Attacks Use Windows BITS Notifications to Download Malware

One of the Windows features that has been long abused by cybercriminals is the Windows Background Intelligent Transfer Service (BITS), and researchers at SecureWorks warn that a lesser-known capability in BITS is now leveraged to download malware.

BITS was designed as a native, reliable file transfer capability for Windows that uses idle network bandwidth. It is the mechanism used to deliver operating system updates, and some third-party applications rely on it for their own file transfers. For over a decade, malware authors have leveraged BITS for nefarious purposes, including malware downloads and uploads, launching arbitrary applications, and creating long-lived tasks.

Now, researchers with the SecureWorks Counter Threat Unit (CTU) report that a lesser-known capability, meant to trigger "notification" actions when a job completes, is being abused by cybercriminals. The feature lets malware authors create self-contained, download-and-execute BITS jobs that persist even after the initial malware has been removed from the affected system.

Researchers identified active malicious BITS jobs created to download and execute new malware, and explain that these poisoned jobs spawned installation and clean-up scripts after downloading their payloads. Because the jobs are self-contained in the BITS job database, they required no malicious files or registry modifications on the host, which helped them evade detection.

Two similar pending BITS transfer jobs were found on an affected host, both still active months after the original infection (on March 4) had been detected and cleaned (in mid-March). BITS keeps an inactive job for a default maximum of 90 days, and that limit can be raised by policy, which is why the jobs outlived the malware that created them.

One of these jobs attempted to download a file and save it under C:\ProgramData. As soon as the download completed, the BITS service executed a command as the job's "notification program." That command created and launched a Windows batch script (x.bat) that tried to load the downloaded file with regsvr32.exe, with syntax indicating the file was a DLL. If the file was not found, the script tried to run any file with a .tmp extension in the same directory.

Since BITS stores an unfinished download as a .tmp file and renames it only when the transfer completes, the fallback ensured the payload would run even if it had been downloaded but not yet renamed. The second job was almost identical, differing only in job name, directory name and download URL.
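To see the mechanism described above in a lab, the following PowerShell recreates a benign notification-driven BITS job with bitsadmin. It is an added example, not code from the article or from SecureWorks CTU, and it only appends to a log file where the malware's x.bat called regsvr32. The job name, drop directory and the source URL are assumptions; the URL is a placeholder that must point at an HTTP server you control, and the script must run from an elevated PowerShell.

```powershell
# Added lab example, not code from the article or SecureWorks CTU.
# Recreates a benign notification-driven BITS job so the behaviour described above
# can be observed and used to test detection. Run from an elevated PowerShell.
$JobName   = 'BitsNotifyDemo'
$DropDir   = 'C:\ProgramData\BitsNotifyDemo'      # no spaces: keeps bitsadmin quoting simple
$SourceUrl = 'http://127.0.0.1:8080/benign.bin'    # ASSUMPTION: placeholder, use a lab server you control
New-Item -ItemType Directory -Path $DropDir -Force | Out-Null

# The "notification program": mirrors x.bat's logic from the article (run the named
# file, else fall back to any .tmp left in the directory) but only appends to a log
# instead of calling regsvr32.
$Batch = Join-Path $DropDir 'x.bat'
@"
@echo off
if exist "$DropDir\benign.bin" (
  echo benign.bin present at %DATE% %TIME% >> "$DropDir\notify.log"
) else (
  for %%f in ("$DropDir\*.tmp") do echo fallback would run %%~nxf at %DATE% %TIME% >> "$DropDir\notify.log"
)
"@ | Set-Content -Path $Batch -Encoding Ascii

# 1. Queue the download. BITS writes the in-progress file as a .tmp and renames it only
#    when the transfer completes, which is why the malware's script had a .tmp fallback.
bitsadmin /create /download $JobName | Out-Null
bitsadmin /addfile $JobName $SourceUrl "$DropDir\benign.bin" | Out-Null

# 2. Attach the notification command line. BITS itself launches this when the job
#    transfers (flag 1) or errors (flag 2); no scheduled task, service or Run key is needed.
#    bitsadmin takes the program path and then the full parameter string; the parameter
#    string is handed to the process as its command line, so its first token is the
#    program name again.
bitsadmin /SetNotifyCmdLine $JobName "$env:SystemRoot\System32\cmd.exe" "cmd.exe /c $Batch" | Out-Null
bitsadmin /SetNotifyFlags $JobName 3 | Out-Null

# 3. Start it. The job now lives in the BITS job database, not in a file or registry key
#    that the original dropper has to keep around.
bitsadmin /resume $JobName | Out-Null
bitsadmin /info $JobName /verbose        # the verbose view includes the notification command line

# Cleanup when finished: /cancel removes the job and any partial .tmp it created.
# bitsadmin /cancel $JobName
```

BITS only progresses a job, and therefore only fires its notification command, while the owning account is logged on (jobs created by service accounts are the exception), so stay logged in as the creating user while the demo runs. After the transfer completes or fails, notify.log under the drop directory records which branch of the batch file ran.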

The team found and analyzed the issue last month on a Windows 7 host whose BITS event log recorded previously completed transfers initiated by the malware, without further detail. Although the original malware had been removed from the host a couple of months earlier, these BITS jobs repeatedly attempted to download and execute their payloads.

According to CTU, the original malware was likely a Trojan known as Zlob.Q, which is also said to be related to the DNSChanger malware. On systems that have been infected with this malware, administrators should enumerate active BITS jobs, especially if network or host alerts continue after remediation. The enumeration can be done by running the bitsadmin client from an elevated command prompt (bitsadmin /list /allusers /verbose); the verbose listing shows each job's notification command line, which is the field to inspect. A job that should not be there can be removed with bitsadmin /cancel, which drops it from the queue and deletes its partial downloads. On current Windows versions bitsadmin is deprecated in favour of the PowerShell BITS cmdlets (Get-BitsTransfer -AllUsers to enumerate, Remove-BitsTransfer to cancel), which perform the same job management from an elevated session.
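The enumeration step above can be turned into a repeatable triage check. The PowerShell below is an added example, not code from the article or SecureWorks CTU: it parses the output of bitsadmin /list /allusers /verbose, records each job's owner, state, files and notification command line, and flags jobs whose notification command invokes a script interpreter or LOLBin, or whose payload lands under ProgramData, Temp or AppData. The function name and the matching patterns are assumptions, the field labels are matched loosely because bitsadmin's verbose layout differs slightly across Windows versions, and the sample output at the bottom is constructed so the parser can be exercised offline.

```powershell
# Added triage example, not code from the article or SecureWorks CTU.
# Run elevated so that /allusers can see every account's jobs.
function Get-BitsJobTriage {
    param(
        # Pass captured text to test offline; by default this runs bitsadmin live.
        [string[]]$RawOutput = (bitsadmin /list /allusers /verbose 2>&1 | ForEach-Object { "$_" })
    )
    $jobs = New-Object System.Collections.Generic.List[object]
    $cur = $null
    foreach ($line in $RawOutput) {
        # Each job block starts with "GUID: {...} DISPLAY: 'name'"
        if ($line -match '^\s*GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*''?(.*?)''?\s*$') {
            $cur = [pscustomobject]@{
                Guid = $Matches[1]; Display = $Matches[2]; State = ''; Owner = ''
                Files = @(); NotifyCmdLine = ''; Suspicious = $false
            }
            $jobs.Add($cur)
            continue
        }
        if ($null -eq $cur) { continue }
        if ($line -match 'STATE:\s*(\S+)')     { $cur.State = $Matches[1] }
        if ($line -match 'OWNER:\s*(.+?)\s*$') { $cur.Owner = $Matches[1] }
        # File rows look like "0 / UNKNOWN WORKING http://src -> C:\dest"
        if ($line -match '^\s*\d+\s*/\s*\S+\s+\S+\s+(\S+)\s+->\s+(.+?)\s*$') {
            $cur.Files += "$($Matches[1]) -> $($Matches[2])"
        }
        if ($line -match 'NOTIFICATION COMMAND LINE:\s*(.*?)\s*$') {
            $cur.NotifyCmdLine = $Matches[1]
        }
    }
    foreach ($j in $jobs) {
        $hasCmd = $j.NotifyCmdLine -ne '' -and $j.NotifyCmdLine -notmatch '^(none|null|\(null\))$'
        # A notify command is rare in benign jobs; a script interpreter or LOLBin in it,
        # or a payload dropped under ProgramData/Temp/AppData, is the pattern from the article.
        # ASSUMPTION: these patterns are a starting point, not a complete allow/deny list.
        $lolbin  = $j.NotifyCmdLine -match 'cmd\.exe|regsvr32|rundll32|powershell|mshta|wscript|cscript|\.bat\b|\.vbs\b|\.ps1\b'
        $dropDir = ($j.Files -join ' ') -match '\\ProgramData\\|\\Temp\\|\\AppData\\'
        $j.Suspicious = $hasCmd -and ($lolbin -or $dropDir)
    }
    return $jobs
}

# Constructed sample of verbose output (not captured from a real host) to exercise the parser offline.
$SampleText = @'
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: 'Windows Update'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
JOB FILES:
    1 / 1 WORKING https://update.example.invalid/pkg.cab -> C:\Windows\SoftwareDistribution\Download\pkg.cab
NOTIFICATION COMMAND LINE: none
GUID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} DISPLAY: 'x'
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: LAB\user
JOB FILES:
    0 / UNKNOWN WORKING http://payload.example.invalid/a.bin -> C:\ProgramData\x\a.bin
NOTIFICATION COMMAND LINE: the program 'C:\Windows\System32\cmd.exe' parameters 'cmd.exe /c C:\ProgramData\x\x.bat'
'@
Get-BitsJobTriage -RawOutput ($SampleText -split "`r?`n") |
    Format-Table Guid, Display, Owner, State, Suspicious, NotifyCmdLine -Wrap

# Live run: review the flagged jobs, then cancel. /cancel removes the job from the queue
# and deletes its partial .tmp files, but not anything the notify command already ran.
# Get-BitsJobTriage | Where-Object Suspicious | ForEach-Object { bitsadmin /cancel $_.Guid }
```

On the constructed sample the first job (no notification command) is reported with Suspicious set to false and the second, whose notification command runs cmd.exe against a batch file under C:\ProgramData, with Suspicious set to true. Because the jobs are per-user, a job in TRANSIENT_ERROR owned by an account that is rarely logged on can sit dormant for weeks and then resume; cancelling it is what actually removes the persistence, not deleting the dropped files.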

Related: Angler Exploit Kit Bypasses Microsoft EMET

Related: Malware Uses Clever Technique to Hide DNS Changes