Trojan Win32/Jowspry Uses Windows Itself to Bypass Windows Firewall

Adware - Spyware : Trojan Win32/Jowspry Uses Windows Itself to Bypass Windows Firewall

Posted by Max on 2007/5/18 13:29:39 (2916 reads)

Security expert Frank Boldewin said on his website reconstructer.org that he had recently noticed an e-mailed trojan - a type of program or message that looks benign but conceals a malicious payload - which was exploiting a Windows program known as the Background Intelligent Transfer Service (BITS).

At least one program is in circulation that can hijack a key component of Windows Update to introduce malicious software that could be used to hijack a computer.The method bypasses users' firewall, allowing files to download undetected.

Microsoft said it was aware of reports of the attack.BITS is used by Microsoft to download security patches and updates to Windows machines. Because it is part of the operating system, it is able to bypass local firewalls while it downloads.

Mr Boldewin found the trojan was piggybacking on BITS to download malicious files. He published "proof of concept" code to illustrate how it went about it.After analysing this code Elia Florio, a researcher at security firm Symantec, wrote in her blog: "Using BITS to download malicious files is a clever trick because it bypasses local firewalls, as the download is performed by Windows itself, and does not require suspicious actions for process injection."

However, Microsoft said that for BITS to be exploited, machines first had to become infected with the trojan that Mr Boldewin discovered.A spokesperson for the software giant said: "Microsoft is aware of public reports that Background Intelligent Transfer Service (BITS) is being used by TrojanDownloader:Win32/Jowspry to bypass policy-based firewalls in order to install additional malware.

"The bypass relies on [Jowspry] already being present on the system; it is not an attack vector for initial infection."The bypass most commonly occurs after a successful social engineering attempt lures the user into inadvertently running [Jowspry], which then utilizes BITS to download additional malware."Security consultant Robert Schifreen told the BBC News website: "In some ways it is immaterial that it is using BITS.

"The simple message is not to get infected in the first place. Don't click on any links or attachments unless you are certain they are safe and use anti-virus software."Microsoft recommended that anybody who thought they may have been infected with the Jowspry trojan should visit Windows Live OneCare safety scanner.

source

Previous article - Next article

Other articles
2010/3/18 8:07:31 - Panda Cloud Antivirus Receives ICSA Labs' First Cloud-Based Certification
2010/3/17 15:49:34 - Open-Source Email Security Taken To The Next Level at WebhostingDay
2010/3/17 15:18:40 - McAfee Warns ABout Scareware or Fake Antivirus Software
2010/3/2 5:22:13 - VeriSign and AVG Will Integrate VeriSign Trust(TM) Seal Within AVG LinkScanner(R)
2010/3/1 7:36:12 - New Stealth Software Protects P2P Users From Lawsuits by Copyright Holders
2010/2/24 13:55:16 - New State of The Art Firewall By Palo Alto Networks
2010/2/24 13:50:26 - Beware of Fake Antimalware Programs Like PCsProtector
2010/2/24 13:38:02 - New Registry Cleaner Guide Helps Your PC Perform Faster
2010/2/3 7:32:43 - PC Login Now (Full version) Available Now For Free.
2010/2/3 7:11:57 - Mitto Named One of 20 Top Web Applications

The comments are owned by the poster. We aren't responsible for their content.