Removing malware from a PC can be difficult, and attackers have found a way to make the job harder still. They are abusing the Windows Background Intelligent Transfer Service (BITS) to reinstall malware that has already been cleaned from the machine.
How Are Hackers Exploiting BITS?
BITS was introduced in Windows XP and has shipped with every version of Windows since. It manages asynchronous, bandwidth-throttled file transfers between a client and a server, and it is the mechanism Windows Update uses to download patches in the background.
Microsoft probably never anticipated that BITS could open the door to serious security threats, but attackers have been abusing it for nearly a decade. Last month, researchers at SecureWorks reported that attackers have gone a step further and are using BITS to reinfect machines with malware after it has been removed.
These attacks are very stealthy because the downloaded payload deletes itself after it runs, while the BITS job that fetched it stays in the queue. This gives attackers two advantages:
• Users may never know that malware has been installed, which means they can't take other important precautions (such as monitoring their financial records for suspicious activity).
• The persistence lives in the BITS job rather than in the payload, so BITS can download and launch the malicious program again even after the program itself has been removed.
This isn't the first time attackers have abused BITS. In 2007, Ars Technica published a post describing malware that used BITS to download its payloads, and Elia Florio of the Symantec Security Response Weblog pointed out at the time why this was a serious risk:
"Why does malware use BITS for downloading files? For one simple reason: BITS service is part of the operating system, so it's trusted and bypasses the local firewall while downloading files. Malware needs to bypass local firewalls, but usually the most common methods found in real samples are intrusive, require process injection or may raise suspicious alarms."
The new technique is more sophisticated. SecureWorks found that attackers were using BITS not only to download the payload but to run it: a BITS job can carry a command line that the service executes once the transfer completes, and the job definition is stored in BITS's own queue, not on disk next to the payload. Deleting the malicious executable therefore leaves the job untouched, and BITS simply downloads the payload again and launches it.
The rogue job is hard to trace without looking at the BITS job queue itself. The payload removes itself from disk once it has run, so file-based malware scanners find nothing, and the download and launch are performed by a trusted Windows service rather than by a suspicious process.
How to Address This Risk
The new research from SecureWorks shows that deleting the malware alone isn't enough to clean the machine. Users may also need to inspect the BITS job queue and remove any jobs the malware left behind.
The researchers offered some guidance to help system administrators remedy the problem.
"One way to enumerate these tasks is to execute the bitsadmin client from a cmd.exe session with elevated privileges (bitsadmin /list /allusers /verbose)," SecureWorks wrote.
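The same enumeration can be scripted so that the queue is triaged rather than read by eye. The PowerShell below is an added example, not code from SecureWorks or from the article: it lists BITS jobs for every account (which requires an elevated session), flags jobs that run a command on completion, pull from a host outside a small allow-list, or write into user-writable folders, and provides a function to cancel the flagged jobs by ID. The allow-list of trusted hosts and the folder patterns are assumptions to adapt to your environment, and the NotifyCmdLine property is read defensively because older BitsTransfer module versions may not expose it.

```powershell
# Added example: triage lingering BITS jobs on a host that has already been "cleaned".
# Run from an elevated PowerShell session; -AllUsers needs administrator rights.
Import-Module BitsTransfer

# Assumed allow-list of hosts legitimate BITS jobs talk to (adjust for your environment).
$TrustedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')

# Assumed patterns for drop locations commonly used by malware payloads.
$SuspectLocalPath = '\\(Temp|AppData|ProgramData|Users\\Public)\\'

function Test-TrustedRemote {
    param([string]$Url)
    # An unparsable URL is treated as untrusted rather than silently skipped.
    try { $remoteHost = ([uri]$Url).Host } catch { return $false }
    if (-not $remoteHost) { return $false }
    foreach ($trusted in $TrustedHosts) {
        if ($remoteHost -eq $trusted -or $remoteHost.EndsWith(".$trusted")) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsJob {
    # Equivalent of "bitsadmin /list /allusers /verbose", but as objects we can filter.
    foreach ($job in Get-BitsTransfer -AllUsers) {
        $reasons = @()

        # 1. A command BITS will execute when the transfer completes. This is how a job
        #    can relaunch a payload that has been deleted. Read via PSObject so the script
        #    still runs on module versions where the property is absent (assumption).
        $notify = $job.PSObject.Properties['NotifyCmdLine']
        if ($notify -and $notify.Value) {
            $reasons += "runs '$($notify.Value)' on completion"
        }

        foreach ($file in $job.FileList) {
            # 2. Download source outside the allow-list.
            if (-not (Test-TrustedRemote $file.RemoteName)) {
                $reasons += "downloads from $($file.RemoteName)"
            }
            # 3. Payload written to a user-writable drop location.
            if ($file.LocalName -match $SuspectLocalPath) {
                $reasons += "writes to $($file.LocalName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Remove-SuspiciousBitsJob {
    # Cancels the job (same effect as "bitsadmin /cancel {JobId}") and deletes any
    # partially transferred files; the job definition leaves the BITS queue for good.
    param([Parameter(Mandatory)][guid[]]$JobId)
    foreach ($id in $JobId) {
        Get-BitsTransfer -AllUsers | Where-Object JobId -eq $id | Remove-BitsTransfer
    }
}

# Usage: review the findings first, then remove by JobId once confirmed.
$suspect = Get-SuspiciousBitsJob
$suspect | Format-Table -AutoSize
# $suspect | ForEach-Object { Remove-SuspiciousBitsJob -JobId $_.JobId }
```

Review the list before cancelling anything: Windows Update and other Microsoft components legitimately keep BITS jobs queued, which is why the example flags jobs on evidence (a completion command, an unexpected remote host, a drop folder) rather than removing everything. Record the remote URLs and local paths of any job you do remove; they are the indicators to hunt for on other machines.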