
Re: [News] [Rival] New Windows Vista Crack Exploits UAC

Roy Schestowitz wrote:

> Hackers hijack Windows Update's downloader
> 
> ,----[ Quote ]
> | Hackers are using Windows Updates' file transfer component to sneak
> | malicious code downloads past firewalls, Symantec researchers said
> | Thursday.
> | 
> | The Background Intelligent Transfer Service (BITS) is used by
> | Microsoft's operating systems to deliver patches via Windows
> | Update. BITS, which debuted in Windows XP and is baked into
> | Windows Server 2003 and Windows Vista, is an asynchronous file
> | transfer service with automatic throttling -- so downloads
> | don't impact other network chores. It automatically resumes
> | if the connection is broken.
> `----
> 
> http://news.yahoo.com/s/infoworld/20070510/tc_infoworld/88424;_ylt=AmG6tVfakzdyOhladyyKQMYjtBAF

That one was sort of an inevitable target, get hold of that and you
effectively have all XP/Vista machines under your thumb. I suspect many a
hacker has spent many hours on this one, the prize to them is too great to
ignore.

But of course it is an area where MS cannot get complacent for those same
reasons.

What to do about it? Well, obviously SSL comms means that the traffic in
transit is safe, so the machine must already be compromised (as it says in
that article) to have any chance of success, but having the one key at the
user end isn't enough to hijack SSL.

The only way I can think of this possibly working is that they add a key of
their own; that must be obvious, though, to anyone who looks at the security
keys. Let's say they have got around any warnings that a secure key is being
installed. I still don't think it would work; it would be far too easy for
third-party security software to pick it up.

I just tried to look it up because I am fairly certain that the client keys
for this are effectively hardwired at install time, or rather the first
time the machine registers: the client key is generated on the MS servers,
transferred this one time, then the MS updater only uses this one key.

So obviously that particular key is of no use to a hacker.

The only ways I can see this hack working have to do with being able to
replace both the key and the target for the updates. That is such an
obvious hack that I am certain that MS would not make it possible, because
it would have been cracked long ago if it was. Something daft like
        Registry->HKEY->security->Target = ftp.msupdates.com
        Registry->HKEY->Security->Key = 01ABC34..

(no one is that daft)

But then another thought occurred: that they don't actually need a key at all.
All they need to do, if they already have code on board, is hook the
installer and add the hacker's code to the processing already going on;
it needn't interfere with the Windows updates at all.

But that still requires a trojan as well as downloading the hacker's extra
code separately. So all the hacker really gains is that he bypasses any
warning messages to the user about software installing.

It doesn't sound like a very difficult crack to beat, I would have thought.
If I'm right, the MS updater hasn't been compromised at all, and I really
don't believe it can be, but possibly there is a hook problem that needs to
be checked. The obvious thing, though, is that Symantec should be making sure
that trojan doesn't get on there in the first place.
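The article quoted above says malware on an already-compromised machine was handing its downloads to BITS so that they blend in with Windows Update traffic. The defender's check that follows is an added example and is not part of the original post or of any Microsoft tooling: it enumerates every user's BITS jobs on a Windows host and lists those whose download source is not one of an assumed allowlist of Microsoft update hosts. It assumes an elevated PowerShell session with the BitsTransfer module available (Get-BitsTransfer -AllUsers needs administrator rights); the allowlist and the Test-TrustedHost helper are constructed for this example.

```powershell
# Added example, not from the original post: list BITS jobs for all users
# whose remote URL is not on a trusted-host allowlist.
# Assumes an elevated PowerShell session with the BitsTransfer module.
Import-Module BitsTransfer

# Constructed allowlist of hosts Windows Update is expected to use.
# Extend it with your WSUS server or other legitimate BITS consumers.
$trustedHosts = @('windowsupdate.com', 'update.microsoft.com', 'microsoft.com')

# Hypothetical helper: true when the URL's host is, or is under, a trusted host.
function Test-TrustedHost {
    param([string]$Url)
    try {
        $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()
    } catch {
        # Unparseable URL: treat as untrusted so it is surfaced for review.
        return $false
    }
    foreach ($t in $trustedHosts) {
        if ($hostName -eq $t -or $hostName.EndsWith(".$t")) { return $true }
    }
    return $false
}

# Walk every job (all users) and every file in each job.
$suspicious = foreach ($job in Get-BitsTransfer -AllUsers) {
    foreach ($file in $job.FileList) {
        if (-not (Test-TrustedHost $file.RemoteName)) {
            [pscustomobject]@{
                Owner     = $job.OwnerAccount
                JobName   = $job.DisplayName
                State     = $job.JobState
                Created   = $job.CreationTime
                RemoteUrl = $file.RemoteName
                LocalPath = $file.LocalName
            }
        }
    }
}

if ($suspicious) {
    # Review these by hand: a download job owned by an ordinary user account
    # that writes an executable to a temp directory is worth a closer look.
    $suspicious | Format-Table -AutoSize
} else {
    Write-Output 'No BITS jobs with untrusted download sources.'
}
```

This only sees jobs that still exist in the BITS queue; for jobs that have already completed, the Microsoft-Windows-Bits-Client/Operational event log records job starts together with their URLs, so the same host check can be run over those events after the fact.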
