The recent “Downloader” trojan that was distributed through spam email in Germany used the same technique as Windows Update to load itself onto unsuspecting users’ computers, according to security company Symantec.
Windows Update uses a system component called the Background Intelligent Transfer Service (BITS) to download patches and keep the operating system updated. BITS is an asynchronous download service that runs in the background and fetches patches, updates and other files using otherwise idle network bandwidth, so that foreground applications are not slowed down.
“It’s a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it’s the perfect tool to make Windows download anything you want. Unfortunately, this can also include malicious files,” said Symantec’s Elia Florio.
Because BITS is part of the operating system, the download is performed by a trusted Windows service process rather than by the malware itself, so a local firewall that permits Windows Update traffic lets the transfer through without raising any alert.
“Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection. In fact, the malicious Downloader sample in this case gets access to the BITS component via the COM interface with CoCreateInstance(), and it uses CreateJob() and AddFile() methods to configure the file to download and the destination path,” said Florio.
Florio also said that there was no immediate workaround against this type of attack, because it is not easy to check what BITS should and should not download.
“Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs,” he explained.
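The second of Florio's two suggestions, restricting BITS jobs to trusted URLs, is something an administrator can at least audit after the fact, because every job (a legitimate Windows Update download or the trojan's) ends up as a BITS job with a source URL. The following Python is an added example written for this page; it is not Symantec's analysis, the trojan's code, or any Microsoft tool. The event lines it parses are constructed for the example and only approximate the wording of the BITS-Client operational log, and the allow-list in TRUSTED_HOSTS, the function names and the sample URLs are assumptions, not a vendor-published list.

```python
"""Audit recorded BITS transfer jobs against an allow-list of trusted hosts.

Added example for this article. The sample event lines are constructed
and only approximate the wording of Microsoft-Windows-Bits-Client events
("BITS started the <job> transfer job that is associated with the URL ...").
TRUSTED_HOSTS is an assumed allow-list; replace it with the hosts your
update infrastructure actually uses.
"""
import re
from urllib.parse import urlsplit

# Assumed allow-list: any host equal to, or a subdomain of, these names.
TRUSTED_HOSTS = {"microsoft.com", "windowsupdate.com"}

# Constructed sample records: two ordinary update jobs, one job pointing at
# a bare IP (documentation range 203.0.113.0/24) and one job whose host
# merely starts with a trusted name.
SAMPLE_EVENTS = [
    "BITS started the WU Client Download transfer job that is associated "
    "with the URL http://download.windowsupdate.com/example/kb-sample.cab.",
    "BITS started the MicrosoftUpdate transfer job that is associated "
    "with the URL https://windowsupdate.microsoft.com/example/redir.cab.",
    "BITS started the update transfer job that is associated "
    "with the URL http://203.0.113.25/ld/loader.exe.",
    "BITS started the Win Update transfer job that is associated "
    "with the URL http://microsoft.com.example.net/patch.exe.",
]

# Job name is whatever sits between "started the" and "transfer job";
# the URL runs to the end of the line, minus the sentence's final period.
EVENT_RE = re.compile(
    r"^BITS started the (?P<job>.+?) transfer job that is associated "
    r"with the URL (?P<url>\S+?)\.?$"
)


def parse_event(line):
    """Return {'job', 'url'} for a BITS start-of-transfer line, else None."""
    match = EVENT_RE.match(line.strip())
    if match is None:
        return None
    return {"job": match.group("job"), "url": match.group("url")}


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """Exact match or a subdomain of a trusted name.

    Matching on a full label boundary ("." + name) rather than a plain
    suffix is what keeps look-alikes such as notmicrosoft.com or
    microsoft.com.example.net from passing.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def audit(lines, trusted=TRUSTED_HOSTS):
    """Parse every BITS start event and tag it with its host and a verdict."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # not a start-of-transfer record; ignore
        host = urlsplit(event["url"]).hostname  # port stripped, lowercased
        event["host"] = host
        event["trusted"] = host_is_trusted(host, trusted)
        findings.append(event)
    return findings


def untrusted_jobs(lines, trusted=TRUSTED_HOSTS):
    """Only the jobs whose source host is outside the allow-list."""
    return [f for f in audit(lines, trusted) if not f["trusted"]]


if __name__ == "__main__":
    for finding in untrusted_jobs(SAMPLE_EVENTS):
        print(f"UNTRUSTED job {finding['job']!r} fetching {finding['url']}")
```

The job name carries no signal: the trojan can call its job "Win Update" just as easily as Windows Update can, so the verdict rests on the host alone. The check is also only as good as the allow-list, which is exactly the difficulty Florio points to; a list that is too narrow blocks legitimate content distribution, while one that admits a whole domain admits anything hosted under it.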
This technique is well documented in the “underground”, according to Symantec, with an “antifirewall loader” example being posted on a Russian forum in late 2006.