Malware spotted using BITS
BITS (Background Intelligent Transfer Service) is a nifty little file transfer service built into Windows which enables file transfers to take place in the background without having any impact on the network bandwidth available to other processes. This is the service used by Windows Update to silently bring down patches without diminishing the user's overall experience. BITS has some interesting features:

  • BITS continues to transfer files after an application exits if the user who initiated the transfer remains logged on and a network connection is maintained. BITS will not force a connection.
  • BITS suspends the transfer if a connection is lost or if the user logs off. BITS persists transfer information while the user is logged off, across network disconnects, and during computer restarts.
  • When the user logs on again, BITS resumes the user's transfer job.

Another interesting thing about BITS is that because downloads are being performed 'by Windows' it bypasses local firewalls!

The BBC reports that security expert Frank Boldewin recently discovered an email trojan using BITS to download a second stage payload. It has long been predicted that BITS would be used for malicious purposes and this method of download has been well documented in the underground.

Microsoft have commented on the news pointing out that the transport mechanism in use is irrelevant. In order for this problem to exist a person must first become infected with malware--something which should be avoided in the first place.
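Because the transfer is carried out by the BITS service rather than by the process that queued it, per-application firewall rules tell you little; the job queue itself is the place to look. The following PowerShell script is an added example, not code from the original post: it lists BITS jobs for all users and flags those pulling from hosts outside a constructed allowlist, writing executables, targeting user-writable paths, or set to run a command on completion. It assumes PowerShell 3.0 or later with the BitsTransfer module and an elevated session so that -AllUsers can see other accounts' jobs.

```powershell
# Added example: audit the BITS job queue for transfers that look like a
# staged malware download rather than Windows Update traffic.
Import-Module BitsTransfer

# Constructed allowlist for illustration; adjust for your environment.
$TrustedHosts = @('windowsupdate.com', 'update.microsoft.com', 'download.microsoft.com')

function Test-TrustedHost {
    param([string]$Url)
    try { $uriHost = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($h in $TrustedHosts) {
        if ($uriHost -eq $h -or $uriHost.EndsWith(".$h")) { return $true }
    }
    return $false
}

# -AllUsers shows jobs queued by every logged-on (or logged-off) account,
# including jobs that persist across reboots waiting for the owner to return.
$findings = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        $reasons = @()
        if (-not (Test-TrustedHost $file.RemoteName)) { $reasons += 'untrusted source host' }
        if ($file.LocalName -match '\.(exe|dll|scr|bat|cmd|ps1|vbs|js)$') { $reasons += 'executable destination' }
        if ($file.LocalName -match '\\(Temp|AppData|Users\\Public)\\') { $reasons += 'user-writable path' }
        # NotifyCmdLine (a command BITS runs when the job finishes) exists on
        # newer Windows versions only, so look it up defensively.
        $notify = $job.PSObject.Properties['NotifyCmdLine']
        if ($notify -and $notify.Value) { $reasons += 'runs a command on completion' }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Source  = $file.RemoteName
                Target  = $file.LocalName
                Reasons = ($reasons -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

A flagged job can be inspected with Get-BitsTranser's output or cancelled with Remove-BitsTransfer once its origin has been confirmed.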

18 comments
jimaca

Yes, I bought malware from Cleverbridge and now I need help loading it on my computer. Tell me how to do it. U CAN EMAIL ME At jmnhns1@att.net

apaludet

I spelt the title right this time, thank heavens. Next. The security problem is clearly not irrelevant, because malware infection is easy and can occur inadvertently. Clearly no malware program anywhere is 100% able to detect malware (wouldn't that be nice), but the other major is one of human nature. If the BITS attack described as irrelevant cannot be exploited through the type of malware mentioned by the BBC, why not other malware? I don't think there is any shortage of talented programmers working for spammers and other orgs, criminal or otherwise, capable of using the concept. Further, if the process is further exploited in spite of being deemed irrelevant, will Microsoft improve software/OS security to close the whole problem, both malware infection and exploitation of the BITS process?

rwcarlse

...it's possible to use a certificate to verify downloads transferred with BITS are in fact coming from Microsoft? Just a thought...

alan.kerr3

It is unbelievable of Microsoft to take so little interest in this and class it as irrelevant, as they are responsible for convincing users to have auto updates on in the first place. I'm sure we're not at the stage yet of stopping the BITS service, switching auto updates off and manually requesting updates through IE. But it's always an option for users at some point.

apaludet

If Microsoft state the through-BITS attack is irrelevant because PCs need to be malware infected first, for the attack process to work, maybe they can show the world how we can be malware free, thus making the attack impossible, not irrelevant.

DanLM

[i]Microsoft have commented on the news pointing out that the transport mechanism in use is irrelevant. In order for this problem to exist a person must first become infected with malware--something which should be avoided in the first place.[/i] Infected computers occur. You can run the latest firewall/virus scanner which has the highest percentage of stopping infections. All it takes is your child using your computer once, and clicking yes. That statement is rather, ummmmm. What's the right way to put this. Uncomprehending of the general population, blatantly ignoring the total number of computers that are infected. Does the term arrogant and lack of understanding of their own customer base come to mind? uggg, never mind. Dan

seanferd

Malware is rather self-installing. No one will email you, except spammers, unless you remove your address.

bobn9lvu

The bottom line is, that if they cared, you would have NEVER read that type of reply from them... Quote: Microsoft have commented on the news pointing out that the transport mechanism in use is irrelevant. In order for this problem to exist a person must first become infected with malware--something which should be avoided in the first place.

pmwpaul

That statement by Microsoft about the problem being irrelevant is very nasty and arrogant! They could re-phrase it with "If those idiot users wouldn't get infected we wouldn't have this problem." How many people have been tricked into opening an email that turns out to be spam? How many people do a Google search and click on a site they don't know anything about? The arrogance of Microsoft continues to generate less and less respect in the IT community.

akk

If you are logged on to your computer with an account that has administrative privileges, then you might as well point a fully loaded gun at your head, pull the trigger, and hope to God that the plunger snaps before striking the bullet! If logged on with non-administrative privileges, the likelihood of being infected reduces significantly. Unfortunately, Microsoft has chosen to make it easier for the end user by defaulting to an account that has administrative privileges to reduce the number of support calls - oops! Consult an expert and change your privilege level before you get infected.

Justin Fielding

You say that and it almost sounds reasonable, but then I haven't had a virus or malware infection for as long as I can remember.

rea00cy

My goodness! It is evident that you have developed an outraging resentment against MS.

boxfiddler

My second thought had something to do with circuses.

seanferd

The OP should have started a new question thread, but I think he must be a bit inexperienced. What I want to know is if Cleverbridge and MBAM are being used for legitimacy by a third party, or if Cleverbridge support and marketing are really as bad as shown in the link you posted.

Michael Jay

Seems we both got sucked into an old post.

seanferd

It would help to no end if people were to use full terms and sentences, and proper names and version/model numbers when appropriate. I thought maybe the OP was saying that he had purposely bought malware, like from a botnet vendor, or perhaps meant something else entirely. But I suppose this explains how someone was able to sell him this thing.