If you’re sure that you have cleaned your system of malware, but you keep seeing malware-related network alerts, it’s possible that at some point you’ve been hit with malware that uses Windows’ BITS to schedule malicious downloads.
BITS (Background Intelligent Transfer Service) is a native Windows service that transfers files in the background, using idle network bandwidth; the OS and some third-party software rely on it to retrieve updates. The same qualities make it attractive to attackers and malware authors, who abuse it to fetch and stage their own payloads.
SecureWorks researchers explained why: “Attractive features for threat actors include the abilities to retrieve or upload files using an application trusted by host firewalls, to reliably resume interrupted transfers, to create tasks that can endure for months, and to launch arbitrary programs when a task completes.”
They recently encountered an incident in which malware had misused the service to download and launch malicious files.
The malware itself was no longer present on the computer, having been removed months earlier, but the researchers believe it was the DNSChanger Trojan (aka Trojan.Zlob.Q), because the scheduled BITS jobs were set to download files from two domains that had previously been associated with it.
“The poisoned BITS tasks, which created installation and clean-up scripts after their payloads were downloaded, were self-contained in the BITS job database, with no files or registry modifications to detect on the host,” the researchers pointed out.
Anomalous BITS jobs are also likely to remain undiscovered if the user or administrator doesn't know exactly what to look for: the jobs live in the BITS queue rather than in the Task Scheduler, startup folders or Run keys that most clean-up checklists cover.
Users who keep encountering network or host alerts after malware remediation would do well to enumerate the BITS jobs on the system (for every user account, not just the one currently logged in) and look for any they don't recognise, paying particular attention to jobs that pull from unfamiliar domains or set a command to run when the transfer completes (the researchers explained how).
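As an added example, not the SecureWorks researchers' own procedure and not code from the article, the PowerShell below enumerates every user's BITS jobs on the local host and flags the traits the article describes: a notification command line that runs when the transfer finishes, remote URLs whose host is on an indicator list you supply, payloads dropped into temp or public paths, and jobs that have been sitting in the queue for weeks or have had their retry timeout raised above the 14-day default. The $SuspectDomains value is a constructed placeholder (the article does not reproduce the real indicators), the temp-path pattern is a heuristic, and the name of the timeout property is an assumption handled with a fallback.

```powershell
# Added example: triage BITS jobs for all users. Run from an elevated prompt;
# Get-BitsTransfer -AllUsers requires administrator rights.
Import-Module BitsTransfer

# Constructed placeholder, not a real indicator. Replace with the domains from
# the researchers' published list.
$SuspectDomains = @('malicious.example')

function Find-SuspiciousBitsJob {
    param(
        [string[]]$SuspectDomains = @(),
        [int]$MaxAgeDays = 30
    )

    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        $reasons = @()

        # A program or script BITS launches when the job completes. Legitimate
        # updaters rarely need this; it is the "launch arbitrary programs when a
        # task completes" feature the researchers describe.
        if ($job.NotifyCmdLine) {
            $reasons += "NotifyCmdLine: $($job.NotifyCmdLine)"
        }

        foreach ($file in $job.FileList) {
            $uri = $null
            if ([Uri]::TryCreate($file.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
                if ($SuspectDomains -contains $uri.Host) {
                    $reasons += "remote host on indicator list: $($uri.Host)"
                }
            }
            # Heuristic: payloads written to temp/public locations instead of a
            # product's own directory deserve a second look.
            if ($file.LocalName -match '\\(Temp|Public|Users\\[^\\]+\\AppData\\Local\\Temp)\\') {
                $reasons += "local target in temp/public path: $($file.LocalName)"
            }
        }

        # Long-lived jobs. BITS keeps retrying a failed transfer until the job's
        # no-progress timeout (default 1209600 s = 14 days) expires, so a job that
        # is weeks old, or whose timeout was raised, can "endure for months".
        $age = (Get-Date) - $job.CreationTime
        if ($age.TotalDays -gt $MaxAgeDays) {
            $reasons += "job created $([int]$age.TotalDays) days ago"
        }
        # Assumption: the timeout is exposed as NoProgressTimeout; fall back to
        # RetryTimeout (the Set-BitsTransfer parameter name) if it is not.
        $timeout = if ($null -ne $job.NoProgressTimeout) { $job.NoProgressTimeout } else { $job.RetryTimeout }
        if ($timeout -gt 1209600) {
            $reasons += "retry timeout raised to $timeout s"
        }

        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Remote      = ($job.FileList | Select-Object -ExpandProperty RemoteName) -join '; '
                Reasons     = $reasons -join '; '
            }
        }
    }
}

Find-SuspiciousBitsJob -SuspectDomains $SuspectDomains | Format-List

# Cross-check with the built-in tool, which also prints the owner and the
# notification command line for every job:
#   bitsadmin /list /allusers /verbose
# Once a job is confirmed malicious, Remove-BitsTransfer -BitsJob $job cancels
# it and deletes any partially downloaded files.
```

Two points worth keeping in mind when you run this. First, an empty result from Get-BitsTransfer without -AllUsers proves nothing, because jobs created under another account (including SYSTEM) are not shown. Second, the job queue is persisted in the BITS database files under %ALLUSERSPROFILE%\Microsoft\Network\Downloader, so if the service has been stopped or the host is being examined offline, that directory is what to collect; the queue survives reboots, which is exactly why jobs planted months ago can still fire.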
They have also provided a list of domains associated with this particular malware, and advised admins to restrict access to them.