Microsoft's BITS file transfer tool fooled into malware distribution

Researchers at Dell SecureWorks have spotted a new and dangerous way to misuse of Microsoft's Background Intelligent Transfer Service (BITS). While working on a customer clean-up project, SecureWorks staff found that attackers had created self-contained BITS tasks that didn't appear in the registries of affected machines, and …

  1. Anonymous Coward

    This is not a good time

    to be a Windows user but I hope you will all get used to it.

    1. Anonymous Coward

      Re: This is not a good time to be a Windows user

      But it is a great time to anonymously troll! So swings and roundabouts really!

      I wish my self esteem was so low that I could get a boost by dissing an operating system...

  2. Anonymous Coward

    Hmmmm....

    ...wondering if it might have something to do with this...

  3. Anonymous Coward

    Well, duh..

    You should have worked out by now that any association between "Microsoft" and the word "intelligent" is cause for alarm.

  4. Ken Hagan Gold badge

    BITS is not "fooled"

    Sure, that's the component that is actually downloading, but the malware needed full admin rights to get started. BITS was then "told" what to do and it went away and did it, as per design. I expect you could use the Task Scheduler in much the same way, or cron on a Linux box.

    Surely the moral here is that once a machine has been compromised, the only way forward is to nuke it from orbit and start again.
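An added example, not from the article or any commenter, of the defender's side of the point above: because BITS simply runs the jobs it is told to run, the useful response is to enumerate every job on the host (including those owned by other accounts) and review the attributes that matter. It uses the real `Get-BitsTransfer -AllUsers` cmdlet and the `BitsJob`/`BitsFile` properties it returns; the trusted-host patterns are placeholders, and `NotifyCmdLine` is assumed to be exposed on the job object (it is settable via `Set-BitsTransfer` on Windows 8 / Server 2012 and later).

```powershell
# Added example: list BITS jobs for all users and report the ones worth a closer look.
# Run from an elevated prompt; -AllUsers requires administrative rights.
function Get-SuspiciousBitsJob {
    [CmdletBinding()]
    param(
        # Placeholder patterns for hosts BITS is expected to talk to in your estate.
        [string[]] $TrustedHostPattern = @('*.windowsupdate.com', '*.microsoft.com')
    )

    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job     = $_
        $reasons = @()

        # A completion command is the hook that turns a download into execution.
        # (Assumption: NotifyCmdLine is surfaced on the BitsJob object on this OS build.)
        if ($job.NotifyCmdLine) {
            $reasons += "NotifyCmdLine set: $($job.NotifyCmdLine)"
        }

        # Upload jobs are unusual on a workstation and can move data outwards.
        if ($job.TransferType -ne 'Download') {
            $reasons += "TransferType is $($job.TransferType)"
        }

        # Flag any remote source whose host is outside the trusted patterns.
        foreach ($file in $job.FileList) {
            $uri = $null
            if ([System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
                $trusted = $TrustedHostPattern | Where-Object { $uri.Host -like $_ }
                if (-not $trusted) {
                    $reasons += "Untrusted source: $($file.RemoteName) -> $($file.LocalName)"
                }
            }
            else {
                $reasons += "Unparseable RemoteName: $($file.RemoteName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId        = $job.JobId
                DisplayName  = $job.DisplayName
                OwnerAccount = $job.OwnerAccount
                JobState     = $job.JobState
                CreationTime = $job.CreationTime
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

# Usage: review, then remove a job you have confirmed is unwanted.
Get-SuspiciousBitsJob | Format-List
# Get-BitsTransfer -AllUsers | Where-Object JobId -eq '<job id from the report>' | Remove-BitsTransfer
```

The same inventory is available without PowerShell via `bitsadmin /list /allusers /verbose`, which is handy on older builds; whichever tool is used, the review belongs in the clean-up runbook alongside scheduled tasks and services, since none of these persistence points are visible from the usual registry run keys.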

    1. Lee D Silver badge

      Re: BITS is not "fooled"

      Agreed.

      There's a shocking culture in many smaller shops of just "cleaning off" machines and, if no obvious evidence is left, assuming the machine is clean.

      Just get into the habit of setting up PXE-based WDS or SCCM and standardised images so you can just wipe out a machine with F12 and a password, and put it back to a known-good state. Then you can pull someone's infected machine, stick any replacement in its place, F12 it and in 20 minutes they are back up and running.

      Meanwhile you take anything off the old drive and then just F12 that back in the IT office, ready to go back on the spares pile.

      Anything else is really just asking for trouble.

      Honestly, a couple of weeks of setup and testing, and then 20-minute rebuild times across any number of devices you like. And standardised images make things infinitely more simple to diagnose and resolve.

      1. Doctor Syntax Silver badge

        Re: BITS is not "fooled"

        "Honestly, a couple of weeks of setup and testing, and then 20-minute rebuild times across any number of devices you like."

        The sad thing is that these instructions are passed on as a recommended SOP without any sense that this should not be an acceptable state of affairs.

      2. sabroni Silver badge

        Re: Just get into the habit of setting up PXE-based WDS or SCCM

        That's easy for you to say!

        What does it mean?

        1. Lee D Silver badge

          Re: Just get into the habit of setting up PXE-based WDS or SCCM

          PXE = Preboot eXecution Environment (aka booting off the network)

          WDS = Windows Deployment Services (aka installing Windows from the network)

          SCCM = System something something Manager (google it! aka installing Windows and/or MSI software from the network).

          But, to be honest, if you don't know that, that's part of the problem!

          Basically, I press F12 when booting on a brand-new, fresh-disk machine (or an old dodgy one that has a software problem or needs updating), tell it to boot off the network instead of the local disk, and it then runs off and downloads, installs and sets up a Windows installation from nothing - including formatting disks, encrypting drives, joining the domain, installing software, etc.

          And generally speaking, 20 minutes later, you have a working, ready-to-log-into full desktop machine with all your software and configuration on it, built to the exact same standard image as every other machine built the same way.

          So when things mess up, catch viruses, have unexplained problems, lose their hard disk, or fresh machines come on site, you plug into the network, turn on, press F12 and twenty minutes later you have a room full of working systems indistinguishable from anything else you use on site, all ready for users to log onto.

          If you haven't done it, and you work in the Windows side of IT, you are honestly wasting SO MUCH TIME by not having it that I would question competency.

          Of course, other systems have equivalent services that do the same - I've done it for everything from DOS and Norton Ghost, to Linux via LTSP and/or Clonezilla imaging.

          1. Captain Scarlet

            Re: Just get into the habit of setting up PXE-based WDS or SCCM

            @Lee D

            Our outsourcer deploys machines via PXE, WDS, SCCM = 24 hours for us, lucky you for 20 mins :(

          2. sabroni Silver badge

            Re: wasting SO MUCH TIME by not having it that I would question competency.

            I'm a coder, not a sys admin, so it's not really a question of my competency, but thanks for the explanation.

        2. Anonymous Coward

          Re: Just get into the habit of setting up PXE-based WDS or SCCM

          >That's easy for you to say!

          >What does it mean?

          It means you're now expected to buy and manage another M$ computer - to babysit your existing M$ computer.

          Can't think why M$ would conspire to necessitate that.

          1. Stuart Castle Silver badge

            Re: Just get into the habit of setting up PXE-based WDS or SCCM

            "It means you're now expected to buy and manage another M$ computer - to babysit your existing M$ computer.

            Can't think why M$ would conspire to necessitate that."

            Because it's efficient, if set up properly. I realise there are open source systems that do the same as SCCM (in fact, I installed and use one at work), but one advantage that any paid for solution has over open source is that not only do you have a contract with your supplier that offers some protection should things go wrong, but you also get all sorts of other legal protection should things go wrong.

            Don't get me wrong. If you have only a few computers to deploy and manage (say less than 20), it's probably not worth investing the time and manpower into setting up a deployment and management system.

            If you manage over 100, it is worth investing the time and manpower in setting up a deployment and management system, as just managing them becomes a full time job in its own right, without the deployment and maintenance.

      3. Captain Scarlet

        Re: BITS is not "fooled"

        20 minutes, if only currently where I work our outsourcer takes around a day or more if disk encryption fails :(

      4. Anonymous Coward

        Re: BITS is not "fooled"

        There comes a point when your IT service provider's help desk monkeys do this without making any effort to work out or record what's going on. If they applied some thought perhaps the cause of the most common issues could be identified and stopped. No records, no identified trends, just them seeming to meet their SLA. I know "write a better SLA" but we didn't get invited to that meeting.

      5. Vic

        Re: BITS is not "fooled"

        Just get into the habit of setting up PXE-based WDS or SCCM and standardised images so you can just wipe out a machine with F12 and a password, and put it back to a known-good state

        That's all very well if you're in a sufficiently-organised situation, but that's not always the case.

        I frequently used to get called out to fix machines which were running LOB software. There were no install disks. There were no licence keys. Backups? You're having a laugh. So nuking it from orbit simply wasn't an option - they would have been unable to carry on working.

        Now it's all too easy to say that they brought it on themselves, etc. But that doesn't get the machine running again, and that's all they cared about. They'd accept the discussion afterwards about how to prevent such a problem in the future - but nothing ever sank in.

        I had hoped my (substantial) charges for a dung-out would be sufficient motivation to get things on an even keel later - this proved to be a forlorn hope.

        Vic.

  5. Mage Silver badge

    Windows Update

    It's so complicated and relies on so many services, that in normal circumstances are not needed by anything else. This was inevitable. Too much complexity = bigger attack surface

    1. sabroni Silver badge

      Re: Windows Update

      Hang on. This is a service designed to run downloads when the network isn't particularly busy. Rather than embed this behaviour into the multiple client services MS used one service. That is exactly how it should've been done, a download service that is used by the things that need downloads and aren't in a rush. Isn't this a mantra of the linux "do it properly" people? Do one thing well?

      Besides which, as this "exploit" requires Admin privileges to get started, it's not an exploit at all. At least that's what I'm always told about Android and Linux "exploits".....

      1. Anonymous Coward

        Re: Windows Update

        "Hang on. This is a service designed to run downloads when the network isn't particularly busy."

        but the current user might be...

  6. Anonymous Coward

    BITS

    I wondered how long it would be before BITS was compromised. Build a new PC but don't connect it to the internet either wireless or wired and before you know it, Windows updates are pending for installation.

    What's even more worrying is that I have just done a couple of Windows installations and have noticed that the country list has grown and yes, I've been using the same ISO for the last 3 years. It used to be page down then cursor down and as of lately it's page down then cursor down 4 times.

    All is not what it seems eh.
