While the BITS service runs in a service host process and able to schedule transfers to happen at any time, but such files and data are stored in a local database. And like many such technologies, BITS can also be used by malicious applications to create files that are downloaded or uploaded in the context of the service host process.
According to researchers at FireEye, there is a previously unknown mechanism that shows the hackers made use of BITS to launch their backdoor.
How Hackers leverages on BITS to infiltrate Windows systems
Hackers use malicious applications to create BITS jobs and files which are downloaded or uploaded in the context of the service host process to evade firewalls that could block such malicious or unknown processes, and to obscure which application requested the transfer.
As BITS transfers can also be scheduled, it enables the attackers to schedule the attacks to occur at specific times without relying on long-running processes or the task scheduler. Also, BITS transfers are asynchronous, which results in a situation whereby the application that created a job may not be running when the requested transfer is complete.
This scenario is remedied when BITS jobs are created with a user-specified notification command, which executes after the job completes or in case of errors. Then, the notification commands associated with BITS jobs can specify the executable or command to run.
But attackers can also utilize this feature as a method for maintaining persistence of their malicious applications, since the command data is stored in a database instead of traditional registry locations, it can be overlooked by forensic investigators or tools that attempt to identify persistence executables and commands.
How to secure your Windows machine against such infiltration
This new exploit is perhaps another reminder of how even useful tools like BITS can be repurposed by hackers to their own advantage.
Therefore, the researchers have made available a Python utility known as BitsParser that aims to parse BITS database files and extract job and file information for additional analysis to aid incident response and forensic investigations.