It is possible to reinfect computers with malware via the Windows BITS service, researchers said.
Attackers use BITS to set up recurring malware download tasks, and then leverage its autorun capabilities to install the malware, said researchers at Dell’s SecureWorks.
BITS (Background Intelligent Transfer Service) is a Windows utility for transferring files between a client and a server. The utility works based on a series of cron jobs and is the service in charge of downloading and launching Windows update packages, along with other periodic software updates.
SecureWorks researches were investigating a system that had no malware infections but was still issuing weird security alerts regarding suspicious network activities.
SecureWorks found the initial malware infection took place on a Windows 7 PC on March 4 and the original malware, a version of the DNSChanger malware called Zlob.Q, added malicious entries to the BITS service.
These rogue BITS tasks would download malicious code on the system and then run it, eventually cleaning up after itself.
Since the user’s antivirus removed the initial malware, the BITS tasks remained, re-downloading malware at regular intervals. Because BITS is a trusted service, the antivirus didn’t flag these activities as malicious but still issued alerts for irregular activities.
SecureWorks said the BITS jobs downloaded and launched a DLL file that executed as a “notification program.”
BITS jobs have a maximum lifetime of 90 days, and if the malware coder had used them properly, they could have had a permanent foothold on the infected system.
SecureWorks researchers found a way to hunt down malicious BITS tasks, along with a list of domains from where the attack kept downloading malicious code.