Windows BITS ‘Notification’ Feature Used to Deliver Malware

According to security researchers attackers are exploiting a Windows BITS lesser-known “notification” feature to reinfect PCs with malware over and over again.

Attackers have found a new way to exploit the Widows Background Intelligent Transfer Service (BITS) which is being used to infect and reinfect targeted PCs with malware even after the initial infection has been removed.

According to security researchers at Dell SecureWorks, attackers are exploiting a lesser-known BITS “notification” feature. The feature allows attackers to create a re-occurring task to download and install malware even after the original malware is extracted.

BITS is used by Windows Update and third-party software for application updates. The service has a long history of being abused by attackers dating back to 2007. And even up until today, BITS is still an attractive feature for hackers because the Windows component includes the ability to retrieve or upload files using an application trusted by host firewalls, said Matthew Geiger, Sr. security researcher for SecureWorks’ Counter Threat Unit.

“The distinctive feature with our BITS discovery is the use the notification services to launch the malware after downloading it and the ability for attackerd to re-download and reinstall that malware,” Geiger said. “It’s a way for a threat actor to have a self-contained download with execute capability that does not depend on the original download payload.”

Geiger said his team discovered the new BITS exploit in March when it investigated a system that was issuing alerts of suspicious network activity following the extraction of the DNSChanger malware called Zlob.Q.

“Even after the system had no malware infection, we kept receiving odd alerts,” Geiger said, adding that attackers work within the normal parameters of the BITS notification feature. The only difference is attackers use BITS to deliver malware instead of legitimate software updates.

“Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities,” according to SecureWork’s report.

That reinfection cycle would continue for 90 days, the default lifetime of a BITS job. The attack method also requires an attacker to gain foothold on the targeted PC in order to program BITS with a software retrieval task.

According to SecureWorks researchers, the BITS notification feature includes data transfer requests from preset URLs. In the case of malicious actors, the notification feature is designed to retrieved data from one of 19 malware delivery sites under the control of the attackers. Next, data is downloaded via BITS and stored as .TMP files on the client PC. After the transfer is complete BITS executes a notification program that launches a Windows batch script that finds the downloaded .TMP files and runs them as if they were DLL files. Afterword, the batch files are automatically deleted.

“The payload theoretically could include whatever an attacker wanted,” Geiger said.

Mitigation of the “notification” feature in BITS begins with awareness, Geiger said. SecureWorks offers a way to search for malicious BITS “notification” tasks to help eliminate the problem. It also recommends impacted parties use available controls to restrict access to the 19 domains containing malicious content.

Suggested articles