209 comments

Typical Microsoft response (5, Funny)

Black Parrot (19622) | more than 6 years ago | (#19145227)

From TFA:

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

That makes me feel so much safer.

Re:Typical Microsoft response (4, Informative)

Silver Sloth (770927) | more than 6 years ago | (#19145307)

Much as I'm no M$ fanboy they do have some justification. The 'new' aspect here is how the virus downloads additional malware, not the initial attack vector.

However, given the time I spend helping my less technical friends clean up their PCs you do definitely have a point!

Re:Typical Microsoft response (3, Interesting)

Ravnen (823845) | more than 6 years ago | (#19145963)

I think the issue is that this can help malware to hide itself on a machine it's already infected, by using this BITS service to silently bypass policy settings. BITS itself runs with 'SYSTEM' privileges (the closest thing to 'root' there is on Windows), but I can't tell from the article if malware run by a normal user can hijack BITS, or if it has to be run by an administrator. In the first case, I'd consider it a security vulnerability, but not in the second.

Re:Typical Microsoft response (4, Funny)

SparkyFlooner (1090661) | more than 6 years ago | (#19145393)

..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

Re:Typical Microsoft response (1, Funny)

Kynmore (861364) | more than 6 years ago | (#19145555)

Except for the time travel part, I wonder how far off we are from seeing corporate SWAT teams go in for the kill on people who fux up their products, steal insider info, etc. Rise of the Megacorps!

Re:Typical Microsoft response (-1, Flamebait)

ajs318 (655362) | more than 6 years ago | (#19145621)

No, they should have designed their operating system properly in the first place and then they wouldn't need to respond to incidents like this. Changing important system files without the user's say-so ought to be a definite no-no. Microsoft, however, believe that (1) they know what is best for the user (hence there are some things that even an Administrator can't do) and (2) their software is worth more than your data (hence there is no obvious way to make USB sticks read-only for non-Admin users).

Re:Typical Microsoft response (5, Insightful)

Vancorps (746090) | more than 6 years ago | (#19146329)

huh? I mean seriously, huh? What century are you in?

On Windows 2000 and later you can make USB sticks read-only for non-admin users through group policy. System file changes do require the user to intervene, even if the user isn't aware; system file changes are logged and have been logged since Windows 2000 "self-healing" became prevalent. With XP SP2 things became more obvious, and with Vista things are blatantly obvious when there is a system change as the Allow/Cancel dialog pops up.

Seriously, why make a point about the operating system being designed improperly if you're going to support it with completely false evidence. You could at least use real evidence like memory management and service dependency problems in the Windows world. It would be real, it is a poorly designed system but despite that they make it work for the vast majority of users out there.

Linux systems are just as susceptible to trojans of this sort. When the user opens something from an untrusted source and blindly clicks like would be required in Vista then almost anything is possible. There are ways to mitigate the risks on both sides but typical setups will still be quite susceptible.

I'm curious what you think Administrator can't do on a Windows system as well; perhaps you mean they don't make potentially dangerous features readily accessible? Perhaps you mean the protected-mode nature of the kernel preventing flashing of internal firmware, which also isn't a problem? Add in PowerShell and I'm thoroughly confused as to what you think administrative users can't do.

Re:Typical Microsoft response (0)

Anonymous Coward | more than 6 years ago | (#19146669)

In Windows land, 98% of users are Admin. Nobody even heard of group policies unless they read some clever OS trick on a popular site. I don't say they are fools, they are just normal users.

An obvious way could be forcing the user to use their computers as non-admin, and giving easy/practical access to that specific setting. It is not very obvious if you tell users to make their own group access policy on a home computer. These people barely checked their disk unless they were instructed to do so.

Let me tell the hard way. Get rid of FAT support on Windows, which is the root of the entire USB stick problem. Force users to use NTFS, which has a clue about user rights. Give them hell if they keep using that junk. Let me give an example: Apple refuses to index FAT-formatted drives via the Spotlight engine. Obviously they don't want to endanger their users' private data on a filesystem which should already have gone away with floppies. At least they don't want to be part of the problem. I don't claim NTFS or HFS+ or anything else other than FAT is perfectly secure; I am saying at least they aren't that easy to steal data from.

They won't remove FAT anytime soon since even high-end cameras come with... FAT-formatted memory! Yes, professionals keep their expensive data on a non-journaled, impossible-to-fix, zero-security filesystem thanks to camera/memory vendors. They also pay $$$ to Microsoft for that junk! Every single USB stick sold is another FAT.

Who forced them this time? Ext2 or even HFS+ filesystem open there along with source. Who forced large USB key vendors? I'd trade NTFS anytime to FAT even on OS X.

Re:Typical Microsoft response (1)

Ornedan (1093745) | more than 6 years ago | (#19146925)

Though I do agree that FAT should be ditched, your argument about other filesystems being inherently more secure is false. The data is no more encrypted by using EXT or NTFS than it is by using FAT. About the only added complication I can see is that the attacker might in some cases need root on the box they use to read the disk - depending on whether the driver used respects access control bits.

Re:Typical Microsoft response (0)

Anonymous Coward | more than 6 years ago | (#19145685)

Oh, you mean like Time Runner (http://imdb.com/title/tt0108342/)

Or perhaps The Time Guardian (http://imdb.com/title/tt0094152/)

Re:Typical Microsoft response (0)

Anonymous Coward | more than 6 years ago | (#19145725)

That sounds about right.

Re:Typical Microsoft response (2, Funny)

HTH NE1 (675604) | more than 6 years ago | (#19146199)

"Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

They call it ConunDRM.

Re:Typical Microsoft response (0)

Anonymous Coward | more than 6 years ago | (#19146793)

"Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

Yeah, so they can inflict a little bit of Van Dammage!

Just hope Frank Zito doesn't show up on behalf of the malware guys though...

Re:Typical Microsoft response (1)

vertinox (846076) | more than 6 years ago | (#19146919)

..well...what SHOULD the response have been? "Microsoft has also set up a military strike team that can travel through time, stopping virus and trojan developers before they infect the future."

Sure, but I think it would be more cost effective if they made the OS impossible to have a Trojan in the first place.

Here is my take... A 3rd party application should never... EVER be able to modify anything with the OS unless the user specifically jumps through hoops of fire to allow this. It should not be a cancel-or-allow type of thing; you should specifically have to go and enable a root account and click through at least two prompts, one requiring an admin account password. A 3rd party program should not be able to call this feature automatically; it must be initiated by user action.

The maximum amount of damage any program should be allowed to do is delete your home directory.

The problem here is that this program, if it does get run on someone's computer, has the ability to attack the OS (or get the OS to do something automatically without user intervention), which IMO is a big no-no for OS design.

Re:Typical Microsoft response (3, Insightful)

gazbo (517111) | more than 6 years ago | (#19145413)

It's even worse than you think. I've just examined some viruses in the wild, and every last one hijacks standard Windows system calls in order to read and write to the file system. Some have even found a way of hijacking the GDI to display adverts to users.

When will Microsoft patch these vulnerabilities?!

Re:Typical Microsoft response (1)

0racle (667029) | more than 6 years ago | (#19145433)

I bet if you replaced Microsoft with Red Hat and BITS with any local root exploit you'd be saying how much more secure Linux is.

Re:Typical Microsoft response (4, Insightful)

MillionthMonkey (240664) | more than 6 years ago | (#19145521)

No OS is immune to Trojans, especially when they are intentionally installed by clueless users. I saw this article summary and thought a worm was going to arrive today on Windows Update.

Not that it would matter- I always choose "Custom Install" anyway because otherwise I'll end up with Windows Genuine Advantage which I think fits the definition of a Trojan.

Re:Typical Microsoft response (1)

Vancorps (746090) | more than 6 years ago | (#19146427)

Cheers to that, I thought the same thing. In my company I have to authorize all the updates which get pushed to all the workstations so such a thing wouldn't work here even if it were possible. WGA is the sole reason I'm always careful come update day, I always have to make sure its not selected, I wish SMS had a hide forever feature like Automatic update does.

Re:Typical Microsoft response (0)

Anonymous Coward | more than 6 years ago | (#19146509)

Don't blame users. It's the Windows operating system's design that's at fault here.

Re:Typical Microsoft response (2, Insightful)

J0nne (924579) | more than 6 years ago | (#19145879)

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.

Well, Microsoft's response makes a lot of sense. You could trick a user into running sudo trojan.sh on Ubuntu too. After that the user is screwed anyway, as trojan.sh could contain anything, including something that edits /etc/apt/sources.list to point at the attacker's repos.

What do you want MS to do to stop this from being possible? If the user runs a random executable as root/admin that modifies the system, he's screwed on any OS. If the executable got onto the system through a security hole, that hole should be plugged.

I don't like MS either, but cut them some slack here...

Re:Typical Microsoft response (0, Redundant)

Phu5ion (838043) | more than 6 years ago | (#19146271)

Yet another "what should their response have been" reply.

MS spokesperson: We have a workaround. Go download and install Linux today!

ZoneAlarm (0)

faloi (738831) | more than 6 years ago | (#19145245)

I would've sworn ZoneAlarm flagged Windows Update attempts. I guess I need to double check when I get home.

Re:ZoneAlarm (1)

Jessta (666101) | more than 6 years ago | (#19146355)

Note: if you have malware installed on your computer with administrator privileges you can't trust your software firewall. You can't trust your anti-virus. You can't trust your OS installation at all.

Yes, you can. (2, Insightful)

DrYak (748999) | more than 6 years ago | (#19146931)

if you have malware installed on your computer with administrator privileges [...] You can't trust your OS installation at all.

No, I don't agree.

No matter what, buggy drivers, compromised machine, spilled coffee, you can always count on your trustworthy old friend, mister Blue-Screen©® !

Your machine has just been updated (5, Funny)

liledevil (1012601) | more than 6 years ago | (#19145273)

14 new viruses have just been installed
please restart your machine to become a zombie

Re:Your machine has just been updated (0)

Anonymous Coward | more than 6 years ago | (#19145717)

Brains...

Re:Your machine has just been updated (4, Funny)

thestudio_bob (894258) | more than 6 years ago | (#19146777)

14 new viruses have just been installed
please restart your machine to become a zombie

Accept or Deny?

This will never get old...

Makes me wonder . . . (1)

SpeedyGonz (771424) | more than 6 years ago | (#19145283)

. . . why didn't this happen before?

Did it happen before and just now somebody found out?

Re:Makes me wonder . . . (2, Insightful)

plover (150551) | more than 6 years ago | (#19145631)

. . . why didn't this happen before? Did it happen before and just now somebody found out?

Well, that's exactly the problem with undisclosed vulnerabilities. You never know if someone has used them before or not. At least publishing a vulnerability will make sure that if someone was exploiting it, they'll be out of business once it's patched.

Re:Makes me wonder . . . (1)

zero_offset (200586) | more than 6 years ago | (#19146205)

RTFA. It doesn't exploit Windows Update.

First you install a trojan. Then the trojan uses a background FTP process (which is also used by Windows Update) to download additional malware -- but your machine is already compromised at that point.

Not one of the better MS Patents... (4, Funny)

ITMagic (683618) | more than 6 years ago | (#19145295)

Ah! One of the many Microshite's patents that didn't manage to make it into the Linux sourcecode. Perhaps Novell could implement this feature?

Correct link (5, Informative)

Random Walk (252043) | more than 6 years ago | (#19145297)

Frank Boldewin's site is http://www.reconstructer.org/ [reconstructer.org], not http://www.reconstruction.org/ [reconstruction.org].

Re:Correct link (0)

Anonymous Coward | more than 6 years ago | (#19145487)

Frank Boldewin's site is http://www.reconstructer.org/ [reconstructer.org], not http://www.reconstruction.org/ [reconstruction.org].

What's worse? A weird Christian page or one that consists only of Flash?!

Re:Correct link (1)

morgan_greywolf (835522) | more than 6 years ago | (#19145769)

What's worse? A weird Christian page or one that consists only of Flash?!

The weird Christian page; unless you happen to be running Linux x64.

Makes perfect sense (3, Insightful)

Megaweapon (25185) | more than 6 years ago | (#19145301)

With a lot of people doing auto-updates, might as well target what will be the predictable weak link. I'd bet some people have their auto-update run more often than their virus scanners anyway.

Re:Makes perfect sense (0)

Ilgaz (86384) | more than 6 years ago | (#19146313)

It is a very bad thing. The people Microsoft could hardly manage to get to enable auto updates via several nag tactics will disable the setting now. All the framework and digital signatures mean nothing.

I really hope MS fires whoever is responsible for that glitch. I enabled auto updates on every single non-technical user's Windows machine I know. Now they will get the latest and greatest spyware, even with auto-resume options and... version checking!

Security quiz linked from TFA (5, Funny)

AmIAnAi (975049) | more than 6 years ago | (#19145311)

Linked off TFA is a quiz checking readers' knowledge of computer security issues. I just love the first answer for question 10:

What is a DDoS attack?

A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

That's one botnet I'd happily join

Re:Security quiz linked from TFA (1)

iainl (136759) | more than 6 years ago | (#19145347)

It's a bloody good job the BBC are big enough to withstand a slashdotting, otherwise that would be looking a bit foolish...

Re:Security quiz linked from TFA (0)

Anonymous Coward | more than 6 years ago | (#19145729)

What is a DDos Attack?
In layman's terms
If your under a DDOs attack..
You keep on Knock-in but-cha can't get in

Re:Security quiz linked from TFA (1)

mowall (865642) | more than 6 years ago | (#19146973)

What is a DDoS attack?

A: Guerilla activism by open source software advocates in which they uninstall Windows on a PC and replace it with Linux

Ah, that'll be a "Die Dreadful Operating System!" attack.

Windows is safe! (5, Funny)

Anonymous Coward | more than 6 years ago | (#19145317)

Hi,
I have my own awesome blog whose url I certainly don't need to post here since I expect you all to know it already.

I just talked with my friends at Microsoft and they told me that

"Windows is safe!"

and it seems ridiculous to care about such small issues when 9/11 was only 6 years ago. You people should really step aside and look at the things from another perspective.

Maybe from above like the Lord does.

I'd rather go to church and pray to the Lord for fewer terrorists than be part of this smear campaign against the blessed world leader of IT.

Bill and Melinda think of the children. Do YOU?

Re: Windows is safe! (1)

Black Parrot (19622) | more than 6 years ago | (#19145401)

I'd rather go to church and pray to the Lord for fewer terrorists than be part of this smear campaign against the blessed world leader of IT.

Surely it's not too much trouble to pray that your Windows box will be secure too, while you're at it.

Re: Windows is safe! (2, Funny)

Anonymous Coward | more than 6 years ago | (#19145851)

Well, He might be omnipotent enough to create logical fallacies and Creationists, but that doesn't mean He's powerful enough to fix Windows.

Re:Windows is safe! (1)

ajs318 (655362) | more than 6 years ago | (#19145673)

The Gateses are atheists (proof that someone can't be all bad). Your prayers aren't going to make any difference to them.

After having read TFA... (0, Offtopic)

akarnid (591191) | more than 6 years ago | (#19145329)

I've come to the conclusion that reformed ministers in Japan do moonlight as malware/bug/virus hunters. Too bad I couldn't find anything on his site tho :)

A little overstated (3, Informative)

140Mandak262Jamuna (970587) | more than 6 years ago | (#19145429)

Yes, it makes life a little easier for the hackers, after they have compromised your system. But all users whitelist their browsers in their firewall software to make outbound connections. So in what way is it more dangerous than the virus using IE (or Firefox for that matter) to download more bad stuff onto the computer? Once the machine is compromised, it can even use ftp to download stuff. Don't blame ftp or Firefox or IE. Blame the OS that allows the machine to be compromised so easily.

Re:A little overstated (1)

0123456 (636235) | more than 6 years ago | (#19145481)

"But all users whitelist their browsers in their firewall software to make outbound connections."

Speak for yourself. I have Zonealarm block every IE connection unless I specifically allow it... no way will I trust that piece of crap to go talking to random web sites without permission.

Re:A little overstated (1)

140Mandak262Jamuna (970587) | more than 6 years ago | (#19145971)

Well, have you whitelisted Firefox? Or do you click "allow" every time you launch the browser? Looks like you are paranoid enough to avoid trojans. But if you do get such malware, and if it uses Firefox to download more stuff, would you blame Firefox?

Re:A little overstated (1)

mhall119 (1035984) | more than 6 years ago | (#19146589)

Presumably even if you have Firefox whitelisted and a trojan uses it to download more malware, that malware can only be run with user permissions, not "System" permissions like BITS has. Therefore the amount of damage Firefox can do on a decently designed OS is limited to the damage a non-privileged user account can do, and no more.

Re:A little overstated (1)

CerebusUS (21051) | more than 6 years ago | (#19146801)

BITS doesn't do installs, it only does rate-limited transfers. Malware downloaded by BITS would still need higher-level privs to install into the system. All BITS does is avoid the "XXX program is trying to use the internet" message that windows throws up.

Re:A little overstated (1)

jrumney (197329) | more than 6 years ago | (#19145639)

My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

Re:A little overstated (1)

140Mandak262Jamuna (970587) | more than 6 years ago | (#19146035)

My guess is that it can overwrite protected system files, and gain kernel level privileges using this attack vector.

But it is a conjecture or speculation on your part. It is possible that MSFT has given more privileges to BITS than to other parts and a privilege escalation vulnerability could be found in future. But as of now, malware using the Windows downloader is no different from malware using Firefox, Infernal Exploder or plain vanilla ftp.

WGA (3, Funny)

Anonymous Coward | more than 6 years ago | (#19145431)

The good news is that it only installs the malware if you're running Genuine windows.

Manual updates at risk? (1)

Urban Garlic (447282) | more than 6 years ago | (#19145443)

It sounds from the article (yes, I read it, no, I'm not new here...) like surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware right at that time.

If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download?

Re:Manual updates at risk? (0)

Anonymous Coward | more than 6 years ago | (#19145661)

I don't believe you RTFA as it specifically states: "The bypass relies on [Jowspry] already being present on the system; it is not an attack vector for initial infection.

The bypass most commonly occurs after a successful social engineering attempt lures the user into inadvertently running [Jowspry], which then utilizes BITS to download additional malware."

HTF did you interpret that as "surfing to a malicious website will cause this BITS background downloader to then pull in additional firewall-bypassing malware"??

In any case, with interpretations like that, you certainly fit right in with the rest of the /. crowd...

-AC

Re:Manual updates at risk? (1)

EvilGrin666 (457869) | more than 6 years ago | (#19145765)

If I only ever do manual updates on windows, by manually surfing to windowsupdate.com, am I at risk for this? It's not actually necessary to run BITS in order to keep a Windows system up to date.

Manual downloads from Windows Update use BITS. Check %SYSTEMROOT%\WindowsUpdate.log while doing an update if you're curious.

Also, it's not clear from TFA whether this can be stopped by privilege separation -- if I'm surfing as a low-priority user and hit this malware, can it still make BITS do the more-malware download?

BITS runs as a service under the SYSTEM account. It can do whatever it wants. However, it needs to be woken up to do it, as its default service state is set to 'Manual'.

Re:Manual updates at risk? (2, Insightful)

Copperhamster (1031604) | more than 6 years ago | (#19146905)

BITS is just yet another way of delivering software to your machine. It's supposed to allow you to download stuff like updates without hogging all your bandwidth. Works well on cable/dsl. Dial up or ISDN, not so much. There are other companies that use BITS for various other applications, for example Sony OE uses it when they are rolling out a big big patch in SW: Galaxies to roll parts of it out early, in theory while you are playing without impacting your game. Again, on Dial up or ISDN that doesn't work so well, so they let you turn it off. Imho it was only a matter of time before BITS was hijacked for this purpose. I'm not saying I saw this coming, I really hadn't thought about it, but it's just another vector for malware to get to the internet and download software to your machine. A vector that is normally 'trusted'.

Again, the kicker is that (as I understand things) there has to already be some program (malware) on your computer to request additional malware through BITS. That malware could conceivably be a Java or ActiveX program running in your browser, or something an exploit causes to be dropped and run. BITS is not an attack vector in and of itself at this time.

I imagine Vista would probably pop up a confirmation window about allowing something access to BITS if you were running as a low-privilege user, but I'm not sure.

Let me be the first to say... (5, Funny)

SadGeekHermit (1077125) | more than 6 years ago | (#19145461)

If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

Me, I'm relaxed and enjoying a soda.

Re:Let me be the first to say... (1)

value_added (719364) | more than 6 years ago | (#19145935)

If you were all using Linux or OS/X, you could watch this catastrophe with detached amusement instead of butt-clenching fear.

Ok, so I feel detached and amused, but I'm still left wondering why it is that Windows users always seem to have all the new neato features.

From Symantec's Malware Update with Windows Update [symantec.com]

It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth. It's a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want.
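The Symantec excerpt above points out that BITS is a programmable service, and the same property cuts the defender's way: every BITS job is a persistent object that the service itself will enumerate, including jobs created by processes that are no longer running. The following PowerShell script is an added example (not from this thread, Symantec, or Microsoft) that lists all BITS jobs on a host and flags any whose remote URL is not on an allow-list of expected update sources. It assumes the BitsTransfer module is available and that the session is elevated, which `-AllUsers` requires; the allow-list hosts are placeholders to be replaced with the update sources your environment actually uses.

```powershell
# Added example: audit BITS jobs and flag transfers from unexpected hosts.
# Requires the BitsTransfer module and an elevated session for -AllUsers.
Import-Module BitsTransfer

# Hypothetical allow-list; replace with the update hosts your environment uses.
$AllowedHosts = @(
    'download.windowsupdate.com',
    'windowsupdate.microsoft.com',
    'download.microsoft.com'
)

function Test-AllowedHost {
    param([string]$Url)
    try {
        $uri = [System.Uri]$Url
    } catch {
        return $false          # unparsable remote name: treat as suspicious
    }
    foreach ($h in $AllowedHosts) {
        if ($uri.Host -ieq $h -or
            $uri.Host.EndsWith(".$h", [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# -AllUsers returns jobs owned by every account, including SYSTEM.
$jobs = Get-BitsTransfer -AllUsers
foreach ($job in $jobs) {
    foreach ($file in $job.FileList) {
        $flag = if (Test-AllowedHost $file.RemoteName) { 'ok' } else { 'REVIEW' }
        [PSCustomObject]@{
            Status  = $flag
            Owner   = $job.OwnerAccount
            JobName = $job.DisplayName
            State   = $job.JobState
            Remote  = $file.RemoteName
            Local   = $file.LocalName
        }
    }
}
```

The output is one row per file in each job, so a job pulling a binary from a host outside the allow-list shows up as `REVIEW` together with the owning account and the local path it will be written to. The legacy `bitsadmin /list /allusers /verbose` command shows the same information, and the Microsoft-Windows-Bits-Client/Operational event log records job creation and completion, which is the more durable place to look once a job has been cancelled or completed.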

Re:Let me be the first to say... (1)

Dragonslicer (991472) | more than 6 years ago | (#19146591)

It's an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth

Is there anything else to say besides "Uhhhh...."?

Snort (2, Interesting)

anss123 (985305) | more than 6 years ago | (#19146373)

I'm sitting here on Windows chuckling over so called geeks that don't understand the issue at hand. If a computer is compromised, then the software firewall can be disabled. The BITS stream that comes out of the comp can be emulated by software on Linux and Mac OS, to the same effect as Windows.

The "news" here is that there is software capable of doing this, not that it can't be done. True, BITS is a protocol created to work around firewalls, but it is hardly the only protocol engineered to do that.

Oh, and Mac's suck because they crash all the time. *ducks*

Re:Snort (1)

SadGeekHermit (1077125) | more than 6 years ago | (#19146513)

UUUUUUUHHHHH, not so fast there, professor.

I understand the issue at hand perfectly. Microsoft uses the BITS protocol to manage Windows Update downloads and work around firewalls. A trojan that gets ahold of your windows system can use the BITS system to implement updates and installs of malware, thus making malware maintenance as convenient as Windows Update itself.

So, not only is your Windows box easy to hose because it's got so many critical vulnerabilities and Microsoft (not being open source) is the only source for patches and updates, but once you're hosed, your friendly neighborhood hacker can use WINDOWS UPDATE ITSELF to maintain his "software"!

Again, I say: if you were using Linux or OS/X you could enjoy all this with the same detached amusement that I do.

As you were... :)

Overblown (4, Informative)

MrNonchalant (767683) | more than 6 years ago | (#19145517)

It should be pointed out that malicious code needs to already be running on the host machine to use this.

Re:Overblown (1)

Volante3192 (953645) | more than 6 years ago | (#19145867)

This is Windows we're talking about though.

Sure, easy attack on Windows here, but I'd think given a couple months the odds are in the virus writer's favour.

Can you safely disable BITS? (3, Interesting)

guanxi (216397) | more than 6 years ago | (#19145571)

I've considered disabling the BITS service before (i.e. via services.msc), especially since I usually run Windows Update manually. But I read hints that it may break other applications, including from Microsoft's documentation [microsoft.com]:

You should not set the Startup Type to Disabled. Disabling BITS may break applications, such as Windows Update, that rely on BITS to transfer files.

However, I've never found anything more specific -- does anyone know the consequences of disabling BITS?

Re:Can you safely disable BITS? (1)

figleaf (672550) | more than 6 years ago | (#19145669)

Why don't you also go ahead and disable HTTP also. Surely malware can also use HTTP.

I have it disabled on all my Windows machines... (1)

mario_grgic (515333) | more than 6 years ago | (#19145889)

and everything except automatic updates works (which is what I want). However, to manually update Windows, you still must enable automatic updates, since the updater ActiveX control checks if the service is set to run automatically and is actually running.

Automatic Updates service depends on BITS, so you have to start both and change their startup type to Automatic, at least temporarily until you finish with the manual updates.

I have (an MKS) Korn Shell script that does this before I do manual updates and sets them back to disabled after the update.
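The enable/update/disable cycle described above, written as a PowerShell script rather than the poster's MKS Korn Shell script (this is an added example, not the poster's code). It assumes PowerShell 3 or later for `Get-CimInstance`, an elevated prompt, and the two service names BITS and wuauserv (the Automatic Updates service); the original startup mode of each service is recorded and restored, so it also works on a box where BITS was left at its default 'Manual' setting rather than 'Disabled'.

```powershell
# Added example: temporarily enable BITS and Automatic Updates for a manual
# Windows Update session, then restore both services' previous startup modes.
# Run from an elevated prompt.
$Services = @('BITS', 'wuauserv')   # BITS and the Automatic Updates service

# Record each service's current startup mode (WMI reports Auto/Manual/Disabled)
# so the script restores exactly what was there instead of a hard-coded value.
$saved = @{}
foreach ($name in $Services) {
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    $saved[$name] = if ($mode -eq 'Auto') { 'Automatic' } else { $mode }
}

try {
    # Set both to Automatic and start them; wuauserv depends on BITS, and
    # Start-Service brings up dependencies first.
    foreach ($name in $Services) {
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
    }
    Write-Host "BITS and Automatic Updates are running; run Windows Update now."
    Read-Host  "Press Enter when the update session is finished"
}
finally {
    # The finally block also runs on Ctrl+C, so the services are never left
    # enabled by accident. Stop the dependent service first, then BITS.
    foreach ($name in @('wuauserv', 'BITS')) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType $saved[$name]
    }
}
```

Stopping BITS while a transfer job is in progress does not delete the job; it stays queued and resumes the next time the service starts. Keeping the service disabled is an administrative preference, not a security control: anything already running with administrative rights can change the startup type back with the same Set-Service call this script uses.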

Re:Can you safely disable BITS? (1)

dknj (441802) | more than 6 years ago | (#19146393)

no let me stop this stupid flow of ideas. you can stop or disable BITS, but it won't do you any good. the malware must be installed first to take advantage of it, so unless you actually remove BITS from your system (not likely) malware can just contact the service control manager and re-enable the BITS service (run sc from the command prompt or read up on WMI if you want to learn more about controlling services from scripts/batch files).

of course the malware could also just use your favorite networking stack and contact its remote server via HTTP anyway.. so this article is a whole lot of hoopla about nothing. can we move on now?

Nice work! A program to infect an already ... (2, Funny)

figleaf (672550) | more than 6 years ago | (#19145577)

...infected machine!! Man who knew that would be even possible?

and yet... (1)

dAzED1 (33635) | more than 6 years ago | (#19145601)

and yet, people still believe this crap [slashdot.org] - that MS is only hit far more often per install because it's a more tempting target due to numbers alone, not lack of security as part of the design process.

Eh. What can ya do.

Re:and yet... (4, Insightful)

drinkypoo (153816) | more than 6 years ago | (#19145735)

How is this Microsoft's fault? It's a trojan. The system has already been compromised. Hey, if I can get you to run my shell script as root, then I can add my own sources to your sources.list and use apt to install my rootkit! Debian must be insecure!!@#!#!#!

Re:and yet... (2, Insightful)

ajs318 (655362) | more than 6 years ago | (#19146237)

Yeah, cos Apache HTTPD powers 2/3 of all web servers (and about half the rest are based on bastardised versions of the Apache codebase or its NCSA predecessor), and gets 2/3 of all web server exploits directed at it.

Oh, wait, that's bollocks. And so is your argument.

Microsoft's Makes a Buck, However (5, Funny)

VE3OGG (1034632) | more than 6 years ago | (#19145667)

Dear Sirs,

Your Trojan, named 1337-5ki11z, violates 387 Microsoft patents, including patent 666-1345-876-666 ("screwing the user over"). We do not wish to actually pursue legal action, but would rather license our Windows Update APIs to you for the paltry sum of 100.00 (per infection).

Thank You

Kindly,

The MS Legal Eagles

Story is inaccurate (5, Insightful)

FooHentai (624583) | more than 6 years ago | (#19145703)

It's not really Windows Update that's being used in this exploit, it's the Background Intelligent Transfer Service which, in a nutshell, is a service that downdaloads data to your PC while minimising disruption to other network activity, i.e. surfing the net, gaming, or downloading other files. It's a built-in feature of Windows XP but has only been implemented once or twice.

Windows Update makes use of the BITS service. Malware can make use of the BITS service. It's not logical to then say that malware is exploiting Windows Update. Any more than an attack that utilised Java would be exploiting Azureus (a Java application).

The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net. This same exploit is true of the JVM too.

A solution to the problem might be to instance such services. But by doing that it sort of renders them not services anymore.

So eh, mark my stats +1 pedantry, but to perpetuate this as a Windows Update exploit isn't accurate.

Re:Story is inaccurate (1)

ajs318 (655362) | more than 6 years ago | (#19146713)

The reason malware utilising BITS is a problem is because with any application-level firewall, permission for BITS to access the net is already granted and so unlike a regular trojan, the firewall won't spit a potentially suspicious permission request up when it tries to download more malware from the 'net.
And this is what's wrong with Windows' security model.

Firewalls shouldn't be caring about which programs want access to the outside world. Firewalls should be caring about which bit of the outside world programs are trying to access -- and which bits of the outside world are trying to access the computer the firewall is protecting. And the decision of what to allow through the firewall or not should be taken by, or at least on the say-so of, a human user with administrative privileges.

All this basically stems from Microsoft's arrogant assumption that they know what is best for users.

Re:Story is inaccurate (1)

element-o.p. (939033) | more than 6 years ago | (#19146943)

...a service that downdaloads data to your PC...

Aw, man...now I've got Windows envy. I wish my Linux PC could downdaload data! (sorry, I couldn't resist!) :)

Nothing to see here, move along. (1)

TheRealAnonymousCowa (1056190) | more than 6 years ago | (#19145739)

Actually, once a system is infected with a Trojan, it can open up avenues for other attacks. This can happen to any machine, regardless of whether it's running Windows or Linux or OSX.

I've always been curious... (2, Interesting)

Belial6 (794905) | more than 6 years ago | (#19145987)

I've always been curious (not enough to do the research I guess) what kind of security Windows Update does to prevent someone from using control of DNS and/or routers to get Windows Update to install malware. Given that people often use DNS and routers that they cannot really trust, is there something that prevents a bad guy from just redirecting all traffic that is attempting to hit MS's update site to their own server that is set up to look like it is MS's update site? Given how many people have their laptops set up to do automatic updates, I would think that it would be easy to just take a laptop to a coffee shop, and watch as other patrons 'update' from your access point.

Windows Virus Updates!! (1)

InfiniteSingularity (1095799) | more than 6 years ago | (#19145999)

Are you still infected with those old fashioned beagle or Zotob viruses? Now, with our new Windows Virus Updates, you no longer have to worry about being the loser with old variants on your machine. You will get the newest, most zombie-rific viruses the wild web has to offer. All for, you guessed it, FREE. Windows will automatically update your viruses to the most virulent forms of code out there. Be sure and upgrade TODAY!!

Had Enough (1)

Nom du Keyboard (633989) | more than 6 years ago | (#19146213)

I've had more than enough with malware writers. They are absolutely useless to polite society. 10 years in jail and a life-time ban against ever touching another computer on the first conviction.

Completely misleading (5, Informative)

cooldev (204270) | more than 6 years ago | (#19146229)

BITS stands for "Background Intelligent Transfer Service" and is simply a way to download files using idle bandwidth. It's fully documented in MSDN, see http://msdn2.microsoft.com/en-us/library/aa362708.aspx [microsoft.com], and among many things it's used by some browser downloading plugins (similar to DownloadThemAll) that enhance downloading of large files. It's not just used by Windows Update.

Do we need additional articles to state that a malicious program on a compromised machine could use FTP to download additional files? Or HTTP? Or BitTorrent? Or roll their own protocol?

Based on the article, it sounds like the only concern is that because BITS is a service (daemon in the Unix world), it means that firewalls or malware detection tools that attempt to block outgoing requests (which most don't; they block listening ports) may not currently detect this because it's not the malicious .EXE itself that's opening a port; it calls into BITS, which opens the port. However, the app still has to use a public API to instantiate the BITS object, so there's no reason such a program couldn't hook that as well.

Unfortunately the article summary (and headline of the BBC article!) completely misrepresents the issue and blows it way out of proportion. They are not Hijacking Windows Update. They're using a generic well-documented downloading service that also happens to be used by Windows Update simply because it enables WU to download updates without gobbling up all your bandwidth.
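The detection-side check a practitioner wants after reading the comments above (FooHentai's on application firewalls already trusting BITS, and cooldev's on BITS being a documented service any program can drive): enumerate every BITS job on the machine, including jobs owned by SYSTEM and other accounts, and flag any whose remote URL is not on an allow-list. Added example, not from the thread or from Microsoft; the BitsTransfer cmdlets and properties used are real, the allow-list of update hosts is a constructed assumption to be tuned for your estate, and -AllUsers needs an elevated prompt.

```powershell
# Added example (not code from the thread). Lists BITS jobs for all users and
# reports the ones downloading from hosts outside the allow-list.
Import-Module BitsTransfer

# Constructed allow-list: hosts you expect BITS to talk to on this machine.
$AllowedHosts = @(
    'windowsupdate.com',
    'update.microsoft.com',
    'download.windowsupdate.com'
)

function Test-AllowedHost {
    param([string]$Url)
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($a in $AllowedHosts) {
        if ($h -eq $a -or $h.EndsWith('.' + $a)) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # One row per file in a job whose remote name is not allow-listed.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($f in $job.FileList) {
            if (-not (Test-AllowedHost $f.RemoteName)) {
                [pscustomobject]@{
                    JobId  = $job.JobId
                    Name   = $job.DisplayName
                    Owner  = $job.OwnerAccount
                    State  = $job.JobState
                    Remote = $f.RemoteName
                    Local  = $f.LocalName
                }
            }
        }
    }
}

$hits = @(Get-SuspiciousBitsJob)
$hits | Format-Table -AutoSize

# To kill a flagged job rather than just report it (also deletes any partial
# download), pass the job object to Remove-BitsTransfer:
#   Get-BitsTransfer -AllUsers | Where-Object JobId -eq $hits[0].JobId | Remove-BitsTransfer
```

This only sees jobs that still exist in the BITS queue; a job that has completed and been collected by its owner is gone, so on an already-infected host the job list is evidence of what is in flight, not a full history. On XP-era machines without the PowerShell module, bitsadmin /list /allusers /verbose shows the same job list and remote URLs.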

Windows Firewall model suxors (1)

JohnQPublic (158027) | more than 6 years ago | (#19146263)

The problem isn't BITS. The problem is the idea that BITS is "trusted". Should you trust every FTP server your computer connects to? Every HTTP server? Of course not. Then why BITS?

The Windows firewall model of "trust this program" is inherently incorrect, and that's the real source of this issue. I really hate to say it, but Internet Explorer gets this right - programs aren't trusted, places you can connect to are trusted.

More Symantec Baloney (2)

ThinkFr33ly (902481) | more than 6 years ago | (#19146637)

Singling out "BITS" is stupid. The exact same thing can be done with virtually any service or application that is allowed to pass through the local outgoing software firewall. As long as the software has some kind of programmatic interface, it can easily be used to bypass these firewalls.

I wrote a proof of concept application that bypassed all of the major outgoing software firewalls (BlackIce, Zonealarm, McAfee, Symantec) by utilizing the COM interfaces for Internet Explorer and funneling all my requests through it. This is almost impossible to detect. Even better, I wrote this app in freakin' VB!

The real problem is that local outgoing software firewalls simply don't work in an environment where all the users are admin. Once the machine is compromised, it's compromised. No number of software defenses are going to help. This includes, by the way, Symantec's expensive and incredibly crappy products. These products are there to make users feel secure, not actually make them secure.

Remember WordMasters from grade school? You know, the analogy test they used to give every once in a while. Here is an analogy for you:

Symantec is to computer security as the Bush Administration is to homeland security.

They do their best to scare the crap out of people in an attempt to get them to buy their software... or vote for their party. Don't trust either of them and you'll be better off.