Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.
(Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.
According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.
Abusing BITS is nothing new since crooks used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and install malware on infected systems.
Initial malware infection took place back in March 2016
In the particular case, SecureWorks staff were called to investigate a system that had no malware infections, but was still issuing weird security alerts regarding suspicious network activities.
The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016 and that the original malware, a version of thecalled , had added malicious entries to the BITS service.
These rogue BITS tasks would download malicious code on the system, and then run it, eventually cleaning up after itself.
Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious, but still issued alerts for irregular activities.
BITS tasks could be used in much more dangerous ways
In this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file which executed as a “notification program.”
BITS jobs have a maximum lifetime of 90 days, and if the malware coder would have used them properly, it could have had a permanent foothold on the infected system.
SecureWorks staff presents a method to search for malicious BITS tasks in their, along with a list of domains from where this particular infection kept downloading malicious code.