Malware using the Bits service

Discussion in 'other firewalls' started by dvk01, May 11, 2007.

Thread Status:
Not open for further replies.
  1. hiro

    hiro Registered Member

    Joined:
    Jul 12, 2005
    Posts:
    77
    Hi wat0114, Hi TopperID

    HIPS/firewall do their job OK; the decision of what to accept and what not always stays with the user. And that is the problem.
    Returning to the first post of dvk01.

    Hypothetical scenario:
    "Joe Public clicks on the link to download the "dancing pigs" screen saver.
    Along with the screensaver comes a task job for BITS.
    No AV alert as it is an innocent task job." (Joe's first thought: already 90% safe)

    Joe runs the "dancing pigs" screen saver installation.
    All HIPS alerts are for legitimate Windows applications, with events like:
    "This is likely to be normal activity" (Joe's second thought: 100% safe)
    Joe doesn't know what net.exe, net1.exe, bits, etc. are; he just thinks they are all normal processes run by the screen saver installation. Joe must allow all of them if he wants the new (virus-free) screen saver, right?
    Boom! The "pigs dance" begins.
    After this your system gets a download or, more important for your privacy, an upload to an unknown server.
    In this case the download/upload is performed by svchost.exe, and if your firewall is configured to allow svchost to any IP on port 80/443, you don't get any alert any more.
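
The scenario above (a task job quietly queuing a BITS transfer that svchost.exe then carries out) can be checked for from an elevated PowerShell prompt. This is an added example, not part of hiro's post or the thread; it assumes Windows 7 or later (the BitsTransfer and ScheduledTasks modules), and the allow-list of hosts is a hypothetical placeholder the reader should replace with their own.

```powershell
# Added example (not from the thread). Requires an elevated prompt so that
# Get-BitsTransfer -AllUsers can see jobs owned by other accounts.
Import-Module BitsTransfer

# Hypothetical allow-list: remote hosts we expect BITS jobs to talk to.
$trustedHosts = @('download.windowsupdate.com', 'windowsupdate.microsoft.com')

function Get-SuspiciousBitsJob {
    # Flag every job that uploads, or that downloads from a host not on the list.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            $uri = [System.Uri]$file.RemoteName
            $trusted = $trustedHosts -contains $uri.Host
            if (-not $trusted -or $job.TransferType -ne 'Download') {
                [pscustomobject]@{
                    JobId       = $job.JobId
                    Owner       = $job.OwnerAccount
                    DisplayName = $job.DisplayName
                    State       = $job.JobState
                    Type        = $job.TransferType
                    Remote      = $file.RemoteName
                    Local       = $file.LocalName
                }
            }
        }
    }
}

function Get-BitsadminTask {
    # Scheduled tasks whose action shells out to bitsadmin.exe or the BITS
    # cmdlets: the "task job for BITS" from the scenario.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            "$($_.Execute) $($_.Arguments)" -match 'bitsadmin|Start-BitsTransfer|Add-BitsFile'
        }
    } | Select-Object TaskName, TaskPath, @{
        Name       = 'Command'
        Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
Get-BitsadminTask     | Format-Table -AutoSize
# A job that should not exist can be cancelled with:
#   Get-BitsTransfer -AllUsers | Where-Object JobId -eq <id> | Remove-BitsTransfer
```

Because BITS jobs survive reboots and retry on their own schedule, a job that was queued during the "install" can still be sitting there days later, so this is worth running as a scheduled check rather than once.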
     
  2. wat0114

    wat0114 Guest

    The scenario you describe is actually quite typical, and that is why in this last bit with svchost it is so important to impose tight restrictions in firewall rules. Just look at my screenshot where MS wants svchost to "phone home" with, no doubt, my private info. Naturally I have it permanently blocked. Outpost also warns me whenever the connection attempt is made. I get several warnings a day. One more thing: where does Joe get the dancing pigs screensaver from? This is of utmost consideration also. If he reads the site's privacy policy and with a little more research confirms it to be an "on the level" site, then he probably gets himself a harmless screensaver; otherwise it's his own tough luck that he is so careless in where he gets his gimmicky freebies from.
     

  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    No! There are some programs that run with Windows, ie they start when Windows starts, so you never get alerted on them; the Task Scheduler is one such program (though if the task involved running another app you would be alerted on that, but not if it is just making use of BITS).

    But what of other legitimate progs that are given the right to run without need of a prompt, such as Services.exe, if it is exploited it could perform apparently 'normal' functions without causing intervention from a behaviour blocker etc.
    Yes, it seems to me that you have to do something foolish in the first place to get in this predicament. But it is the one big weakness of HIPS progs that if the user allows a prog to run during a D/L and install, then it will circumvent the execution protection of HIPS.
     
    Last edited: May 14, 2007
  4. hiro

    hiro Registered Member

    Joined:
    Jul 12, 2005
    Posts:
    77
    Why are you so angry? Is it with Joe or with me?
    wat, Joe and the dancing pigs screensaver are only an example invented by dvk01 to liven up the discussion; it is a hypothetical scenario. I don't know if it exists, do you?
    I instead wanted to help people understand the problem; then each does as he wants.
     
  5. wat0114

    wat0114 Guest

    No anger here at all :) I just posed the question and I realize your example is only hypothetical, and it is a very good one at that. In reality Joe, or whoever it is, has a choice. Either he downloads it or he doesn't, and he can freely choose from where he downloads it. If he does not want to exercise common sense in the process, then he has already lost half the battle. That is all I am saying. It is the same with those who seek out pirated software and keygens from P2P sites and get themselves into trouble that way. They still have a choice and they can use common sense to guide themselves in the process.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Blocking svchost from network access seems the best bet since otherwise not only BITS but any other service can piggyback onto svchost to gain network access.

    This then raises the question of how to do Windows updates:
    • Download patches from the Microsoft Security Bulletins page or use a third party tool like AutoPatcher;
    • Temporarily allow svchost network access while running an update manually;
    • Create a firewall rule allowing svchost access to "known" Windows update URLs only (since MS use Akamai for load balancing, doing this by IP address is impractical unless Hosts file entries are used to limit the URLs to specific IP addresses only).
    All these methods have strengths and downsides so the "best" choice will have to come down to user preference.

    SSM can intercept attempts to start and stop services (though net.exe and net1.exe should have the "With these command line parameters" option enabled so that each service requires separate rules) but this won't cover the case where a service is already started by other software.
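
The three update options listed above all turn on the fact that a 2007-era personal firewall could only see svchost.exe, not the service inside it. Windows Firewall with Advanced Security can scope a rule to a single hosted service, which is what the following added example uses; it is not code from the thread or from any of the products mentioned, and it assumes Windows 8 / Server 2012 or later (the NetSecurity module) run from an elevated prompt. The rule name and the transfer URL are hypothetical.

```powershell
# Added example (not from the thread). Elevated prompt required.
$svchost  = "$env:SystemRoot\System32\svchost.exe"
$ruleName = 'Block BITS outbound (svchost)'   # hypothetical rule name

# Scope the block to the BITS service inside svchost.exe rather than to
# svchost.exe as a whole, so the other netsvcs services are not affected.
# A block rule beats an allow rule in Windows Firewall, so while this rule
# is enabled BITS cannot get out regardless of other allow rules.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
        -Program $svchost -Service BITS -Action Block -Profile Any | Out-Null
}

# Log dropped packets so blocked BITS attempts appear in pfirewall.log.
Set-NetFirewallProfile -All -LogBlocked True

# Option 2 from the list: lift the block only for the duration of a manual
# update or a known-good transfer, and restore it even if the work throws.
function Invoke-WithBitsAllowed {
    param([Parameter(Mandatory)][scriptblock]$Work)
    Disable-NetFirewallRule -DisplayName $ruleName
    try     { & $Work }
    finally { Enable-NetFirewallRule -DisplayName $ruleName }
}

# Verify the rule really is scoped to the BITS service, not all of svchost.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallServiceFilter |
    Select-Object Service

# Usage (hypothetical URL):
# Invoke-WithBitsAllowed {
#     Start-BitsTransfer -Source 'https://example.invalid/patch.msu' -Destination "$env:TEMP\patch.msu"
# }
```

The trade-off is the one the post already names: Windows Update has historically pulled its downloads through BITS, so a standing block on the service also stalls automatic updates until the block is lifted, which is why the example wraps the "temporarily allow" step in a try/finally rather than leaving it to memory. Option 3 (allowing only Windows Update hosts) still cannot be expressed by URL in these rules; `-RemoteAddress` takes IP addresses and ranges only.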
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  8. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    SSM can intercept attempts to start .exe services, but BITS is a .dll based service (qmgr.dll) run by svchost.exe, so how can SSM intercept that?

    SSM will give a module alert when BITS changes status to running, but I don't see how you can use this to prevent a .dll service from running.
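
TopperID's point that BITS is qmgr.dll loaded into an svchost.exe rather than its own executable is also why a defender should verify which DLL the service actually points at and which other services share that process. The following is an added example, not from the thread, that reads the service's ServiceDll registry value, checks it against the expected path and signature, and lists the co-hosted services; it assumes Windows Vista or later with PowerShell 3+ and an elevated prompt.

```powershell
# Added example (not from the thread). Elevated prompt required.
function Get-BitsHostingInfo {
    $svc = Get-CimInstance Win32_Service -Filter "Name='BITS'"

    # The DLL a svchost-hosted service loads is named in Parameters\ServiceDll.
    # A ServiceDll pointing anywhere but System32\qmgr.dll is the thing to look for.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS\Parameters' -Name ServiceDll
    $dll      = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    $expected = Join-Path $env:SystemRoot 'System32\qmgr.dll'

    # Windows system DLLs are catalog-signed; on Windows 8+ Get-AuthenticodeSignature
    # consults the catalogs, so a genuine qmgr.dll reports Status = Valid.
    $sig = Get-AuthenticodeSignature -FilePath $dll

    # Every other service hosted in the same svchost.exe shares its network
    # permissions in a per-program firewall. ProcessId is 0 when BITS is stopped.
    $siblings = if ($svc.ProcessId) {
        (Get-CimInstance Win32_Service -Filter "ProcessId=$($svc.ProcessId) AND Name<>'BITS'").Name
    } else { @() }

    [pscustomobject]@{
        State           = $svc.State
        HostCommand     = $svc.PathName        # e.g. svchost.exe -k netsvcs
        HostPid         = $svc.ProcessId
        ServiceDll      = $dll
        DllIsExpected   = ($dll -ieq $expected)
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        CoHostedWith    = ($siblings -join ', ')
    }
}

Get-BitsHostingInfo | Format-List
```

`DllIsExpected` being false, or a signature status other than Valid, means the "BITS" that svchost.exe loads is not Microsoft's qmgr.dll; the `CoHostedWith` list shows exactly which other services a program-level rule for that svchost.exe would also be granting network access to.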
     