Malware using the Bits service

I disabled Windows Update (WUP) from the very beginning, and instead use Microsoft Baseline Security Analyzer (MBSA). I also have BITS (Background Intelligent Transfer Service) disabled.

Dancing pigs => http://en.wikipedia.org/wiki/Dancing_pigs

Mike

P.S. Here is how I used MBSA https://www.wilderssecurity.com/showthread.php?t=171521

 

Although this is not classed as a firewall vulnerability, there have been posts before on this forum concerning this.

There are posts on forum from "june" last year concerning "BITS", as the protection/interception of comms for this where (at that time) to be added to comodo
forum thread

 

Personally, I class this as "Well, a good idea at the time",... but as with a number of windows internal comms, they can be used by malware.

As we know, it is svchost that actually performs the downloads according to "Jobs" from "BITS", and as most user allow svchost outbound due to windows updates etc then a basic firewall will allow this due to user rules allowing svchost outbound. Even if the user as a firewall/hips that will intercept these internal comms, most will allow as they will not know what it is.

This is the main problem. Most users will auto update windows, but even if for example, a user disables svchost from making outbound (before/after an update), then any "jobs" will be performed in that time it is allowed, so harm can be done.

It is certainly a bad situation, but I could see it coming. Personally, my setup does not allow any direct internet access to svchost, and I manually apply any windows updates, but, this is certainly not what all users will/want, or can do.

 

I allow automatic updates for Windows, but I have the BITS service set to run as manual; when updates start I will see the icon in my tray and RD gives a pop-up to facilitate the change of state from 'stopped' to 'started'. SSM also gives an alert on this change of service status. So I have the chance to deny BITS from running if it should ever try to start at any other time.

 

I don't see here any problem.
The program attempts to create outbound connection or accept inbound connection. Trojans and other malicious programs scripts can force trusted applications to establish unauthorized connections with suspicious peers.
How to prevent this?
GKweb explain this very clearly, yuo must create svchost network rules with your firewall.
Firewall needs in a user attention to make a final decision on the running process.
Draw your attention on addresses.
Permit svchost outbound connection only to trusted microsoft update IP/port.
How you can find all microsoft update IP from your zone? easily if you use good firewall. For example, Jetico make this for you very easy.
Problem solved.

 

hiro

some firewalls do not block BITS activity

check david matousec's firewall tests:

http://www.matousec.com/projects/wi...ysis/leak-tests-results.php#firewalls-ratings

the "BITStester" leaktest actually does what the OP suggested a trojan/backdoor could do.

You can try out BITStester leaktest for yourself:

http://www.matousec.com/projects/wi...alysis/introduction-firewall-leak-testing.php

To the OP, comodo and some other firewalls actually detect this activity

 

tamdam

BITStester leaktest is only test.
Every firewall, coming with a rule for svchost which allows ports 80 and 443 to every IP, can be bypassed!

Read carefully gkweb explanation:
http://www.firewallleaktester.com/news.htm
Create svchost network rules with your firewall!
Draw your attention on microsoft update IP addresses!

Then run BITStester leaktest to test your firealls/svchost rule.
Yuo can pass it with every firewalls!

 

well the scenario outlined by the OP was a malware program adding a job to BITS. When it adds the job some firewalls like comodo will actually ask you if you want to allow the malware internet access through a trusted service. In this sense you are right, it is not really a firewall's job to do this. However some firewalls like comodo have HIPS-like abilities, this is one of them.

 

When an Automatic Windows update is about to happen I have the yellow icon in my sys tray and I get a pop-up from RD that Services.exe wishes to set the following Value:-

HKEY_LOCAL_MACHINE\System\Controlset002\Services\Bits || start

That is to change BITS from a stopped state to a started state. If I allow it, BITS will start and updates proceed. Of course I turn off RD at this point, to prevent interference, but BITS will be stopped from running automatically afterwards.

The point being that if BITS ever wanted to start at an inappropriate moment (ie when I was not doing a Windows update) I could prevent it from doing so.

