A Windows feature that cybercriminals have abused for a long time is the Windows Background Intelligent Transfer Service (BITS), and researchers warn that a lesser-known BITS capability is now being leveraged to download malware.

BITS was designed as a native, reliable file-transfer capability for Windows that uses idle network bandwidth. It is the functionality used to deliver operating system updates, and some third-party applications also employ it to handle file transfers. For over a decade, malware authors have used BITS for malicious purposes, including downloading and uploading malware, launching arbitrary applications, and creating long-lasting tasks.

Now, researchers with the SecureWorks Counter Threat Unit (CTU) report that a lesser-known capability meant to trigger “notification” actions when a job completes is being abused by cybercriminals. The feature lets malware authors create self-contained, download-and-execute BITS tasks that persist even after the initial malware has been removed from the affected system.

The researchers identified active malicious BITS jobs created to download and execute new malware, and they explain that these poisoned BITS tasks spawned installation and clean-up scripts after downloading their payloads. Because the tasks are self-contained in the BITS job database, they eliminated the need for malicious files or registry modifications on the host, thus evading detection.

Which mitigation measures will be most effective in preventing BITS malware attacks? Send your recommendations to the Cloud and Cyber Security Center: http://cloudandcybersecurity.blogspot.com/
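As a defender's check for the pattern described above, here is an added example (not code from this post or from SecureWorks) that enumerates the BITS jobs on a host and flags any job that has a notification command line configured, which is the "run a program when the job completes" capability the researchers describe. It parses the text output of `bitsadmin /list /allusers /verbose`; the line layout it expects (`GUID: ... DISPLAY:`, `OWNER:`, `NOTIFICATION COMMAND LINE:`) is an assumption about that tool's verbose format, the function name `Get-SuspiciousBitsJobs` and the interpreter list used for severity are mine, and the embedded listing is a constructed sample so the script runs offline.

```powershell
# Added example, not part of the original post. Flags BITS jobs that carry a
# notification command line, i.e. a program BITS will launch on completion.
# Assumes the text layout of "bitsadmin /list /allusers /verbose".

function Get-SuspiciousBitsJobs {
    param(
        # Raw verbose listing; when omitted, the live system is queried.
        [string[]]$Listing = (& bitsadmin.exe /list /allusers /verbose)
    )

    $jobs    = @()
    $current = $null

    foreach ($line in $Listing) {
        # Each job starts with a GUID/DISPLAY header line.
        if ($line -match '^GUID:\s+(\{[0-9A-Fa-f\-]+\})\s+DISPLAY:\s+(.*)$') {
            if ($current) { $jobs += $current }
            $current = [pscustomobject]@{
                JobId     = $Matches[1]
                Display   = $Matches[2].Trim("'")
                Owner     = $null
                Urls      = @()
                NotifyCmd = $null
            }
            continue
        }
        if (-not $current) { continue }

        # Owner is the last field on the TYPE/STATE/OWNER line.
        if ($line -match 'OWNER:\s+(.+?)\s*$') { $current.Owner = $Matches[1] }

        # Job file entries: "<n> / <total> <state> <url> -> <local path>"
        if ($line -match '^\s*\d+\s*/\s*\S+\s+\S+\s+(\S+)\s+->\s+(\S+)') {
            $current.Urls += $Matches[1]
        }

        # The field this post is about: a program to run when the job completes.
        if ($line -match '^NOTIFICATION COMMAND LINE:\s*(.*)$') {
            $value = $Matches[1].Trim()
            if ($value -and $value -ne 'none') { $current.NotifyCmd = $value }
        }
    }
    if ($current) { $jobs += $current }

    # Any job with a notification command is worth review; one that hands the
    # downloaded payload to a script host or LOLBin gets the higher severity.
    foreach ($job in ($jobs | Where-Object { $_.NotifyCmd })) {
        $sev = 'medium'
        if ($job.NotifyCmd -match 'cmd\.exe|powershell|wscript|cscript|rundll32|regsvr32|mshta') {
            $sev = 'high'
        }
        $job | Add-Member -NotePropertyName Severity -NotePropertyValue $sev -PassThru
    }
}

# Constructed sample listing (not real bitsadmin output); two jobs, one benign
# and one that runs cmd.exe against its downloaded file on completion.
$SampleListing = @'
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: 'WindowsUpdate'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
    0 / UNKNOWN WORKING http://example.invalid/update.cab -> C:\Windows\Temp\update.cab
NOTIFICATION COMMAND LINE: none
GUID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} DISPLAY: 'svc-sync'
TYPE: DOWNLOAD STATE: SUSPENDED OWNER: WORKSTATION\user
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
    0 / UNKNOWN WORKING http://example.invalid/p.dat -> C:\Users\user\AppData\Local\Temp\p.dat
NOTIFICATION COMMAND LINE: program: C:\Windows\System32\cmd.exe, parameters: /c C:\Users\user\AppData\Local\Temp\p.dat
Listed 2 job(s).
'@ -split "`r?`n"

# Offline run against the sample; drop -Listing to inspect the live host.
Get-SuspiciousBitsJobs -Listing $SampleListing |
    Format-Table JobId, Display, Owner, Severity, NotifyCmd -AutoSize
```

On the sample only the `svc-sync` job is reported, with severity `high` because its completion command invokes `cmd.exe`. Because the job definition lives in the BITS job database rather than on disk or in the registry, a periodic run of this listing (for example from a scheduled task that forwards the output to your SIEM) is one of the few host-side ways to surface the self-contained tasks the post describes; compare the reported owners and URLs against what your update infrastructure and known applications legitimately use.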