Guidelines for a Safe and Sound Windows Update

By CIOReview | Wednesday, August 17, 2016

Maintaining adequate computer security is becoming more challenging by the day. Hackers are using advanced techniques, and the most basic software component of a computer—the operating system—is falling prey to cyberattacks. Hackers have even started tricking highly secure and sophisticated OS update systems in order to breach the security perimeter.

The Microsoft Update

Recently, Microsoft alerted users about a malware program named Win32/Jowspry that uses the Windows Update service to download malicious files to the computer. Although the simplest remedy would be to stop updating the OS, that is unwise, since the system would then remain vulnerable to newer attacks. Windows uses a service called Background Intelligent Transfer Service (BITS) to interact with the Windows Update site. BITS transfers files between the client system and the Microsoft server and provides progress information on the update. BITS can also transfer files asynchronously in the foreground or background, preserve the responsiveness of other network applications, and even automatically resume file transfers after a network disconnection or a computer restart.

During a normal Windows auto-update scenario, BITS, running in the background, uses idle bandwidth to download Windows patches and updates. The service also facilitates file transfers for Windows Server Update Services, Microsoft’s instant messaging products, and Systems Management Server. Because it is a trusted component of the OS, the built-in Windows Firewall grants BITS data transfer access without triggering any warnings or user consent requests.

Hackers have developed tricks to exploit this service to quickly bypass one of their primary obstacles—the Windows Firewall. Bypassing the OS firewall filters enables installation of malicious files without alerting users to anything abnormal about the download. Even advanced network-based firewalls are reported to struggle to distinguish legitimate BITS downloads from malware. The low-bandwidth and asynchronous nature of BITS further makes it hard for firewalls to analyze the malicious activity taking place during the update.

Attack Scenario

The actual attack scenario is not the result of any security flaw in the Windows Update service or of any malicious files on Microsoft’s server. The attack begins when a user downloads Win32/Jowspry and executes the program on the host computer. TrojanDownloader:Win32/Jowspry is a malicious application that uses BITS to download component programs from the Internet, possibly via HTTP or FTP URLs. Win32/Jowspry may masquerade as a non-executable file by using the file icons associated with applications such as Adobe Acrobat (PDF) or Microsoft Word documents (.doc).

Generally, the attackers create a self-contained BITS task that never appears in the registry of the infected machine, leaving footprints only as entries in the BITS database. The scripts then run the usual gamut of malicious activity: pulling malware from a remote server, running an installation script, and then launching a clean-up script once the payload is installed. When the transfer is complete, BITS launches a notification program that starts a Windows batch script to finalize and clean up the BITS job entry, check the download, and delete itself on completion.

Once the malware is successfully installed on the client system, it gradually carries out the task assigned by its author. The Trojan links up with the update service and uses BITS to ‘safely’ download and install the additional malware components it needs to launch the attack. BITS is not the attack vector for the initial infection; it is merely the mechanism the malware uses to evade and bypass the firewall.

Securing Windows

One of the most effective ways to tackle the Windows Update attack is to raise awareness among users by educating them on security policies for handling files from unknown sources. Knowledge of viruses and malicious programs will in fact reduce the likelihood of users downloading Jowspry or any other malicious program that could pose a threat. Some experts have also suggested restricting BITS access to approved or trusted URLs. Because many third-party software vendors use BITS to distribute software updates, such limits would be a burdensome workaround, one that would require careful design and maintenance of a whitelist of approved URLs. Using up-to-date antivirus software with an additional built-in firewall is also recommended as a security measure. BITS supports Hypertext Transfer Protocol Secure (HTTPS): installing an SSL certificate on the network server and in the client’s trusted store lets BITS transfers run over HTTPS, reducing the opportunity for interference.
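As an added, illustrative example (not code from the article or from Microsoft), the PowerShell below audits BITS jobs against an allow-list of update hosts and flags jobs that use plain HTTP or carry a post-transfer notification command, the hook the article describes for launching clean-up scripts. The allow-list and the two sample jobs are constructed, and the script assumes the job objects expose the JobId, DisplayName, OwnerAccount, NotifyCmdLine and FileList/RemoteName properties that Get-BitsTransfer returns.

```powershell
# Added example (not from the article): audit BITS jobs against an allow-list of
# update hosts and flag jobs that use plain HTTP or carry a post-transfer
# notification command, the hook the article describes for launching clean-up scripts.
$AllowedHosts = @(                       # constructed allow-list; adjust per environment
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'wsus.corp.example'                  # placeholder for an internal WSUS server
)

function Test-BitsJob {
    param(
        [Parameter(Mandatory)] $Job,     # a BitsJob from Get-BitsTransfer, or a look-alike
        [string[]] $Allowed = $AllowedHosts
    )
    $findings = @()
    foreach ($file in $Job.FileList) {
        try   { $uri = [System.Uri]$file.RemoteName }
        catch { $findings += "unparseable URL: $($file.RemoteName)"; continue }
        if ($uri.Scheme -ne 'https') {
            $findings += "non-HTTPS transfer: $($uri.AbsoluteUri)"
        }
        if ($Allowed -notcontains $uri.Host.ToLowerInvariant()) {
            $findings += "host not on allow-list: $($uri.Host)"
        }
    }
    if ($Job.NotifyCmdLine) {
        # Legitimate update jobs do not normally need a post-transfer command.
        $findings += "notification command set: $($Job.NotifyCmdLine)"
    }
    [pscustomobject]@{
        JobId    = $Job.JobId
        Name     = $Job.DisplayName
        Owner    = $Job.OwnerAccount
        Findings = $findings
    }
}

# Constructed sample jobs standing in for Get-BitsTransfer output.
$sampleJobs = @(
    [pscustomobject]@{ JobId = '1'; DisplayName = 'Windows Update'; OwnerAccount = 'NT AUTHORITY\SYSTEM'
                       NotifyCmdLine = $null
                       FileList = @([pscustomobject]@{ RemoteName = 'https://download.windowsupdate.com/x.cab' }) },
    [pscustomobject]@{ JobId = '2'; DisplayName = 'update'; OwnerAccount = 'CORP\user'
                       NotifyCmdLine = 'cmd.exe /c C:\Temp\cleanup.bat'
                       FileList = @([pscustomobject]@{ RemoteName = 'http://203.0.113.10/p.bin' }) }
)
$sampleJobs | ForEach-Object { Test-BitsJob $_ } | Where-Object { $_.Findings.Count -gt 0 } | Format-List
# Live audit (run elevated to see every user's jobs):
# Get-BitsTransfer -AllUsers | ForEach-Object { Test-BitsJob $_ } | Where-Object { $_.Findings.Count -gt 0 }
```

Only the second sample job is reported, with three findings (plain HTTP, an unlisted host, and a notification command); the same checks can be pointed at a live host with the commented Get-BitsTransfer line.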

BITS was not originally part of Windows until 1995; it was first included in Windows XP Service Pack 1 and Windows 2000 Service Pack 3, and it is now part of almost every Windows operating system. Although the BITS attack may appear to have a straightforward fix, the Windows Update hijack highlights the increasing sophistication of attackers and their growing in-depth understanding of Windows. Securing connected computers is one of the most significant elements of protecting privacy, reducing the possibility of identity theft, and thwarting hackers from compromising sensitive information.