Symantec: Windows Update Downloader Can Spread Malware

Researchers at Symantec have published a report highlighting how the Background Intelligent Transfer Service (BITS) -- a main component of Windows Update -- is being used by Trojans to download malware that bypasses firewalls and security controls.

BITS runs in the background and downloads patches to Windows without eating up all available bandwidth. Because it supports the HTTP protocol, it can be used to download almost any file, and Microsoft employs the technology for sending beta versions of its software such as Vista and Windows Server to testers.

But as Symantec points out, this can also include malicious content. "Why does malware use BITS for downloading files? For one simple reason: BITS service is part of the operating system, so it’s trusted and bypasses the local firewall while downloading files," researcher Elia Florio writes.

Traditionally, bypassing a firewall requires a number of complicated tricks, including automating accept messages or disabling the service completely. Trojans such as Win32/Jowspry are already using this download method.

There is no real fix for the issue, as BITS performs the downloads without any verification. But Symantec recommends "the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs."

For its part, Microsoft notes that Windows Update itself is not the real culprit and that the Trojan must first be installed onto a system before it can utilize BITS. The company stopped short of saying whether it intends to make any changes to BITS as a result of the Symantec report.