Malware 'hijacks Windows Updates'

**Pixalo** · 16-05-2007, 08:50

Virus writers may be able to smuggle malicious files onto a computer using Microsoft's security patch updates, experts say.

At least one program is in circulation that can hijack a key component of Windows Update to introduce malicious software that could be used to hijack a computer.

The method bypasses users' firewall, allowing files to download undetected.

Microsoft said it was aware of reports of the attack.

Security expert Frank Boldewin said on his website reconstructer.org that he had recently noticed an e-mailed trojan - a type of program or message that looks benign but conceals a malicious payload - which was exploiting a Windows program known as the Background Intelligent Transfer Service (BITS).

BITS is used by Microsoft to download security patches and updates to Windows machines. Because it is part of the operating system, it is able to bypass local firewalls while it downloads.

Mr Boldewin found the trojan was piggybacking on BITS to download malicious files. He published "proof of concept" code to illustrate how it went about it.

Not suspicious

After analysing this code Elia Florio, a researcher at security firm Symantec, wrote in her blog: "Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection."

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

A spokesperson for the software giant said: "Microsoft is aware of public reports that Background Intelligent Transfer Service (BITS) is being used by TrojanDownloader:Win32/Jowspry to bypass policy-based firewalls in order to install additional malware.

"The bypass relies on [Jowspry] already being present on the system; it is not an attack vector for initial infection.

"The bypass most commonly occurs after a successful social engineering attempt lures the user into inadvertently running [Jowspry], which then utilizes BITS to download additional malware."

Security consultant Robert Schifreen told the BBC News website: "In some ways it is immaterial that it is using BITS.

"The simple message is not to get infected in the first place. Don't click on any links or attachments unless you are certain they are safe and use anti-virus software."

Microsoft recommended that anybody who thought they may have been infected with the Jowspry trojan should visit Windows Live OneCare safety scanner.

**Angela** · 16-05-2007, 11:46

Anyone had any experience or suffered as a result of this?

JMitchell · 16-05-2007, 14:07

Very clever, I can see this becoming a problem for casual home users. No matter how many times you are told, people always click on stuff

HHRC · 16-05-2007, 15:22

I ran the last windows update and i had Trojan attacks as a result, but Comodo firewall detected them and NOD32 removed them. Also, i use Firefox which is not susceptible to the same browser vulnerabilities as IE6/7 is.

**Markulous** · 16-05-2007, 15:44

Well, I (and those I deal with) never use Windoze Update for just this reason (well, OK, to avoid the probs with both the M$ site and the DLL errors introduced by their updates).

Use Autopatcher, a freeware consolidation of all the updates (which have been tried and tested, unlike M$'s poor QC). So, we all "suffer" from having security updates a little late by a few weeks but they all work by then (and firewall and AV protects the installations in the meantime!)

Dave Canon · 22-05-2007, 09:54

I think the best approach is to manage the risks as you cannot avoid them. I use Windows and Norton on-line updates so I do keep my computer up-to-date. I have all the generally recommended security measures for a home computer. I also regularly back up all of my data. So far this has been fine with no virus attacks getting through the defences. I have had two serious disk faults but lost no data due to the back ups.

In contrast, I have two friends who are so concerned about security that they will not even connect to the internet but both have recently suffered from fraud (debit card fraud in one case and credit card fraud in the other).

