Windows Update, a popular tool for patching computers, is now being used by the bad guys to push malware onto targeted systems.
According to Symantec’s Security Response Center blog, a Trojan detected as Downloader used an “interesting technique” to download files: it relies on a Windows component named BITS (Background Intelligent Transfer Service), the main service used by Windows Update to download patches and keep the operating system updated.
“Why does malware use BITS for downloading files? For one simple reason: BITS service is part of the operating system, so it’s trusted and bypasses the local firewall while downloading files,” Symantec researcher Elia Florio wrote in the blog. “Malwares need to bypass local firewalls, but usually the most common methods found in real samples are intrusive, require process injection or may raise suspicious alarms.”
At the moment, Florio said, there’s no immediate workaround against this type of attack. “It’s not easy to check what BITS should download and not download,” Florio added. “Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs.”
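Florio's "trusted URLs" idea can at least be applied as an audit: the PowerShell below is an added example, not code from Symantec or Microsoft, that flags queued BITS jobs whose source is not on an allowlist. The function names, the two allowlisted domains and the sample jobs are assumptions made for illustration.

```powershell
# Added example. The trusted-host list is illustrative, not a complete allowlist.
$TrustedHosts = @('windowsupdate.com', 'update.microsoft.com')

function Test-BitsUrlTrusted {
    param([Parameter(Mandatory)][string]$Url,
          [Parameter(Mandatory)][string[]]$TrustedHost)
    $uri = $null
    # Unparsable source: treat as untrusted.
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -notin 'http', 'https') { return $false }   # e.g. SMB/UNC sources
    $name = $uri.Host.ToLowerInvariant()
    foreach ($t in $TrustedHost) {
        # Exact host or a real subdomain, so "evil-windowsupdate.com" does not match.
        if ($name -eq $t -or $name.EndsWith(".$t")) { return $true }
    }
    return $false
}

function Find-UntrustedBitsJob {
    param([Parameter(Mandatory, ValueFromPipeline)]$Job,
          [Parameter(Mandatory)][string[]]$TrustedHost)
    process {
        foreach ($file in $Job.FileList) {
            if (-not (Test-BitsUrlTrusted -Url $file.RemoteName -TrustedHost $TrustedHost)) {
                [pscustomobject]@{ JobId = $Job.JobId; DisplayName = $Job.DisplayName
                                   Owner = $Job.OwnerAccount
                                   RemoteName = $file.RemoteName; LocalName = $file.LocalName }
            }
        }
    }
}

# Constructed sample jobs, shaped like the objects Get-BitsTransfer returns.
$sampleJobs = @(
    [pscustomobject]@{ JobId = 'sample-1'; DisplayName = 'WU Client Download'
        OwnerAccount = 'NT AUTHORITY\SYSTEM'
        FileList = @([pscustomobject]@{
            RemoteName = 'http://download.windowsupdate.com/sample/patch.cab'
            LocalName  = 'C:\Windows\SoftwareDistribution\Download\patch.cab' }) },
    [pscustomobject]@{ JobId = 'sample-2'; DisplayName = 'update'
        OwnerAccount = 'WORKSTATION\user'
        FileList = @([pscustomobject]@{
            RemoteName = 'http://files.example.test/payload.exe'
            LocalName  = 'C:\Users\user\AppData\Local\Temp\payload.exe' }) }
)
$sampleJobs | Find-UntrustedBitsJob -TrustedHost $TrustedHosts | Format-List
# Live host, elevated prompt: Get-BitsTransfer -AllUsers | Find-UntrustedBitsJob -TrustedHost $TrustedHosts
```

Only the constructed `sample-2` job is reported. On a live system the check covers only jobs still in the BITS queue at the time it runs, so completed and removed jobs will not appear.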