Researchers: Hackers Can Hijack Windows Update Program

CUPERTINO, Calif. — Hackers are sneaking malware past firewalls by using the file transfer component used by Windows Update, according to researchers at Symantec.

The Background Intelligent Transfer Service, also known as BITS, is used by Microsoft Corp.'s operating systems to deliver patches via Windows Update. BITS debuted in Windows XP and is also part of Windows Server 2003 and the new Windows Vista operating system. It is an asynchronous file transfer service with automatic throttling, so downloads don't impact other network chores, and automatic resumption if the connection is broken.

"It's a very nice component, and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want," Elia Florio, a researcher with Symantec's security response team, said on the group's blog. "Unfortunately, this can also include malicious files."

At present there is no way to block hackers from using BITS, Florio said. "It's not easy to check what BITS should download and not download," he said, and then offered some advice for Microsoft. "Probably the BITS interface should be designed to be accessible only with a higher level of privilege, or the download jobs created with BITS should be restricted to only trusted URLs."

Florio explained why some Trojan makers have started to use BITS to add code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files."

Malware, particularly Trojans — which typically first open a back door to the system for follow-on code — needs to sidestep firewalls to bring additional malicious software, like a keylogger, to the PC. "[But] the most common methods are intrusive [and] require process injection or may raise suspicious alarms," Florio said.

"It is novel," Oliver Friedrichs, director of Symantec's security response group, said. "Attackers are leveraging a component of the operating system itself to update their content. But the idea of bypassing firewalls isn't new."

Symantec first heard about BITS on Russian hacker message boards late last year, Friedrichs said, and has been on the lookout for it since then. A Trojan that was spammed in March was one of the first to put the technique into practice.

"The big benefit BITS gives them is that it lets them evade firewalls," Friedrichs said. "And it's also a more reliable download mechanism. It's free and reliable, and they don't have to write their own download code."

Although BITS powers the downloads delivered by Microsoft's Windows Update service, Friedrichs reassured users about Windows Update. "There's no evidence to suspect that Windows Update can be compromised. If it has a weakness, someone would have found it by now," Friedrichs said. "But this does show how attackers are leveraging components and becoming more and more modular in how they create software. They're simply following the trend of traditional software development,"

Microsoft did not immediately respond to questions about unauthorized BITS use.

Florio's complete blog entry is available here.

Copyright © 2026 Adnet Media. All Rights Reserved. XBIZ is a trademark of Adnet Media.
Reproduction in whole or in part in any form or medium without express written permission is prohibited.

More News

Texas Court Orders Adult Site Domain Locked for AV Violations

A district court in Texas has issued a writ requiring domain registry Verisign to “lock” an adult website’s domain over noncompliance with the state’s age verification law.

Adult Web Hosting Service 'QloudHost' Launches

QloudHost, a new web hosting service for adult websites, has launched.

Peter Hooke Launches New Paysite

Peter Hooke has launched an official website through PAYSITE.

Pineapple Support Names Ny Ny Lew as Brand Ambassador

Pineapple Support has named Ny Ny Lew as its newest brand ambassador.

Federal AV Proposal Passes House, Faces Senate Opposition

The U.S. House of Representatives on Monday passed the Kids Internet and Digital Safety (KIDS) Act, which includes provisions to make age verification by adult websites federal law, but the bill still faces tough going in the Senate.

Devin Drills Launches New Paysite

Creator Devin Drills has launched an official website through PAYSITE.

AV Bulletin: Midyear Roundup

Since the U.S. Supreme Court’s decision in Free Speech Coalition v. Paxton, more state age verification laws have been enacted around the United States, as well as proposed at the federal level and in other countries. Meanwhile, lawsuits resulting from AV laws have begun to play out in the courts. This roundup provides an update on the latest news and developments on the age verification front as it impacts the adult industry.

Judge Dismisses Last NCOSE-Backed Suit Over Kansas AV Law

A federal judge on Monday dismissed a lawsuit alleging that adult site SuperPorn violated Kansas’ age verification law, citing lack of jurisdiction after similarly dismissing two related cases earlier this year.

ASACP Updates 'Restricted to Adults' Labeling Resource Page

The Association of Sites Advocating Child Protection (ASACP) has updated its Restricted to Adults (RTA) labeling resource page.

Federal AV Proposal Scores Minor Win in House but Remains in Doubt

A newly announced bipartisan agreement in the U.S. House of Representatives Committee on Energy and Commerce may soon bring a proposed federal age verification law before the full House, but the measure continues to face an uphill battle.

Show More