Windows Update attacks: Ensuring malware-free downloads


Michael Cobb
09.20.2007
Many Microsoft Windows users may have been alarmed by recent reports that a malware program, Win32/Jowspry, uses the Windows Update service to download files to a user's computer and install further malicious software. An understandable reaction would be to stop using Windows Update so that malicious files cannot be installed. But then how would it be possible to keep a Windows PC fully updated against new security threats?

Fortunately, the situation is nowhere near as serious as it has been reported. Let me explain why. To interact with the Windows Update Web site, a Windows computer uses the Background Intelligent Transfer Service (BITS). BITS runs in the background and draws on unused bandwidth to download patches and updates. It also facilitates file transfers for Windows Server Update Services, Systems Management Server and Microsoft instant messaging products. Although the service wasn't originally part of Windows, it was included in Windows XP Service Pack 1, Windows 2000 Service Pack 3 and is now part of the Windows operating system.

Because BITS is a component of the operating system, the built-in Windows firewall lets it send and receive data over the Internet without triggering any warning; personal firewalls that trust Windows' own service host process treat it the same way. By handing its downloads to this already-trusted service, malware sidesteps one of the main obstacles it faces on a Windows PC: a connection opened by the malware's own process would be blocked or would prompt the user, whereas a BITS job runs under the service and is waved through. Additional malicious files can therefore be fetched and installed without the user seeing anything amiss. Even expensive network-based firewalls struggle here, because the traffic is ordinary HTTP from a legitimate Windows component and the firewall has no way to tell which downloads BITS should or shouldn't be making. The low bandwidth and asynchronous nature of BITS (transfers are throttled, can run for hours and resume after a reboot) make the activity harder still to spot.

So why is such abuse of this useful technology no cause for alarm? The attack does not exploit a flaw in Windows Update. Attackers have not placed malicious files on the Microsoft Web site for BITS to download. For the attack to work, a user must first download Win32/Jowspry and execute it; only then can the Trojan create BITS jobs to fetch and install additional malware. In other words, the Trojan must already be present on the computer before BITS can be misused. BITS is not the vector for the initial infection; it is merely the mechanism the malware uses to bypass firewall technologies once it has installed itself.

The best way to combat the Windows Update attack is to reinforce awareness among users, educating them on security policies that deal with messages and files from unknown or unexpected sources. This reduces the likelihood of users downloading Jowspry or other malicious programs that infect a PC. Some experts have suggested restricting BITS to approved or trusted URLs. Since many third-party software vendors also use BITS to distribute software updates, however, such limits would be a cumbersome workaround, one that requires careful maintenance of a whitelist of approved URLs. A less intrusive option is to audit the BITS job queue periodically: every job, including those created by services, records the remote URL and the local destination of each file, so a job pulling from an unfamiliar host stands out even though the firewall lets it through.
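The audit described above, as an added example written for this tip rather than code from the original article or from Microsoft: the script enumerates the BITS jobs of every account on the host and flags any file whose remote URL is not on a whitelist. The hosts in the whitelist are assumptions for illustration only; the real list should be built from the update sources your organisation observes in legitimate jobs (Microsoft's update servers, an internal WSUS server, third-party updaters), because Windows Update itself may fetch from hosts not shown here. It needs the BitsTransfer module, PowerShell 3.0 or later, and an elevated prompt (the -AllUsers switch is what exposes jobs created by SYSTEM and services, which is where malware-created jobs usually sit).

```powershell
# Added example, not part of the original article: audit BITS jobs on a Windows
# host and flag any job whose remote URL falls outside a whitelist of update
# sources. Run from an elevated prompt so -AllUsers can see every job.

Import-Module BitsTransfer

# Assumed whitelist for illustration. Replace with the hosts that legitimately
# serve BITS downloads in your environment (observe them first, then restrict).
$AllowedHosts = @(
    'download.windowsupdate.com',
    'update.microsoft.com',
    'wsus.corp.example'          # hypothetical internal WSUS server
)

function Test-AllowedUrl {
    param([string]$Url)
    $uri = $null
    # Reject anything that is not an absolute URL rather than guessing about it.
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    # BITS update traffic is expected to be HTTP(S); SMB/file: sources are unusual.
    if ($uri.Scheme -ne 'http' -and $uri.Scheme -ne 'https') { return $false }
    foreach ($h in $AllowedHosts) {
        # Exact match or a subdomain of an allowed host. Checking the suffix with
        # a leading dot stops "windowsupdate.com.evil.example" from passing.
        if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { return $true }
    }
    return $false
}

$suspect = @()
foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        if (-not (Test-AllowedUrl $file.RemoteName)) {
            $suspect += [pscustomobject]@{
                JobId     = $job.JobId
                Name      = $job.DisplayName
                Owner     = $job.OwnerAccount
                State     = $job.JobState
                RemoteUrl = $file.RemoteName
                LocalPath = $file.LocalName
            }
        }
    }
}

if ($suspect.Count -eq 0) {
    Write-Host 'No BITS jobs outside the whitelist.'
} else {
    # Record the details before touching anything: the local path tells you
    # what was dropped, the owner tells you which account queued the job.
    $suspect | Format-Table -AutoSize
    # To stop a specific job after recording it for investigation:
    #   Get-BitsTransfer -AllUsers | Where-Object JobId -eq <JobId> | Remove-BitsTransfer
}
```

Because the firewall trusts the BITS service rather than the job's destination, this host-side view of the queue is the one place where the remote URL is visible in the clear; run the audit on a schedule or from an endpoint-management tool, and treat a job owned by SYSTEM that points at a host you have never seen before as something to investigate, not to delete immediately.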

Although the attack has a simple enough fix, the Jowspry case does highlight the increasing sophistication of attackers and their growing, in-depth understanding of the Windows operating system.

About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.


