The Background Intelligent Transfer Service, also known as BITS, is used by Microsoft Corp.'s operating systems to deliver patches via Windows Update. BITS debuted in Windows XP and is also part of Windows Server 2003 and the new Windows Vista operating system. It is an asynchronous file transfer service with automatic throttling, so downloads don't impact other network chores, and automatic resumption if the connection is broken.
"It's a very nice component, and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want," Elia Florio, a researcher with Symantec's security response team, said on the group's blog. "Unfortunately, this can also include malicious files."
At present there is no way to block hackers from using BITS, Florio said. "It's not easy to check what BITS should download and not download," he said, and then offered some advice for Microsoft. "Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs."
Florio explained why some Trojan makers have started to use BITS to add code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files."
Malware, particularly Trojans — which typically first open a back door to the system for follow-on code — needs to sidestep firewalls to bring additional malicious software, like a keylogger, to the PC. "[But] the most common methods are intrusive [and] require process injection or may raise suspicious alarms," Florio said.
"It is novel," Oliver Friedrichs, director of Symantec's security response group, said. "Attackers are leveraging a component of the operating system itself to update their content. But the idea of bypassing firewalls isn't new."
Symantec first heard about BITS on Russian hacker message boards late last year, Friedrichs said, and has been on the lookout for it since then. A Trojan that was spammed in March was one of the first to put the technique into practice.
"The big benefit BITS gives them is that it lets them evade firewalls," Friedrichs said. "And it's also a more reliable download mechanism. It's free and reliable, and they don't have to write their own download code."
Although BITS powers the downloads delivered by Microsoft's Windows Update service, Friedrichs reassured users about Windows Update. "There's no evidence to suspect that Windows Update can be compromised. If it has a weakness, someone would have found it by now," Friedrichs said. "But this does show how attackers are leveraging components and becoming more and more modular in how they create software. They're simply following the trend of traditional software development,"
Microsoft did not immediately respond to questions about unauthorized BITS use.
Florio's complete blog entry is available here.
