This page contains a single entry from the blog posted on May 14, 2007 9:17 AM.

How to get hosed when thinking you're using the Windows automatic update

Brian Krebs today posted a blog entry, "New Attack Piggybacks on Microsoft's Patch Service", that describes a proof-of-concept attack using the Windows update patch service to install malware on the user's computer. His post describes the attack as follows:
"Security researcher Frank Boldewin last week published a "proof-of-concept" program illustrating an attack technique he'd witnessed in March via an e-mail he received. The e-mail appeared to have been sent from a local Internet service provider in Germany. The file included with the message was designed to install a Trojan horse program on a victim's machine enabling other corrupt software to download.

The other software leveraged a Windows program called the "background intelligent transfer service," or BITS. It is used by the Windows automatic updates feature designed to download security updates via a customer's spare network bandwidth.

BITS is designed to resume downloading an unfinished file even after a user restarts or logs off of Windows. As soon as the system restarts or regains Internet connectivity, BITS can pick up where it left off. Additionally, the sender can determine whether the entire file transfer completed successfully by setting a special code on the transfer.

The real danger is -- assuming the Trojan sneaks past a user's anti-virus software -- the user's software firewall likely would not detect the outgoing connection when the victim's machine starts downloading the second-stage payload. That's because BITS is a legitimate system service that the firewall would allow by default, or the user long ago allowed it permanent access in and out of a firewall."

At the end of his blog, Brian notes the following:
"I should note that when I tried this exploit on a Windows XP system running under a limited user account, the attack did not succeed. So if you set up your Windows XP or 2000 machine to run under a limited account, even if you inadvertently download a Trojan, it is very unlikely that it will be able to finish its job."

That is his current recommendation for avoiding the attack.
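Since the whole point of the technique is that the download is carried by a trusted system service, the defender's counterpart is to inspect what BITS is actually transferring. The following is an added example, not code from Krebs' post or from Boldewin's proof of concept: it lists BITS jobs for every user and flags any whose remote source is not a Windows Update host or which carries a completion command (the "special code" the quote mentions). The trusted-host patterns and the use of the NotifyCmdLine property are assumptions; extend the list with your own WSUS server.

```powershell
# Added example (not from the post): audit BITS jobs for all users and flag
# those that do not look like Windows Update traffic.
# Run from an elevated PowerShell session; -AllUsers needs admin rights,
# otherwise only the current user's jobs are visible.
Import-Module BitsTransfer

# Assumption: hosts that Windows Update legitimately downloads from.
# Add your WSUS/SCCM distribution points here.
$trustedHosts = @('*.windowsupdate.com', '*.update.microsoft.com', '*.microsoft.com')

function Test-TrustedHost {
    param([string]$Url)
    $uri = $null
    # Non-URL remote names (e.g. UNC paths) are treated as untrusted.
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($pattern in $trustedHosts) {
        if ($uri.Host -like $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        # Assumption: NotifyCmdLine holds the command BITS runs when the job
        # finishes; update jobs do not normally set one, a dropper would.
        $notify = $job.NotifyCmdLine
        foreach ($file in $job.FileList) {
            $untrusted = -not (Test-TrustedHost $file.RemoteName)
            if ($untrusted -or $notify) {
                [PSCustomObject]@{
                    JobId         = $job.JobId
                    DisplayName   = $job.DisplayName
                    Owner         = $job.OwnerAccount
                    State         = $job.JobState
                    Created       = $job.CreationTime
                    RemoteSource  = $file.RemoteName
                    LocalTarget   = $file.LocalName
                    NotifyCommand = $notify
                    Reason        = if ($untrusted) { 'untrusted host' } else { 'completion command set' }
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

Expect some legitimate third-party updaters to appear; the value is in jobs owned by an unexpected account, writing into a user-writable path, or carrying a completion command.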

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
