One of the Windows features that has been long abused by cybercriminals is the Windows Background Intelligent Transfer Service (BITS), and researchers at SecureWorks warn that a lesser-known capability in BITS is now leveraged to download malware.
BITS was designed as a native, reliable file transfer capability for Windows that uses idle network bandwidth. It is the functionality used to deliver operating system updates, but it is also employed to handle file transfers in some third-party applications. For over a decade, malware authors have been leveraging BITS for nefarious activities, including malware downloads and uploads, the launch of arbitrary applications, or the creation of long-lasting tasks.
Now, researchers with the SecureWorks Counter Threat Unit (CTU) reveal that a lesser-known capability meant to facilitate “notification” actions when jobs complete is now abused by cybercriminals. The feature allows malware authors to create self-contained, download-and-execute BITS tasks that endure even after the initial malware has been removed from the affected system.
Researchers have identified active malicious BITS jobs created with the purpose of downloading and executing new malware, and explain that these poisoned BITS tasks spawned installation and clean-up scripts after downloading their payloads. Self-contained in the BITS job database, these tasks eliminated the need for malicious files or registry modifications on the host, thus evading detection.
Two similar pending BITS transfer tasks were found on an affected host, both still active a few months after the original malware infection occurred (on March 4) and was detected and cleaned (mid-March). The default maximum lifetime for a BITS job is 90 days, but can be extended, which explains why the tasks are not dependent on the original malware.
One of these tasks attempted to download a file and save it to C:\ProgramData. As soon as the download was completed, the BITS service executed a command as a “notification program.” The command was meant to create and launch a Windows batch script (x.bat) that tried to launch the downloaded file with regsvr32.exe, with syntax that indicated the program is a DLL. If the file wasn’t found, the script would try to run any file with a .tmp extension in the same directory.
Since BITS saves unfinished downloads as .tmp files, the script attempted to ensure that the file would run even if it was downloaded but not renamed. The second task the researchers analyzed was almost identical, but had a different job name, directory name, and download URL.
The team found and analyzed the issue last month, on a Windows 7 host on which the BITS event log included records of previously completed transfers initiated by the malware, without offering additional details. Although the original malware had been removed from the host a couple of months before, these BITS jobs repeatedly attempted to download and execute.
According to CTU, the original malware was likely a Trojan known as Zlob.Q, which is also said to be related to the DNSChanger malware. On systems that have been infected with this malware, admins/users should enumerate active BITS tasks, especially if network or host alerts continue to be generated after remediation. The enumeration can be done by executing the bitsadmin client from cmd with elevated privileges (bitsadmin /list /allusers /verbose).
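The same enumeration can be scripted so that the traits described above (a notification command line, a payload staged under ProgramData or a temp directory, a job still retrying long after the original infection) are flagged automatically. The following PowerShell triage script is an added example, not code from the article or from SecureWorks; it assumes an elevated session with the built-in BitsTransfer module, uses the documented BitsJob properties (NotifyCmdLine, FileList, JobState, CreationTime, OwnerAccount), and the directory pattern and age threshold are constructed heuristics, not vendor indicators.

```powershell
# Added example: triage BITS jobs for all users and flag the traits the
# article describes. Run from an elevated PowerShell prompt.
Import-Module BitsTransfer

# Constructed heuristics (assumptions, not indicators from the article)
$SuspiciousDirPattern = '(?i)\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\'
$MaxExpectedAgeDays   = 30
$StillRetryingStates  = @('Queued', 'Connecting', 'Transferring', 'TransientError')

function Get-SuspiciousBitsJobs {
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # 1. A notification command line turns the job into a self-contained
        #    download-and-execute task; benign update jobs rarely set one.
        if (-not [string]::IsNullOrWhiteSpace($job.NotifyCmdLine)) {
            $reasons += "notification command line: $($job.NotifyCmdLine)"
        }

        # 2. Payload written to a world-writable staging directory.
        foreach ($file in $job.FileList) {
            if ($file.LocalName -match $SuspiciousDirPattern) {
                $reasons += "local path: $($file.LocalName) <- $($file.RemoteName)"
            }
        }

        # 3. Long-lived job still retrying (the lifetime can exceed the 90-day default).
        $age = (Get-Date) - $job.CreationTime
        if ($age.TotalDays -gt $MaxExpectedAgeDays -and
            $StillRetryingStates -contains [string]$job.JobState) {
            $reasons += ('age: {0:N0} days, state: {1}' -f $age.TotalDays, $job.JobState)
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = $reasons -join '; '
            }
        }
    }
}

$findings = @(Get-SuspiciousBitsJobs)
$findings | Format-List
# Keep a record before any cleanup so the job details survive remediation.
$findings | Export-Csv -Path "$env:TEMP\bits-triage.csv" -NoTypeInformation
```

Record the JobId, command line and URLs before acting on a finding; once the details are preserved, `Remove-BitsTransfer` cancels the job so it stops retrying the download. A job that merely has a notification command line is not proof of compromise on its own, so treat the output as a list to review rather than as alerts.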