I'm using RD to protect the following Keys:-

HKEY_LOCAL_MACHINE\System\*controlset*\Services**

 

Creating highly restrictive rules for svchost in the firewall, as others have mentioned, seems to be the most effective solution. However, not too many people know how to accomplish this - nor want to be bothered learning how. Further to this, there is no point trying to educate those who are hell bent on installing, spyware-infested popcap and zango games and cute browser toolbars.

 

tamdam, TopperID, and all

Many firewall/HIPS pass this leaktest and many others.
But only in leaktest environment, not in real circumstances.

When you work with leaktest your first worry is (when firewall/hips ask) to block all. You have block all, all right, your have pass the leaktest.

In real environment is different, how? typical explanation/failure you can see in TopperID post above.Automatic Windows update is about to happen ==> run BITS ==> svchost.exe, all legit win application-services (is not suspicious "pigs.exe", or question, is today time to update, or not), and what make 99.9% of user? ALLOW! yuor svchost have permission to access to network to every IP ports 80 and 443, and what succeed, The End!

You can forget on this only with restricted svchost access to network, svchost access only to trusted IP/port and block others-rule, without any questions!

 

Hi hiro,
Yes, I understand and agree that placing restrictions on svchost can give the user this control. But as mentioned, there are not many users who want, or know how to set such rules.
If we look at Jetico, most users are put off using this firewall due to the many popups and confusion on rules creation, yes, there is a list of server IP`s shown at the leaktest website, but this may be incorrect for a users location, other mirror sites used by microsoft may use many other IP`s (which could be hundreds or more), and would just put the user off keep adding rules. You will also note, most users try to stay with an application firewall as they do not want to set rules)

I know, that some users can do this, they can set rules as updates are made, check these IP`s via whois, then edit rules for IP ranges, to some this is simple, to a lot of others this would be a complete nightmare, and they look for alternatives, such as firewalls that will intercept these possible leaks for them

 

So I'm going to load up with dancing pigs at the very moment the Windows update icon is in my sys tray and I'm about to start updating?

I don't think so!

If the dancing pigs had been loaded at an earlier time, then so to would the attempt to start BITS, which would alert me to a problem.

 

Hi,Topper
Please try this.
Set bits-services to manual.
Then open "Run..", type in "net start bits" without quote.
Do you have alert from SSM?

 

Result:



This is child process, not internal comms. I would prefer for such, that SSM put through the services firewall (it was mentioned/todo list a long time ago)

 

That's interesting - I actually get several alerts from SSM, including ones that net.exe and net1.exe wish to run, BUT in this situation, when I click to allow, I do not get a pop-up from RD indicating a change of status for BITS; BITS simply runs (confirmed by SSM Module Alert) without RD noticing anything. I haven't quite got that figured.

So you mean that the application wishing to use BITS does not attempt to start the service itself but simply waits for BITS to run at a later date?

That could be a long wait, surely scans will pick something up in the interval?

In any case, with execution protection anything downloaded on the system should not be able to run, should things get that far.

 

Per http://www.firewallleaktester.com/news.htm (my bolding)

What an understatement!

Mike

 

Have seen, with the simple innocent command we have an a little upset the absolute trust in safety software, way positive, more doubt that you have, surer you are!

 

So we see it's no big deal using SSM or a similar HIPS to stop this kind of action if it were not a known, anticipated and expected test and one we actually want to launch.

 

Perhaps not quite so simple, because these alerts are for programs seeking to launch. Supposing the prog attempting to utilize BITS is already running?

The example postulated involves (if I understand it correctly) downloading something that secretly places a task in the Task Sheduler folder and this will run with Windows. So the task will run whenever scheduled (eg every hour) and presumably makes use of BITS, if it is running, to D/L a rootkit.

Mind you I'm not clear how the rootkit will install and do damage if you are running suitable HIPS progs.

 

That is a good point Topper, but does that not still take us back to the original stipulation that the already running program had to be authorized by the HIPS in the first place? It is possible to slip up and allow it, but I'm pretty content knowing that as long as I have very tight firewall rules, call home or download attempts by the malware should be practically eliminated. Private data leakage concerns me far more than my data getting destroyed by malware. Backups and images will easily resolve the latter issue.