Hackers are always looking for new original techniques to be able to attack users. Sometimes they do it by creating very complex malware, others that they do it through vulnerabilities and others that take advantage of the operating system’s own and legitimate characteristics to jeopardize the security of users, evade their security measures and take advantage of it. system control. And this is how this new technique works that takes advantage of the Windows BITS service .
The BITS ( Background Intelligent Transfer Service ) service is a service introduced in the Windows XP operating system used to take advantage of idle bandwidth (that is, the Internet that we do not use) to facilitate asynchronous file transfers between local machines. In other words, it is the service used by Windows Update to download Windows updates automatically in the background, as well as by Windows Defender to check and update the database. Other applications, such as Chrome and Firefox, also use this service to download new versions when the browser is closed.
This service is legitimate, and everything that passes through it should be reliable. However, a group of security researchers has found a way to take advantage of it to take control of any system, even bypassing the firewall and other security measures.
BITS can be used as a back door to your PC
Security firm FireEye has revealed an unknown malware persistence mechanism to date. When a malicious application reaches the PC, it can create certain BITS jobs that remain pending execution on the PC, such as scheduled tasks. These jobs run at the system level, so by default they are trusted by security measures. Thus, everything that is processed through BITS tends to evade the firewall and the antivirus , reaching the PC without raising suspicion.
Let’s take an example. BITS is intended to load a local resource. A malicious program can create a task by calling a file that does not exist, triggering an error. When this error is generated, a custom notification command is executed, which may well be an .exe. And this .exe can be a backdoor, a Trojan, a ransomware, etc. As by default BITS is a system process, what is launched through it does not go through antivirus or firewall, which endangers all our security.
This technique has already been used in a number of targeted backdoor attacks such as KEGTAP in 2020. But now things are getting complicated, as more and more hackers are going to take advantage of this technique.
How to protect Windows
It’s not the first time we’ve seen hackers find a way to take advantage of legitimate Windows features and services to carry out their own tasks. And it is increasingly difficult to cover all the fronts through which they can attack us.
In the case of this specific failure, FireEye has created a tool, BitsParser , which allows us to analyze everything that is processed through BITS. So we can extract the information from any job to find out if it is trustworthy or could be dangerous.
Also, as always, we recommend using common sense. We have to avoid downloading suspicious and dangerous files from the Internet, as well as be careful with what we receive through email. Only then can we be sure that nothing tries to take control of our PC.
