Malware using the Bits service

Discussion in 'other firewalls' started by dvk01, May 11, 2007.

Thread Status:
Not open for further replies.
  1. dvk01 (Global Moderator) | Joined: Oct 9, 2003 | Posts: 3,131 | Location: Loughton, Essex. UK
    I have put this in other firewalls because I think it is a firewall related topic, but if anyone feels different please feel free to move it to wherever you feel is more suitable.

    http://www.computerworld.com/action...icleBasic&articleId=9019118&source=rss_news10

    Some of us have been discussing this for over 1 year now, so Symantec might be a bit slow with it coming out.
    See an article by GKweb warning of the problems: http://www.firewallleaktester.com/news.htm (scroll down to June 10th 2006).

    In MY view it is potentially a very serious risk.

    In the typical hypothetical situation:

    Joe Public clicks on the link to download the "dancing pigs" screen saver.

    Along with the screensaver comes a task job for BITS.

    No AV alert as it is an innocent task job. No firewall alert as the download is via BITS, which is automatically allowed in EVERY firewall by default.

    The first thing downloaded is a rootkit component, over a period of time, so no warnings with flashing TVs in the sys tray or sudden slowdowns due to downloading large files, and it continues to install lots of malware.

    Once the rootkit installs, say the latest PE386 (Rustock C) for example, that hides from just about every antivirus known & hides all the malware files it downloads, so AV can't see them or scan them.

    Boom.

    One infected computer that is 0wned by the rootkit/malware.

    And it is not an unknown scenario, and could explain a lot of the current stealth installs of malware where the victims have what we would normally describe as adequate or good protection, for example KAV & a recognised firewall.

    I might be over-exaggerating the potential for this one to be a potent avenue for infection, but as we close off as many other infection vectors as we can, then new ones are always found.
     
  2. flinchlock (Registered Member) | Joined: Jan 30, 2005 | Posts: 554 | Location: Michigan
    I disabled Windows Update (WUP) from the very beginning, and instead use Microsoft Baseline Security Analyzer (MBSA). I also have BITS (Background Intelligent Transfer Service) disabled.

    Dancing pigs => http://en.wikipedia.org/wiki/Dancing_pigs
    Mike

    P.S. Here is how I used MBSA https://www.wilderssecurity.com/showthread.php?t=171521
     
    Last edited: May 11, 2007
  3. Stem (Firewall Expert) | Joined: Oct 5, 2005 | Posts: 4,948 | Location: UK
    Although this is not classed as a firewall vulnerability, there have been posts before on this forum concerning this.

    There are posts on the forum from June last year concerning BITS, as the protection/interception of comms for this was (at that time) to be added to Comodo:
    forum thread
     
  4. dvk01 (Global Moderator)
    Thanks Stem.

    I am not sure what we would actually class this as.

    It is definitely a vulnerability where the majority of firewalls do not alert about BITS connecting, because they are designed not to.

    Now we are seeing the start of malware using the BITS service in the wild with no alerts warning about connections, and I don't know how we get around it.

    Microsoft seem to be encouraging the use of BITS for updating applications, so a total block on svchost.exe to non-Microsoft sites isn't a suitable answer, so it's all open to debate.
     
  5. Stem (Firewall Expert)
    Personally, I class this as "Well, a good idea at the time",... but as with a number of Windows internal comms, they can be used by malware.

    As we know, it is svchost that actually performs the downloads according to "jobs" from BITS, and as most users allow svchost outbound due to Windows updates etc., a basic firewall will allow this due to user rules allowing svchost outbound. Even if the user has a firewall/HIPS that will intercept these internal comms, most will allow as they will not know what it is.

    This is the main problem. Most users will auto-update Windows, but even if, for example, a user disables svchost from making outbound (before/after an update), then any "jobs" will be performed in that time it is allowed, so harm can be done.

    It is certainly a bad situation, but I could see it coming. Personally, my setup does not allow any direct internet access to svchost, and I manually apply any Windows updates, but this is certainly not what all users will/want, or can, do.
     
  6. TopperID (Registered Member) | Joined: Oct 1, 2004 | Posts: 1,527 | Location: London
    I allow automatic updates for Windows, but I have the BITS service set to run as manual; when updates start I will see the icon in my tray and RD gives a pop-up to facilitate the change of state from 'stopped' to 'started'. SSM also gives an alert on this change of service status. So I have the chance to deny BITS from running if it should ever try to start at any other time.
     
  7. dvk01 (Global Moderator)
    That seems a fair way to do it.

    What rule do you use in RD to do that?

    The only downside I see is that I, along with many others, do turn off RD when doing Windows updates, otherwise I would soon wear out my "click yes" button.

    Also, that doesn't eliminate the risk totally, because as soon as BITS is enabled for Windows Update & you have authorised RD to allow it, then it can still connect to anything else without you knowing at the same time.
     
  8. hiro (Registered Member) | Joined: Jul 12, 2005 | Posts: 77
    I don't see any problem here.
    The program attempts to create an outbound connection or accept an inbound connection. Trojans and other malicious programs/scripts can force trusted applications to establish unauthorized connections with suspicious peers.
    How to prevent this?
    GKweb explains this very clearly: you must create svchost network rules with your firewall.
    A firewall needs user attention to make a final decision on the running process.
    Pay attention to addresses.
    Permit svchost outbound connections only to trusted Microsoft Update IPs/ports.
    How can you find all Microsoft Update IPs from your zone? Easily, if you use a good firewall. For example, Jetico makes this very easy for you.
    Problem solved.
     
  9. tamdam (Registered Member) | Joined: Feb 8, 2007 | Posts: 88
  10. hiro (Registered Member)
    tamdam

    The BITStester leaktest is only a test.
    Every firewall coming with a rule for svchost which allows ports 80 and 443 to every IP can be bypassed!

    Read carefully gkweb's explanation:
    http://www.firewallleaktester.com/news.htm
    Create svchost network rules with your firewall!
    Pay attention to the Microsoft Update IP addresses!

    Then run the BITStester leaktest to test your firewall/svchost rule.
    You can pass it with every firewall!
     
  11. tamdam (Registered Member)
    Well, the scenario outlined by the OP was a malware program adding a job to BITS. When it adds the job, some firewalls like Comodo will actually ask you if you want to allow the malware internet access through a trusted service. In this sense you are right, it is not really a firewall's job to do this. However, some firewalls like Comodo have HIPS-like abilities, and this is one of them.
     
  12. TopperID (Registered Member)
    When an Automatic Windows update is about to happen I have the yellow icon in my sys tray and I get a pop-up from RD that Services.exe wishes to set the following Value:-

    HKEY_LOCAL_MACHINE\System\Controlset002\Services\Bits || start

    That is to change BITS from a stopped state to a started state. If I allow it, BITS will start and updates proceed. Of course I turn off RD at this point, to prevent interference, but BITS will be stopped from running automatically afterwards.

    The point being that if BITS ever wanted to start at an inappropriate moment (ie when I was not doing a Windows update) I could prevent it from doing so.

    I'm using RD to protect the following Keys:-

    HKEY_LOCAL_MACHINE\System\*controlset*\Services**
     
  13. wat0114 (Guest)

    Creating highly restrictive rules for svchost in the firewall, as others have mentioned, seems to be the most effective solution. However, not too many people know how to accomplish this, nor want to be bothered learning how. Further to this, there is no point trying to educate those who are hell-bent on installing spyware-infested PopCap and Zango games and cute browser toolbars.
     
  14. hiro (Registered Member)
    tamdam, TopperID, and all

    Many firewalls/HIPS pass this leaktest and many others.
    But only in a leaktest environment, not in real circumstances.

    When you work with a leaktest, your first worry (when the firewall/HIPS asks) is to block all. You have blocked all, all right, you have passed the leaktest.

    In a real environment it is different. How? A typical explanation/failure you can see in TopperID's post above. Automatic Windows update is about to happen ==> run BITS ==> svchost.exe, all legit Windows application services (it is not a suspicious "pigs.exe", nor the question "is today time to update, or not?"), and what do 99.9% of users do? ALLOW! Your svchost has permission to access the network to every IP on ports 80 and 443, and whatever follows succeeds. The End!

    You can forget about this only with restricted svchost access to the network: svchost access only to trusted IPs/ports and a block-others rule, without any questions!
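    The "restrict svchost to the trusted update endpoints only, block the rest" rule that hiro describes here and in post 8, written out as an added example that is not code from the thread: a PowerShell script for the built-in Windows Firewall (the NetSecurity cmdlets of Windows 8/Server 2012 and later, not the 2007-era Jetico rules the thread discusses). The endpoint list, rule name and function names are assumptions; the addresses are RFC 5737 documentation ranges standing in for whatever your own firewall log shows Windows Update actually contacting.

```powershell
# Added example (not from the thread): scope the svchost.exe instance that
# hosts the BITS service so it may only reach an explicit list of update
# endpoints on 80/443. Requires an elevated PowerShell on Windows 8/2012+.
#
# Windows Firewall evaluates block rules ahead of allow rules, so a "block BITS
# to everything else" rule would also defeat the allow rule below. The
# restriction therefore comes from the profile's default outbound action being
# Block, with explicit allow rules for what you need.

# Constructed placeholder list (RFC 5737 documentation ranges). Replace it with
# the addresses your own update traffic actually uses.
$UpdateEndpoints = @('203.0.113.10', '198.51.100.0/24')

function Set-BitsOutboundAllowList {
    # Creates (or recreates) the allow rule and switches the outbound default
    # to Block so that the allow list is the only path out for the BITS service.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$RemoteAddress = $UpdateEndpoints)

    $name = 'svchost (BITS) outbound: allow update endpoints only'   # assumed rule name
    if ($PSCmdlet.ShouldProcess($name, 'Create BITS allow rule and set outbound default to Block')) {
        # Idempotent: drop any earlier copy of the rule before recreating it.
        Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue

        New-NetFirewallRule -DisplayName $name `
            -Direction Outbound -Action Allow -Profile Any `
            -Program '%SystemRoot%\System32\svchost.exe' -Service BITS `
            -Protocol TCP -RemotePort 80, 443 -RemoteAddress $RemoteAddress | Out-Null

        # Without this the allow rule changes nothing: outbound defaults to Allow.
        Set-NetFirewallProfile -All -DefaultOutboundAction Block
    }
}

function Get-BitsFirewallRule {
    # Audit view: every outbound rule bound to the BITS service, with its
    # action and remote address scope, so the resulting policy can be checked.
    foreach ($rule in Get-NetFirewallRule -Direction Outbound) {
        $service = ($rule | Get-NetFirewallServiceFilter).Service
        if ($service -ne 'BITS') { continue }
        $addresses = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Action        = $rule.Action
            Enabled       = $rule.Enabled
            RemoteAddress = ($addresses -join ', ')
        }
    }
}

# Dry run first, then apply without -WhatIf once the endpoint list is right.
Set-BitsOutboundAllowList -WhatIf
Get-BitsFirewallRule | Format-Table -AutoSize
```

    Because the outbound default becomes Block, every other program you rely on also needs its own allow rule; that is exactly the operational cost Stem raises later in the thread, and the update endpoints themselves change over time, so the list is something to maintain rather than set once.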
     
  15. Stem (Firewall Expert)
    Hi hiro,
    Yes, I understand and agree that placing restrictions on svchost can give the user this control. But as mentioned, there are not many users who want to, or know how to, set such rules.
    If we look at Jetico, most users are put off using this firewall due to the many popups and confusion over rule creation. Yes, there is a list of server IPs shown at the leaktest website, but this may be incorrect for a user's location; other mirror sites used by Microsoft may use many other IPs (which could be hundreds or more), and this would just put the user off by having to keep adding rules. You will also note that most users try to stay with an application firewall as they do not want to set rules.

    I know that some users can do this: they can set rules as updates are made, check these IPs via whois, then edit rules for IP ranges. To some this is simple; to a lot of others this would be a complete nightmare, and they look for alternatives, such as firewalls that will intercept these possible leaks for them.
     
  16. TopperID (Registered Member)
    So I'm going to load up with dancing pigs at the very moment the Windows Update icon is in my sys tray and I'm about to start updating?

    I don't think so!

    If the dancing pigs had been loaded at an earlier time, then so too would the attempt to start BITS, which would alert me to a problem.
     
  17. dvk01 (Global Moderator)
    Topper, what you are not seeing is the way BITS is designed to work.

    It is intended to allow background updates, and automatic WU is ONE application that is designed to use it.

    ANY application can be set to use it, and that is the worry: if you disable the BITS service except when using WU, then any other program set to use it will also start its download at the moment that WU is allowed to, WITH NO WARNING from the firewall. So you don't have to load dancing pigs; it will detect the connection & enable itself.
     
  18. hiro (Registered Member)
    Hi, Topper.
    Please try this.
    Set the BITS service to manual.
    Then open "Run...", type in "net start bits" without quotes.
    Do you get an alert from SSM?
     
    Last edited: May 12, 2007
  19. Stem (Firewall Expert)
    Result:

    [Attached screenshot: Capture31-08-2006-11.44.1813-05-2007-00.41.46.jpg]

    This is a child process, not internal comms. I would prefer, for such cases, that SSM put this through the services firewall (it was mentioned/on the to-do list a long time ago).
     
  20. TopperID (Registered Member)
    That's interesting - I actually get several alerts from SSM, including ones that net.exe and net1.exe wish to run, BUT in this situation, when I click to allow, I do not get a pop-up from RD indicating a change of status for BITS; BITS simply runs (confirmed by SSM Module Alert) without RD noticing anything. I haven't quite got that figured. o_O
    So you mean that the application wishing to use BITS does not attempt to start the service itself but simply waits for BITS to run at a later date?

    That could be a long wait, surely scans will pick something up in the interval?

    In any case, with execution protection anything downloaded on the system should not be able to run, should things get that far.
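    As an added example (not code from the thread), a PowerShell script for the check that dvk01's scenario in posts 1 and 17 and the "net start bits" experiment in posts 18 to 20 call for: enumerate every BITS job on the machine regardless of owner, flag the ones whose remote URL is not on an allow-list of update hosts, and show when the Service Control Manager last recorded the BITS service entering the running state. It uses the BitsTransfer module and Get-WinEvent of modern Windows rather than the 2007 tools in the thread; the allow-list and the function names are assumptions.

```powershell
# Added example (not from the thread): a defender's view of the BITS job queue
# and of BITS service starts. Run elevated, because Get-BitsTransfer -AllUsers
# needs administrative rights to see jobs owned by other accounts and SYSTEM.
# Equivalent CLI view: bitsadmin /list /allusers /verbose
Import-Module BitsTransfer

# Constructed allow-list of host suffixes that legitimate update traffic uses.
# Add your own software vendors; any other remote host is flagged.
$AllowedHostSuffixes = @('microsoft.com', 'windowsupdate.com')

function Test-AllowedHost {
    # True when the URL's host is one of the allowed suffixes or a subdomain of it.
    param([string]$Url)
    try { $hostName = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($suffix in $AllowedHostSuffixes) {
        if ($hostName -eq $suffix -or $hostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # One record per (job, file) pair; Suspicious is set when the remote host is
    # not on the allow-list. A job owned by an unexpected account, or fetching
    # from a host you do not recognise, is what the thread's scenario looks like.
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            [pscustomobject]@{
                Owner      = $job.OwnerAccount
                Job        = $job.DisplayName
                State      = $job.JobState
                Created    = $job.CreationTime
                RemoteUrl  = $file.RemoteName
                LocalPath  = $file.LocalName
                Suspicious = -not (Test-AllowedHost $file.RemoteName)
            }
        }
    }
}

function Get-BitsServiceStart {
    # The Service Control Manager logs System event 7036 whenever a service
    # changes state; keep only the entries for BITS entering the running state.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Background Intelligent Transfer Service*running*' } |
        Select-Object TimeCreated, Message
}

function Get-BitsJobEvent {
    # The BITS client's own operational log records job creation (ID 3) and the
    # start/stop of each transfer together with its URL (IDs 59 and 60).
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 3, 59, 60
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: show only the flagged jobs, then the recent service starts and job events.
Get-SuspiciousBitsJob | Where-Object Suspicious | Format-Table -AutoSize
Get-BitsServiceStart | Format-Table -AutoSize -Wrap
Get-BitsJobEvent | Format-Table -AutoSize -Wrap
```

    The 7036 entries are the service starts that TopperID's RD rule on the Bits service key is meant to catch, and the job list answers dvk01's point that any application can queue a job: a job sitting in the queue waiting for the next legitimate update window shows up here even though no connection has been made yet.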
     
  21. flinchlock (Registered Member)
    Per http://www.firewallleaktester.com/news.htm (my bolding)
    What an understatement! :eek:

    Mike
     
  22. hiro (Registered Member)
    As we have seen, with a simple innocent command we have upset the absolute trust in safety software a little. That is positive: the more doubt you have, the surer you are!
     
  23. wat0114 (Guest)

    So we see it's no big deal using SSM or a similar HIPS to stop this kind of action if it were not a known, anticipated and expected test and one we actually want to launch.

  24. TopperID (Registered Member)
    Perhaps not quite so simple, because these alerts are for programs seeking to launch. Supposing the prog attempting to utilize BITS is already running?

    The example postulated involves (if I understand it correctly) downloading something that secretly places a task in the Task Scheduler folder, and this will run with Windows. So the task will run whenever scheduled (eg every hour) and presumably makes use of BITS, if it is running, to D/L a rootkit.

    Mind you, I'm not clear how the rootkit will install and do damage if you are running suitable HIPS progs.
     
  25. wat0114 (Guest)

    That is a good point Topper, but does that not still take us back to the original stipulation that the already running program had to be authorized by the HIPS in the first place? It is possible to slip up and allow it, but I'm pretty content knowing that as long as I have very tight firewall rules, call home or download attempts by the malware should be practically eliminated. Private data leakage concerns me far more than my data getting destroyed by malware. Backups and images will easily resolve the latter issue.
     