The Microsoft Windows BITS feature is being used to deliver and reinfect systems with malware even after an infection has been removed, researchers say.
The Windows Background Intelligent Transfer Service (BITS) is a utility used to transfer data between clients and servers. The facility can control client file downloads, server uploads and communication between servers and server applications while transfers are taking place.
According to Dell SecureWorks' Counter Threat Unit (CTU) research team, this utility, albeit useful for a variety of applications, including Windows Update, is being exploited by cyberattackers to download malware and re-infect users after malicious code has been wiped from a system.
In a blog post, the security team said a lesser-known capability of the BITS system is now being taken advantage of. The BITS 'notification' mechanism, which fires when a job completes, is being used to "create the self-contained, download-and-execute BITS tasks that persisted even after the original malware was eliminated."
CTU notes that the service has been abused for years, as BITS gives threat actors the chance to upload or snatch files through a component trusted by the host's firewall, to keep transfers flowing even if interrupted, and to create and launch tasks that ensure malware infections on Windows systems remain persistent.
In March, the team was called in to analyze a system which had no malware infection but was still issuing security alerts regarding "suspicious network activities."
It was found that the original malware, a version of DNSChanger dubbed Zlob.Q, had added malicious entries to the BITS service which ensured that the malware was being re-downloaded at regular intervals -- and as BITS is a trusted service, the antivirus programs being used were not picking up the activity as malicious.
"The poisoned BITS tasks, which created installation and clean-up scripts after their payloads were downloaded, were self-contained in the BITS job database, with no files or registry modifications to detect on the host," Dell says.
SecureWorks provided a list of domains discovered in BITS log entries which were hosting malware and recommends that clients restrict access and tighten up controls to block these malicious domains wherever possible.
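Two detection checks for the persistence mechanism described above, as an added example that is not code from the SecureWorks post or from Microsoft: enumerate BITS jobs for every user that carry a notification command line, and compare the URLs recorded in the BITS client operational log (event 59) against an allowlist. The allowlist domains are placeholder values; the script assumes the BitsTransfer module and the Microsoft-Windows-Bits-Client/Operational log that ship with current Windows versions, and an elevated session for -AllUsers.

```powershell
# Added example (not from the SecureWorks post or Microsoft): hunt for BITS
# jobs with a post-transfer command and for BITS log URLs outside an allowlist.
Import-Module BitsTransfer

function Get-BitsJobsWithNotifyCmd {
    # Any job whose NotifyCmdLine is set deserves a look: ordinary update or
    # store transfers do not need to launch a command when they finish.
    Get-BitsTransfer -AllUsers |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.NotifyCmdLine) } |
        ForEach-Object {
            [pscustomobject]@{
                JobId         = $_.JobId
                DisplayName   = $_.DisplayName
                Owner         = $_.OwnerAccount
                State         = $_.JobState
                NotifyCmdLine = $_.NotifyCmdLine
                RemoteFiles   = ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; '
            }
        }
}

function Get-BitsLogUrlsOutsideAllowlist {
    param(
        # Placeholder allowlist (constructed values); replace with the domains
        # your own BITS traffic legitimately contacts.
        [string[]]$AllowedDomains = @('microsoft.com', 'windowsupdate.com'),
        [int]$MaxEvents = 5000
    )
    # Event 59 is logged when BITS starts a transfer; its message names the URL.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 } `
              -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        foreach ($m in [regex]::Matches($e.Message, 'https?://[^\s"'']+')) {
            $url = $m.Value.TrimEnd('.', ',')
            $hostName = ([uri]$url).Host
            $allowed = $AllowedDomains |
                Where-Object { $hostName -eq $_ -or $hostName.EndsWith(".$_") }
            if (-not $allowed) {
                [pscustomobject]@{ Time = $e.TimeCreated; Host = $hostName; Url = $url }
            }
        }
    }
}

Get-BitsJobsWithNotifyCmd | Format-List
Get-BitsLogUrlsOutsideAllowlist | Sort-Object Host -Unique | Format-Table -AutoSize
```

A job listed by the first check should be examined (and, if malicious, removed with Remove-BitsTransfer) rather than just having its downloaded payload deleted, since the job itself is what re-downloads it.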