Thursday, May 10, 2007 10:44 AM
cmosby
Symantec Security Response Weblog: Malware Update with Windows Update
Malware Update with Windows Update
When computer programmers and OS designers introduce new functionality in their products, they should always consider “Who is going to use this?” Sometimes solutions created for legitimate purposes turn into dangerous weapons when used in a bad way. Alternate Data Streams (ADS) and the Encrypting File System (EFS) are just two well-known examples of good technologies used by malware such as Backdoor.Rustock and Trojan.Linkoptimizer (more here about this topic).
Today the list of good technologies used for bad purposes has a new entry.
In the past week I’ve been discussing with a friend (Frank Boldewin) a curious technique used to download malicious files onto a system. Frank analyzed one of the recent Trojans spammed by e-mail in Germany at the end of March 2007 and figured out that the Trojan (detected as Downloader) was using an interesting technique to download files, one that involves a Windows component named “BITS” (Background Intelligent Transfer Service). BITS is the main service used by Windows Update to download patches and keep the operating system updated. From Wikipedia:
Background Intelligent Transfer Service (BITS) is a component of modern Microsoft Windows operating systems that facilitates the transfer of files between machines. It is most commonly used by recent versions of Windows Update, Windows Server Update Services, and Systems Management Server to deliver software updates to clients, and is also used by Microsoft instant messaging products to transfer files.
It’s an asynchronous download service that runs in the background and downloads patches, updates and other files without consuming network bandwidth. It’s a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it’s the perfect tool to make Windows download anything you want. Unfortunately, this can also include malicious files.
Why does malware use BITS for downloading files? For one simple reason: the BITS service is part of the operating system, so it is trusted and bypasses the local firewall while downloading files. Malware needs to bypass local firewalls, but the methods most commonly found in real samples are intrusive: they require process injection or may raise suspicious alarms. The most common methods are:
- run a continuous thread which sends “Yes, accept” messages to the firewall window that warns users about strange network connections
- shut down firewall service/kill firewall processes
- inject malicious code into Internet Explorer or Svchost processes, which are usually in the trusted applications list of the firewall
- patch network drivers to disable firewall filtering
Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and it does not require suspicious actions such as process injection. In fact, the malicious Downloader sample in this case gets access to the BITS component via the COM interface with CoCreateInstance(), and it uses the CreateJob() and AddFile() methods to configure the file to download and the destination path.
At the moment there’s no immediate workaround against this type of attack. It’s not easy to check what BITS should and should not download. Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to trusted URLs only.
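The “trusted URLs only” idea from the paragraph above, turned into a check an administrator can run today, as an added example that is not part of the original post: it enumerates the BITS jobs of all users and reports any file whose remote host is not on an allow-list. It assumes a Windows host with the BitsTransfer PowerShell module and an elevated prompt; the allow-list entries and the function name Get-SuspiciousBitsJob are illustrative and should be replaced with your own update infrastructure.

```powershell
# Added example (not from the original post). Requires the BitsTransfer
# module and admin rights, because -AllUsers shows other users' jobs too.
Import-Module BitsTransfer

# Illustrative allow-list; populate it from your own update sources
# (WSUS/SCCM servers, vendor CDNs). Hosts are compared case-insensitively.
$trustedHosts = @(
    'download.windowsupdate.com',   # illustrative entry
    'wsus.example.internal'         # placeholder for an internal WSUS server
)

function Get-SuspiciousBitsJob {
    param([string[]] $AllowedHosts)

    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            # Parse the remote URL; an unparseable one is reported as well,
            # since a legitimate updater would not create such a job.
            $uri = $null
            $parsed = [System.Uri]::TryCreate($file.RemoteName,
                                              [System.UriKind]::Absolute,
                                              [ref] $uri)
            $hostName = if ($parsed) { $uri.Host.ToLowerInvariant() } else { '<unparseable>' }

            if ($AllowedHosts -notcontains $hostName) {
                [pscustomobject]@{
                    JobId     = $job.JobId
                    Owner     = $job.OwnerAccount
                    State     = $job.JobState
                    RemoteUrl = $file.RemoteName
                    LocalPath = $file.LocalName
                }
            }
        }
    }
}

Get-SuspiciousBitsJob -AllowedHosts $trustedHosts | Format-Table -AutoSize
```

A downloader that completes and then removes its job will no longer appear here, so treat this as a point-in-time check rather than a complete record of BITS activity.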
It’s worth mentioning that the BITS download method was already well documented in the underground: it was posted as an “antifirewall loader” example on a Russian forum at the end of 2006.
Many thanks to Frank Boldewin for reporting this.
Posted by Elia Florio on May 10, 2007 05:00 AM
Source: Symantec Security Response Weblog: Malware Update with Windows Update
Filed under: Security and Anti-Virus, Patch Management, Microsoft Windows, AntiVirus Information, Internet Hacks