16-05-2007, 08:50	#1 (permalink)
Pixalo Pixalo Crew Join Date: Jun 2006 Posts: 2,601	Malware 'hijacks Windows Updates' Virus writers may be able to smuggle malicious files onto a computer using Microsoft's security patch updates, experts say. At least one program is in circulation that can hijack a key component of Windows Update to introduce malicious software that could be used to hijack a computer. The method bypasses users' firewall, allowing files to download undetected. Microsoft said it was aware of reports of the attack. Security expert Frank Boldewin said on his website reconstructer.org that he had recently noticed an e-mailed trojan - a type of program or message that looks benign but conceals a malicious payload - which was exploiting a Windows program known as the Background Intelligent Transfer Service (BITS). BITS is used by Microsoft to download security patches and updates to Windows machines. Because it is part of the operating system, it is able to bypass local firewalls while it downloads. Mr Boldewin found the trojan was piggybacking on BITS to download malicious files. He published "proof of concept" code to illustrate how it went about it. Not suspicious After analysing this code Elia Florio, a researcher at security firm Symantec, wrote in her blog: "Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection." However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered. A spokesperson for the software giant said: "Microsoft is aware of public reports that Background Intelligent Transfer Service (BITS) is being used by TrojanDownloader:Win32/Jowspry to bypass policy-based firewalls in order to install additional malware. "The bypass relies on [Jowspry] already being present on the system; it is not an attack vector for initial infection. "The bypass most commonly occurs after a successful social engineering attempt lures the user into inadvertently running [Jowspry], which then utilizes BITS to download additional malware." Security consultant Robert Schifreen told the BBC News website: "In some ways it is immaterial that it is using BITS. "The simple message is not to get infected in the first place. Don't click on any links or attachments unless you are certain they are safe and use anti-virus software." Microsoft recommended that anybody who thought they may have been infected with the Jowspry trojan should visit Windows Live OneCare safety scanner. __________________ Photography Equipment Reviews \| Free photography gallery for every member

16-05-2007, 11:46	#2 (permalink)
Angela Pixalo Crew Join Date: Aug 2006 Location: Wimbledon Posts: 5,851	Re: Malware 'hijacks Windows Updates' Anyone had any experience or suffered as a result of this?

16-05-2007, 14:07	#3 (permalink)
JMitchell Feet under the table Join Date: Jan 2007 Location: London, England Posts: 3,520	Re: Malware 'hijacks Windows Updates' Very clever, I can see this becoming a problem for casual home users. No matter how many times you are told, people always click on stuff

16-05-2007, 15:22	#4 (permalink)
HHRC Getting Comfy Join Date: May 2007 Posts: 170	Re: Malware 'hijacks Windows Updates' I ran the last windows update and i had Trojan attacks as a result, but Comodo firewall detected them and NOD32 removed them. Also, i use Firefox which is not susceptible to the same browser vulnerabilities as IE6/7 is.

16-05-2007, 15:44	#5 (permalink)
Markulous Pixalo Crew Join Date: Jul 2006 Location: Peak District Posts: 9,691	Re: Malware 'hijacks Windows Updates' Well, I (and those I deal with) never use Windoze Update for just this reason (well, OK, to avoid the probs with both the M$ site and the DLL errors introduced by their updates). Use Autopatcher, a freeware consolidation of all the updates (which have been tried and tested, unlike M$'s poor QC). So, we all "suffer" from having security updates a little late by a few weeks but they all work by then (and firewall and AV protects the installations in the meantime!)

22-05-2007, 09:54	#6 (permalink)
Dave Canon Forum Regular Join Date: Nov 2006 Location: Cheltenham Posts: 505	Re: Malware 'hijacks Windows Updates' I think the best approach is to manage the risks as you cannot avoid them. I use Windows and Norton on-line updates so I do keep my computer up-to-date. I have all the generally recommended security measures for a home computer. I also regularly back up all of my data. So far this has been fine with no virus attacks getting through the defences. I have had two serious disk faults but lost no data due to the back ups. In contrast, I have two friends who are so concerned about security that they will not even connect to the internet but both have recently suffered from fraud (debit card fraud in one case and credit card fraud in the other). __________________ Regards Dave http://www.cheltenhamcameraclub.co.uk/

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Nikon Software Updates	Dabhand16	News	0	27-05-2007 09:40
Security Updates	jockwav	Computer hardware, software, networking and internet	1	16-12-2006 20:04
Firmware Updates ???	Sparhawk	General photography questions and answers	7	27-09-2006 09:40