Fortunately, the situation is nowhere near as serious as it has been reported. Let me explain why. To interact with the Windows Update Web site, a Windows computer uses the Background Intelligent Transfer Service (BITS). BITS runs in the background and draws on unused bandwidth to download patches and updates. It also facilitates file transfers for Windows Server Update Services, Systems Management Server and Microsoft instant messaging products. Although the service wasn't originally part of Windows, it was included in Windows XP Service Pack 1 and Windows 2000 Service Pack 3, and it is now part of the Windows operating system.
Because BITS is now a component of the OS, the built-in Windows firewall allows it to send and receive data via the Internet without triggering any warnings. By hijacking this service, malware authors can quickly bypass one of their primary obstacles when attempting to exploit Windows. Bypassing the firewall's filters enables the installation of malicious files without alerting users that anything is wrong. Even expensive network-based firewalls would struggle to distinguish what BITS should or shouldn't download. The low bandwidth and asynchronous nature of BITS also make it difficult for firewalls to detect any malicious activity.
So why is such abuse of the useful technology no cause for alarm? The attack is not actually caused by a flaw in Windows Update. Attackers have not loaded malicious files onto the Microsoft Web site for BITS to download. For the attack to work, a user must first download Win32/Jowspry and execute it. Only then will the Trojan software be able to use BITS to install additional malware. To use BITS maliciously, the Trojan needs to be present on a user's computer. BITS is not an attack vector for the initial infection; it is just the mechanism that the malware uses to bypass firewall technologies once it has installed itself.
The best way to combat the Windows Update attack is to reinforce awareness among users, educating them on security policies that deal with messages and files from unknown or unexpected sources. This will reduce the likelihood of users downloading Jowspry or other malicious programs that infect a PC. Some experts have suggested restricting BITS access to approved or trusted URLs. Since many third-party software vendors use it to distribute software updates, however, such limits would be a very cumbersome workaround, one that requires the careful maintenance of a whitelist of approved URLs.
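To make the whitelist trade-off concrete, here is an added example (not part of the original article) that audits BITS job URLs against an approved-host list. The host list, the record layout and the sample jobs are all constructed assumptions; on a real machine the records could be exported with the `Get-BitsTransfer -AllUsers` cmdlet.

```python
from urllib.parse import urlsplit

# Assumed allowlist (illustrative, not a complete list of update endpoints).
# Entries starting with "." match the domain and any subdomain; others are exact.
APPROVED_HOSTS = {".windowsupdate.com", ".update.microsoft.com", "wsus.corp.example"}

# Constructed sample records: (job owner, display name, remote URL).
SAMPLE_JOBS = [
    ("NT AUTHORITY\\SYSTEM", "WU Client Download",
     "http://download.windowsupdate.com/msdownload/update/a.cab"),
    ("CORP\\alice", "Vendor updater", "https://updates.vendor.example/app/patch.msi"),
    ("CORP\\bob", "job1", "http://windowsupdate.com.cdn.example/x.exe"),
    ("NT AUTHORITY\\SYSTEM", "WSUS", "http://wsus.corp.example:8530/Content/b.cab"),
    ("CORP\\bob", "job2", "http://203.0.113.7/file.bin"),
]

def host_is_approved(url, approved=APPROVED_HOSTS):
    """True only if the URL's parsed hostname matches an allowlist entry."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False  # unparseable URL: treat as unapproved
    if parts.scheme not in ("http", "https") or not host:
        return False  # UNC paths and other schemes need separate review
    for entry in approved:
        if entry.startswith("."):
            # Match on a dot boundary so "windowsupdate.com.cdn.example"
            # does not pass as a Microsoft host.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def unapproved_jobs(jobs, approved=APPROVED_HOSTS):
    """Return the job records whose remote URL is not on the allowlist."""
    return [job for job in jobs if not host_is_approved(job[2], approved)]

if __name__ == "__main__":
    for owner, name, url in unapproved_jobs(SAMPLE_JOBS):
        print(f"REVIEW owner={owner} job={name!r} url={url}")
```

The legitimate "Vendor updater" job is flagged alongside the two suspicious ones, which is the maintenance burden described above: every third-party updater that uses BITS has to be added to the list before the audit is quiet.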
Although the attack may seem to have a simple fix, the Windows Update strike does highlight an increasing sophistication of attackers and their growing, in-depth understanding of the Windows operating system.
About the author:
Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in February 2009