh I'm so creative and all my programs are so easy to use ...
  decadent Premium join:2002-04-02 Piscataway, NJ
Reply to antiphishing: I agree with Steve, but Microsoft should show in some visible place what is downloaded through BITS. Regarding IE 7.0 injection, I think it is different, because under a limited account and without explicit user action, it is hard to add something to IE or Firefox. Generally, any software, even from an established vendor (hopefully not MS or Mozilla), may contain a back door, so it is better to have additional ways of monitoring this.
Kill DRM @rr.com (from: Name Game)
Reply to Matt. said by Matt: WTF kind of idiocy is this? Jesus Christ, Symantec.
Like I said, non-story. If it wasn't BITS, it would be HTTP or FTP or any one of a thousand other methods, like the other 98% of vermin use to update. It is stupid to even be talking about how a virus updates itself after it infects the machine. What would be the point of discussion? "Gee, I've got XYZ virus. I'll shut off BITS, stay off the internet, block all outgoing ports and protocols, and unplug the network cable so it cannot update itself?" Fer realz, that will stop it! - The infected person does not even know they are infected. Their computer just gets slower and slower until they call me to come and fix it. Symantec must pump out progressively impressive-sounding stupid shit to stay in the limelight, and keep selling those yellow boxes at Wal-Mart.
  Steve I'm a PC, so shut up Consultant join:2001-03-10 Yorba Linda, CA
Reply to decadent. said by decadent: Regarding IE 7.0 injection, I think it is different, because under a limited account and without explicit user action, it is hard to add something to IE or Firefox.
I think you're misreading my suggestion about hijacking IE: it's not about whether you can do a drive-by install of an add-in, but whether one process can hijack a trusted-by-firewall process to make these outbound calls.
When doing this kind of hijacking, the badware opens another process, injects a bit of code, and then actually launches a thread inside that process. The other process itself is essentially unaware that this is going on, and if the user has whitelisted this process for access to the internet (IEXPLORE, your IM client, Outlook, etc.), then that access zips right out without a firewall notice.
I suspect that some firewalls may be able to detect these shenanigans (though I don't know how), but I'll note that Backstealth was a proof of concept that hijacked the firewall process itself to make its outgoing calls.
The ability to do this typically requires admin privs, which of course almost everybody (not me) has on their desktops (technically, it requires SeDebugPrivilege).
So we have to ask: how can BITS be used to hurt somebody that other mechanisms would have prevented?
First: users running as admin are already screwed if they run badware, so the BITS discussion is a silly one (the badware could just disable the firewall or whitelist itself, or install a rootkit). Admin users running badware are toast from the start.
So we look at non-admin users.
Users with no egress firewall are not harmed by BITS hijacking, because the badware could just do a direct outbound HTTP call to fetch the stuff directly without notice. I suspect that this is the typical case - users run just with whatever comes with Windows.
So we're now considering just users who run their own outbound firewalls, which is a very small minority (though this cohort is probably more clueful than the rest).
In order for BITS to be used to harm a user, a transfer request would have to be made by badware, and it would queue up a transfer request from some other place. BITS would attempt to download this data, bypassing the firewall, and perhaps launch a post-transfer program to complete the infection.
Mitigating factors:
1) The user has to somehow accept the badware.
2) The badware that's making the BITS request has to get past A/V and/or spyware software in the first place. This got on the machine somehow, and it's probably a file.
3) The stuff that was downloaded has to get past A/V as well. Just because BITS is allowed to make outbound requests doesn't mean that the transfer areas are excluded from A/V.
4) The target site providing the downloaded badware has to be available to provide the file, and as soon as this kind of infection is located, it's likely to get shut down sooner or later (much like phishing sites, for good or for bad).
BITS is a useful facility performing a valuable service, and I don't think that it's a bad thing in its own right. It can be abused - as can HTTP - and I don't know off the top of my head how one could rein in this service and still have it be useful.
One method, I suppose, would be to remove BITS from the firewall-exclusion list: then it would pop up every time it was going to make a connection, including to Windows Update. I predict that this would get very old very fast.
If egress firewalls permit fine-grained control, to allow whitelisting of a process to just particular URLs, it would certainly make this easier. One would grant permission to *.microsoft.com URLs from BITS, alarming on everything else.
But if a user can add something to a BITS whitelist, then the badware can too. I don't know how one solves this problem.
It's likely there is a way to make abuse of this useful service more difficult, but after looking at this for a while I'm really not left with any sense that this is any kind of big news as Symantec claims.
Steve -- Stephen J. Friedl · Unix Wizard · Microsoft Security MVP · Tustin, California USA · my web site
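An audit script in the spirit of the two suggestions above (decadent's "show what is downloaded through BITS" and Steve's "permit *.microsoft.com URLs from BITS, alarm on everything else"), added here as an example; it is not from the thread and not a Microsoft tool. It lists BITS jobs for all users, flags remote URLs whose host is not under an allow-listed domain, and flags any job with a post-transfer program configured, the "execute a program upon job complete" feature from Steve's first post. It assumes the BitsTransfer PowerShell module and an elevated prompt; the allowed-domain list is constructed for the example.

```powershell
# Audit BITS jobs for every user: report remote URLs whose host is not under an
# allow-listed domain, and any job that will run a program when it finishes.
# Assumes the BitsTransfer module (Windows 7 / Server 2008 R2 and later) and an
# elevated prompt, which Get-BitsTransfer -AllUsers requires.
Import-Module BitsTransfer

# Domain suffixes treated as legitimate update sources. Constructed for this
# example; extend it with the update hosts of the software you actually deploy.
$AllowedSuffixes = @('microsoft.com', 'windowsupdate.com')

function Test-AllowedHost {
    param([string]$HostName)
    if (-not $HostName) { return $false }
    $h = $HostName.ToLowerInvariant()
    foreach ($suffix in $AllowedSuffixes) {
        # Accept the domain itself or a subdomain of it. A plain substring test
        # would also accept a lookalike such as "microsoft.com.example".
        if ($h -eq $suffix -or $h.EndsWith('.' + $suffix)) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    $findings = @()
    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        foreach ($file in $job.FileList) {
            $uri = $null
            $parsed = [Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)
            # Unparseable URLs are reported too rather than silently skipped.
            if (-not $parsed -or -not (Test-AllowedHost $uri.Host)) {
                $findings += [pscustomobject]@{
                    Reason = 'Remote URL outside allow-list'
                    JobId  = $job.JobId
                    Name   = $job.DisplayName
                    Owner  = $job.OwnerAccount
                    State  = $job.JobState
                    Detail = $file.RemoteName
                }
            }
        }
        # NotifyCmdLine is the program BITS launches when the job reaches a
        # terminal state. The update clients described in the thread wait for
        # the completion event instead, so any value here deserves a look,
        # whatever the source of the files.
        $cmd = ($job.NotifyCmdLine -join ' ').Trim()
        if ($cmd) {
            $findings += [pscustomobject]@{
                Reason = 'Post-transfer program configured'
                JobId  = $job.JobId
                Name   = $job.DisplayName
                Owner  = $job.OwnerAccount
                State  = $job.JobState
                Detail = $cmd
            }
        }
    }
    return $findings
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

On systems without the module, `bitsadmin /list /allusers /verbose` prints the same job fields (remote names and notification command line) for manual review. As Steve notes, a list like $AllowedSuffixes is only as trustworthy as the account that can edit it, so keep the script and its list where the jobs' owners cannot write.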
  decadent Premium join:2002-04-02 Piscataway, NJ
said by Steve: When doing this kind of hijacking, the badware opens another process, injects a bit of code, and then actually launches a thread inside that process.
I agree. But with admin privileges they can modify the disk image of IE itself. It seems to be simpler than doing a code swap with a debugger.
said by Steve: I suspect that some firewalls may be able to detect these shenanigans (though I don't know how), but I'll note that
Right. I have noticed too that KAV 6.0 does not allow its own debugging, even for an administrator.
anony101 @bellsouth.net
Reply to Kill DRM. said by Kill DRM: said by Matt: WTF kind of idiocy is this? Jesus Christ, Symantec. Like I said, non-story. If it wasn't BITS, it would be HTTP or FTP or any one of a thousand other methods, like the other 98% of vermin use to update. It is stupid to even be talking about how a virus updates itself after it infects the machine. What would be the point of discussion? "Gee, I've got XYZ virus. I'll shut off BITS, stay off the internet, block all outgoing ports and protocols, and unplug the network cable so it cannot update itself?" Fer realz, that will stop it! - The infected person does not even know they are infected. Their computer just gets slower and slower until they call me to come and fix it. Symantec must pump out progressively impressive-sounding stupid shit to stay in the limelight, and keep selling those yellow boxes at Wal-Mart.
Who says anonymous users don't have anything valuable to contribute?
Good post, Kill DRM.
La Luna Surviving Ashraful Premium join:2001-07-12 Warwick, NY
Reply to antiphishing: Re: Microsoft update could be infecting computers with Trojan
said by antiphishing: said by La Luna: "Microsoft update could be infecting computers with Trojan" That is incorrect: ...the bypass relies on TrojanDownloader:Win32/Jowspry already being present on the system.....The bypass most commonly occurs after a successful social-engineering attempt lures the user into inadvertently running TrojanDownloader:Win32/Jowspry, which then utilizes BITS to download additional malware. You're right, the 'subject line' is a bit misleading, so I made the correction. Thanks for pointing it out.
I knew you'd see the "error" of your ways!! -- ~~"As long as America is an infidel enemy, terrorizing it is a duty." Sayed Imam Abdul-Aziz el-Sheriff~~
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
Reply to Kill DRM: Re: Trojan could be infecting computers through Microsoft update
said by Kill DRM: said by Matt: WTF kind of idiocy is this? Jesus Christ, Symantec. Like I said, non-story. If it wasn't BITS, it would be HTTP or FTP or any one of a thousand other methods, like the other 98% of vermin use to update. It is stupid to even be talking about how a virus updates itself after it infects the machine. What would be the point of discussion? "Gee, I've got XYZ virus. I'll shut off BITS, stay off the internet, block all outgoing ports and protocols, and unplug the network cable so it cannot update itself?" Fer realz, that will stop it! - The infected person does not even know they are infected. Their computer just gets slower and slower until they call me to come and fix it. Symantec must pump out progressively impressive-sounding stupid shit to stay in the limelight, and keep selling those yellow boxes at Wal-Mart.
One time, with some spyware or another, I trashed about 5 hosts that hosted what it downloaded. Just went in with an FTP client and deleted it all. The idiot author used a username and password and included it in an ini file. Of course I'm sure there were dozens of other hosts out there for the same crap. I think FTP and HTTP will be the number 1 way for a bit of crapware to download more crapware. Simply put, it's the easiest way to get by firewalls, by the user doing something stupid like clicking "allow the connection".
Using BITS is just a way to bypass that click-to-allow prompt. In the end it's really only going to allow the malware to do its crap a second or 3 faster, as if already infected the user has at least one non-so-called-driveby malware install and will happily click away at prompts anyway.
I've looked for these so-called drive-by downloads and installs with both Firefox and IE on this locked-down laptop that, well, nothing can install on. But it will tell me when something tries, by error message as it tries. -- Evil does exist and it has a face; too often that face is one that should look on their child with love in their eyes.
Instead only hate exists in those eyes.
ltsnow join:2006-04-08 Valdosta, GA
Reply to OZO: Re: Microsoft update could be infecting computers with Trojan
said by OZO: Just turn it off with WU6.bat and have a life
Thank you for this amazing batch file. It works so fast, I can't believe it.