back to article Malware authors subvert Windows Update

Malware authors might be able to subvert components of Windows Update to distribute viruses, security researchers at Symantec warn. Analysis by the security firm reveals that a recent Trojan distributed by email at the end of March 2007 used a Windows component named "BITS" (Background Intelligent Transfer Service) to download …


This topic is closed for new posts.
  1. Rick Taylor

    Closing the gate after the horse has bolted

    Hmmm... surely this isn't a security issue per-se. What the researchers have shown is that *after* a Trojan has successfully got onto a users machine it can use all the facilities of the native environment to do what it wants... and surely we all know this by now!

    In a simillar vein I have 'discovered' that once a Trojan has subverted my machine it can download software from anywhere using any method it wants! Is this *really* research or just headline grabbing?

  2. lansalot

    not-much ado about nothing

    BITS has loads of non-windows-update uses. We use it to distribute our own software updates over slow links between sites.

    Restricting it to 'approved' URLs is a non-starter and would cripple a particularly useful piece of technology.

    And as Rick says, it's only going to download ONCE you've got some malware already running on your PC - something has to initiate the job in the first place (and then mark it complete once finished). What difference does it make at that point how it has been downloaded?

    And that's assuming said first-piece-of-malware didn't kill the firewall, or open-up the firewall to just allow itself to do the downloading, first...

    As long as adding jobs to the queue is admins-only so those with no privileges can't slip through, this shouldn't really be much of an issue.

  3. Rich


    "Using BITS to download malicious files is a clever trick because it bypasses local firewalls..."

    But surely, you have an EXTERNAL firewall protecting your local network from the outside world, no? Even if it's just the one in your ADSL router.

    You DO have (and use) a firewall in your router, no?

  4. Graham Wood

    Missing the point.

    The previous comment about remote firewalls totally misses the point of using a windows service instead of another application.

    The majority of "local" firewalls do application based port blocking - for example your virus may not be able to connect out, whereas IE can.

    Remote firewalls cannot (unless they are very clever/expensive/integrated) filter based on the application making the connection - therefore since most of these downloads are likely to be via standard HTTP connections the firewall will be programmed to let them through.

    Unless of course your machine isn't able to browse the web, at which point it's all moot anyway.

  5. Nick Ryan Silver badge

    What they mean is...

    What they mean is... windows software firewalls "protect" the host system by blocking or allowing particular processes from accessing the Internet, the local network or acting as servers.

    Apart from the idiocy that MS inflicted upon any hope of *ever* securing a windows system by running pretty much everything through "svchost.exe" (block this and nothing works), this is a further way to allow external access that effectively bypasses a firewall. It's no more or less secure than "svchost.exe" however by throttling the bandwidth it's going to be less obvious to an end user that their system has been nobbled.

    An external firewall would still have to filter the connection, and whether this happens as a result of a "normal" Internet HTTP connection or one running through BITS, the job is the same.

  6. Gordon Fecyk

    Next on El Reg: "Malware authors subvert TCP/IP"

    Rick Taylor has it right. This has all of the scare-tactic feel of Steve "Raw Sockets" Gibson's rantings.

    Seems that's all John Leyden writes about these days; Windows permits this, Windows permits that, Windows can hide terrorists under every file and folder. Whatever. Keep unwanted software at bay, and you'll avoid all of this before the fact.

    Of course, the guy that practices safe computing is a nobody. But all hail the jerk who barely survived an attack. (Attributed to Orvile Fudpucker)

  7. William Donelson

    Suspicious Revenue streams: preventing viral infections


    I wonder how we can make more money from our anti-viral software?

    Let's rip this software to pieces, to find holes, then SCARE THE SH*T out of the punters.

    And if they don;'t pay attention, perhaps the method just might slip out of the lab and propogate in the real world...

    No! They wouldn't do that!

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019