
Dell’s SecureWorks Counter Threat Unit (CTU) has documented an attack that abuses the Windows Background Intelligent Transfer Service (BITS) to re-infect systems with malware. In a blog post, the researchers write that BITS jobs are being used to put malware back on a machine after an earlier infection has been cleaned up.

Windows BITS (Background Intelligent Transfer Service) is a Microsoft component that transfers files between clients and servers in the background, using otherwise idle network bandwidth. CTU notes that the service is useful for managing file downloads and uploads, but it is also being abused by cyber criminals:

BITS provides a native, reliable file transfer capability for the Windows operating system. It retrieves Windows updates and is also used by some third-party software vendors to handle file transfers (e.g., their update packages). Malware authors and intruders have abused the service since at least 2007.

Malware that antivirus software had already removed kept finding its way back onto systems, and BITS jobs carrying malicious content are the reason the network continued to raise alerts. SecureWorks says the malicious BITS tasks are self-contained: the job itself holds the download source and the command to run afterwards, leaving no malicious file on the host’s file system for a scanner to trace back to the infection.

BITS is attractive to attackers because a job can sit in the queue for months (by default an inactive job is retained for 90 days), so the re-infection mechanism survives even after the malware itself has been wiped from the system. The ability to download and upload files and to resume interrupted transfers gives attackers an ideal environment for re-infecting a system.

CTU researchers determined that the threat actors had leveraged a lesser-known BITS capability, the notification command line (the SetNotifyCmdLine API, also exposed as bitsadmin /SetNotifyCmdLine), which runs a program of the job creator’s choosing when a job finishes or errors out. With it they created self-contained, download-and-execute BITS tasks that persisted even after the original malware was eliminated.
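The defensive counterpart to the technique above is to enumerate the BITS job queue and flag jobs that carry a notification command line, point at suspicious sources or targets, or have been queued for a long time. The following PowerShell script is an added example written for this page; it is not SecureWorks’ code and does not come from their blog post. It uses only the BitsTransfer module cmdlets (Get-BitsTransfer, Remove-BitsTransfer) and the BitsJob properties they expose. The allow-list of job names and the path patterns are assumptions for illustration and need tuning for a real estate.

```powershell
# Added example (not SecureWorks' code): hunt for BITS jobs that could re-infect a host.
# Run from an elevated PowerShell; -AllUsers needs admin rights to see other users' jobs.
# On hosts without the BitsTransfer module, `bitsadmin /list /allusers /verbose` prints the
# same data, including a "NOTIFICATION COMMAND LINE:" field per job.

Import-Module BitsTransfer -ErrorAction Stop

# Display names of jobs that legitimate software commonly creates.
# Assumed for illustration; build this list from a known-clean baseline in your environment.
$KnownGoodNames = @('MicrosoftEdge*', 'Push Notification Platform Job*', 'Chrome*', 'Mozilla*')

function Get-SuspiciousBitsJob {
    <#
      Emits one object per BITS job that matches at least one indicator:
        - NotifyCmdLine is set: a program runs when the transfer completes or fails
        - a remote source is not HTTPS, or a local target is a user-writable path
        - the job has been sitting in the queue for longer than $StaleDays
      Jobs whose DisplayName matches $KnownGoodNames are skipped.
    #>
    param([int]$StaleDays = 30)

    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # The download-and-execute primitive: BITS launches this command line itself.
        if ($job.NotifyCmdLine) {
            $reasons += "notification command: $($job.NotifyCmdLine)"
        }

        foreach ($f in $job.FileList) {
            if ($f.RemoteName -notmatch '^https://') {
                $reasons += "non-HTTPS source: $($f.RemoteName)"
            }
            # Path patterns are an assumption; adjust to where your software legitimately writes.
            if ($f.LocalName -match '\\(Temp|AppData|Users\\Public|ProgramData)\\') {
                $reasons += "user-writable target: $($f.LocalName)"
            }
        }

        # Long-lived jobs are the persistence angle: they outlive the malware that created them.
        if (((Get-Date) - $job.CreationTime) -gt [TimeSpan]::FromDays($StaleDays)) {
            $reasons += "queued since $($job.CreationTime)"
        }

        $isKnown = $false
        foreach ($pattern in $KnownGoodNames) {
            if ($job.DisplayName -like $pattern) { $isKnown = $true }
        }

        if ($reasons.Count -gt 0 -and -not $isKnown) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

function Remove-SuspiciousBitsJob {
    # Cancels the job and deletes any partially transferred files. The notification
    # command only runs when a job reaches the transferred or error state, so a
    # cancelled job never fires it.
    param([Parameter(Mandatory, ValueFromPipeline)]$Hit)
    process {
        Get-BitsTransfer -AllUsers | Where-Object { $_.JobId -eq $Hit.JobId } | Remove-BitsTransfer
        Write-Host "Cancelled BITS job $($Hit.JobId) ($($Hit.DisplayName))"
    }
}

# Report first; review the output before cancelling anything.
$hits = Get-SuspiciousBitsJob
$hits | Format-List

# After review:  $hits | Remove-SuspiciousBitsJob
```

Record the JobId, owner, command line and file list before cancelling, since Remove-BitsTransfer destroys the only copy of that evidence. A job with a notification command line pointing at a script interpreter or a freshly downloaded executable is the pattern the article describes and should be treated as an active persistence mechanism rather than leftover clutter.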

The team discovered the technique when an academic customer called in after continuing to see security alerts despite having cleaned all malware from the affected system. The original threat was a DNSChanger variant detected as Zlob.Q, which had used BITS to queue jobs that, after the malware was removed, would download and install it again, over and over.