A Warning From Symantec


Guest Reimar
Posted

Symantec released a warning about a new Trojan which uses the BITS (Background Intelligent Transfer Service) system for spreading, and that there is NOT a workaround available against attacks coming down BITS.

This Trojan also affects MS Server Longhorn.

Read the Report:

"The next time your Windows Vista operating system downloads and deploys updates, it could in fact install malicious code instead. Security company Symantec has warned that Windows platforms are susceptible to malware infection via the Windows Update mechanism.

Security researcher Frank Boldewin has revealed that Trojan horses spammed at the end of March 2007 were using a new technique to download malicious files on a system. The techniques involve making use of Background Intelligent Transfer Service, a component of the Windows operating system, including Windows Vista and Windows Server 2007 code-name Longhorn.

"Background Intelligent Transfer Service (BITS) transfers files (downloads or uploads) between a client and server and provides progress information related to the transfers. You can also download files from a peer," revealed Microsoft, and Elia Florio, Symantec Security Response Engineer commented that "BITS is the main service used by Windows Update to download patches and keep the operating system updated."

BITS is designed as an asynchronous download service, which does not impact the responsiveness of other network applications, functioning without consuming bandwidth to transfer patches, updates and additional files in the foreground or background. And since it can also automatically resume interrupted file transfers "it’s the perfect tool to make Windows download anything you want. Unfortunately, this can also include malicious files," Florio added.

Bypassing the local firewall is not an issue for BITS, as the service is in fact considered an integral part of the operating system. "Malware needs to bypass local firewalls, but usually the most common methods found in real samples are intrusive, require process injection or may raise suspicious alarms," Florio explained. "Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection. In fact, the malicious Downloader sample in this case gets access to the BITS component via the COM interface with CoCreateInstance(), and it uses the CreateJob() and AddFile() methods to configure the file to download and the destination path."

Symantec warned that there is no workaround available against attacks coming down BITS. The Cupertino-based company informed that the BITS download method is already a documented method as an antifirewall loader. Both the Windows Vista and Windows Server "Longhorn" operating systems currently include BITS version 3.0."
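A defender-side check that follows from the mechanism described in the report, added here as an example (it is not from the post, Symantec or Microsoft): it audits exported BITS job records and flags downloads that do not look like Windows Update traffic. The record layout is assumed to mirror what `Get-BitsTransfer -AllUsers | ConvertTo-Json` exports (JobId, OwnerAccount, FileList with RemoteName/LocalName); the host allowlist, path markers and the two sample jobs are constructed for the example.

```python
from urllib.parse import urlparse

# Assumed allowlist of hosts that legitimately feed BITS on a patched client.
TRUSTED_SUFFIXES = ("windowsupdate.com", "microsoft.com")
# Assumed service accounts that normally own Windows Update jobs.
SYSTEM_OWNERS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE"}
# Destination fragments typical of user-writable drop locations (lower-case).
WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

def host_trusted(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, an allowlisted host."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def audit_job(job: dict) -> list:
    """Return the reasons one BITS job record looks suspicious (empty if none)."""
    reasons = []
    if job.get("OwnerAccount", "").upper() not in SYSTEM_OWNERS:
        reasons.append(f"owner {job.get('OwnerAccount')!r} is not a service account")
    for f in job.get("FileList", []):
        remote, local = f.get("RemoteName", ""), f.get("LocalName", "")
        if not host_trusted(remote):
            reasons.append(f"source host not allowlisted: {remote}")
        if any(m in local.lower() for m in WRITABLE_MARKERS):
            reasons.append(f"user-writable destination: {local}")
    return reasons

def audit_jobs(jobs: list) -> dict:
    """Map JobId -> reasons for every job that triggers at least one rule."""
    return {j["JobId"]: r for j in jobs if (r := audit_job(j))}

# Constructed sample records (shape modelled on a Get-BitsTransfer -AllUsers export).
SAMPLE_JOBS = [
    {"JobId": "a1", "DisplayName": "WU Client Download", "JobState": "Transferred",
     "OwnerAccount": "NT AUTHORITY\\SYSTEM",
     "FileList": [{"RemoteName": "http://download.windowsupdate.com/d/msdownload/kb.cab",
                   "LocalName": "C:\\Windows\\SoftwareDistribution\\Download\\kb.cab"}]},
    {"JobId": "b2", "DisplayName": "", "JobState": "Transferring",
     "OwnerAccount": "DESKTOP\\alice",
     "FileList": [{"RemoteName": "http://203.0.113.10/setup.exe",  # TEST-NET placeholder
                   "LocalName": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}]},
]

if __name__ == "__main__":
    for job_id, reasons in audit_jobs(SAMPLE_JOBS).items():
        print(job_id, "->", "; ".join(reasons))
```

Jobs owned by a service account that pull from an allowlisted host into the update cache pass silently; anything a user account queued from an unknown host into a temp or profile directory is listed with every rule it tripped.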

Posted

What they fail to mention is that you need to be infected first to make "calls" like "CoCreateInstance() and CreateJob()" to the COM interface; ah, it's a trojan, not a worm, so it needs user intervention in the first place :o ...

So hardly a hole, and yeah, it works even if the firewall is active; now some viruses are intelligent enough to register themselves in the Windows firewall anyway. So another FUD by great Symantec that wants to sell more of their BS/bloated/crap software, good game...

Note that they mention only Vista and Longhorn and not XP (that uses BITS too hehe), mainly because they were pissed that MS didn't give them access to the kernel so they can hack it.
