A Symantec researcher said that Microsoft Update, which includes a component called Background Intelligent Transfer Service (BITS), could potentially be used by hackers to bypass security measures and attack users' PCs. BITS runs in the background on a Windows PC as an asynchronous download service for patch updates.
A Microsoft spokesperson confirmed to internetnews.com that Microsoft is aware of public reports that BITS is being used by TrojanDownloader:Win32/Jowspry to bypass policy-based firewalls in order to install additional malware.
According to Microsoft, the bypass relies on TrojanDownloader:Win32/Jowspry already being present on the system; it is not an attack vector for initial infection. The bypass most commonly occurs after a successful social-engineering attempt lures the user into inadvertently running TrojanDownloader:Win32/Jowspry, which then utilizes BITS to download additional malware.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i Microsoft recommends that any users who believe they are affected by TrojanDownloader:Win32/Jowspry visit Windows Live OneCare safety scanner to scan their systems, determine if they are infected, and clean all currently known variants of this Trojan.
Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection, Symantec researcher Elia Florio wrote on the Symantec Security Response blog.
According to Florio, there is no workaround for a BITS-based attack and it is difficult to manage what should not be downloaded by BITS.
"Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs," Florio wrote.
Though the Symantec researcher is now bringing this issue to light, Florio said the hack community has been aware of the potential risk of BITS since it was cited as an "antifirewall loader" technique on a Russian forum at the end of 2006.
Florio's allegation comes as Microsoft wraps up its fifth Blue Hat Security conference. Blue Hat is Microsoft's closed-door security conference where the company invites security researchers up to its campus to discuss the latest bleeding-edge security research.