Multiple malicious automated tasks linger in BITS even if the AV removed the malware three months before

Jun 6, 2016 21:40 GMT  ·  By

Crooks found a way to reinfect computers with malware via the Windows BITS service, months after their initial malware was detected and deleted from the infected system.

BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching your Windows update packages, along with other periodic software updates.

According to US-based Dell subsidiary SecureWorks, crooks are using BITS to set up recurring malware download tasks, and then leveraging its autorun capabilities to install the malware.

Abusing BITS is nothing new since criminals used the service in the past, as early as 2006, when Russian crooks were peddling malicious code capable of using BITS to download and installing malware on infected systems.

Initial malware infection took place back in March 2016

In the particular case, SecureWorks staff were called to investigate a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.

The SecureWorks team discovered that the initial malware infection took place on a Windows 7 PC on March 4, 2016, and that the original malware, a version of the DNSChanger malware called Zlob.Q, had added malicious entries to the BITS service.

These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.

Since the user's antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn't flag these activities as malicious but still issued alerts for irregular activities.

BITS tasks could be used in much more dangerous ways

In this case, SecureWorks reports that the BITS jobs downloaded and launched a DLL file that executed as a "notification program."

BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.

SecureWorks staff presents a method of searching for malicious BITS tasks in their technical write-up, along with a list of domains from where this particular infection kept downloading malicious code.