This is not a good time to be a Windows user but I hope you will all get used to it.
Researchers at Dell SecureWorks have spotted a new and dangerous way to misuse Microsoft's Background Intelligent Transfer Service (BITS). While working on a customer clean-up project, SecureWorks staff found that attackers had created self-contained BITS tasks that didn't appear in the registries of affected machines, and …
Sure, that's the component that is actually downloading, but the malware needed full admin rights to get started. BITS was then "told" what to do and it went away and did it, as per design. I expect you could use the Task Scheduler in much the same way, or cron on a Linux box.
Surely the moral here is that once a machine has been compromised, the only way forward is to nuke it from orbit and start again.
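One check a defender can run against the scenario in the article excerpt above (persistent BITS jobs that leave no obvious registry trace), as an added example that is not from the article, SecureWorks or any commenter: it enumerates every user's BITS jobs through the built-in BitsTransfer module and flags jobs that carry a completion command line or fetch from hosts outside an allowlist. The function name and the allowlist pattern are my assumptions; it needs an elevated PowerShell session because `-AllUsers` requires administrator rights.

```powershell
# Added example, not from the article or the thread: list BITS jobs for all users and
# report the ones that look like persistence rather than ordinary software updates.
Import-Module BitsTransfer

function Get-SuspiciousBitsJobs {
    # Assumed allowlist: hosts your estate legitimately downloads from. Adjust per site.
    $allowedHosts = '^https?://([^/]+\.)?(microsoft\.com|windowsupdate\.com)(/|$)'

    # -AllUsers needs administrator rights; without it only the caller's jobs are visible.
    $jobs = Get-BitsTransfer -AllUsers -ErrorAction Stop
    foreach ($job in $jobs) {
        $reasons = @()

        # NotifyCmdLine is a program BITS launches when the transfer completes.
        # Windows Update jobs do not normally set one, so any value is worth a look.
        $cmd = ($job.NotifyCmdLine -join ' ').Trim()
        if ($cmd) { $reasons += "NotifyCmdLine=$cmd" }

        # Each file in the job has the remote URL it pulls from; flag non-allowlisted hosts.
        foreach ($file in $job.FileList) {
            if ($file.RemoteName -notmatch $allowedHosts) {
                $reasons += "RemoteName=$($file.RemoteName)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                JobId       = $job.JobId
                DisplayName = $job.DisplayName
                Owner       = $job.OwnerAccount
                State       = $job.JobState
                Created     = $job.CreationTime
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

# Review the output before removing anything; Remove-BitsTransfer cancels a job by JobId.
Get-SuspiciousBitsJobs | Format-Table -AutoSize -Wrap
```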
Agreed.
There's a shocking culture in many smaller shops of just "cleaning off" machines and, if no obvious evidence is left, assuming the machine is clean.
Just get into the habit of setting up PXE-based WDS or SCCM and standardised images so you can just wipe out a machine with F12 and a password, and put it back to a known-good state. Then you can pull someone's infected machine, stick any replacement in its place, F12 it and in 20 minutes they are back up and running.
Meanwhile you take anything off the old drive and then just F12 that back in the IT office, ready to go back on the spares pile.
Anything else is really just asking for trouble.
Honestly, a couple of weeks of setup and testing, and then 20-minute rebuild times across any number of devices you like. And standardised images make things infinitely simpler to diagnose and resolve.
"Honestly, a couple of weeks of setup and testing, and then 20-minute rebuild times across any number of devices you like."
The sad thing is that these instructions are passed on as a recommended SOP without any sense that this should not be an acceptable state of affairs.
PXE = Preboot eXecution Environment (aka booting off the network)
WDS = Windows Deployment Services (aka installing Windows from the network)
SCCM = System something something Manager (google it! aka installing Windows and/or MSI software from the network).
But, to be honest, if you don't know that, that's part of the problem!
Basically, I press F12 when booting on a brand-new, fresh-disk machine (or an old dodgy one that has a software problem or needs updating), tell it to boot off the network instead of the local disk, and it then runs off and downloads, installs and sets up a Windows installation from nothing - including formatting disks, encrypting drives, joining the domain, installing software, etc.
And generally speaking, 20 minutes later, you have a working, ready-to-log-into full desktop machine with all your software and configuration on it, built to the exact same standard image as every other machine built the same way.
So when things mess up, catch viruses, have unexplained problems, lose their hard disk, or fresh machines come on site, you plug into the network, turn on, press F12 and twenty minutes later you have a room full of working systems indistinguishable from anything else you use on site, all ready for users to log onto.
If you haven't done it, and you work in the Windows side of IT, you are honestly wasting SO MUCH TIME by not having it that I would question competency.
Of course, other systems have equivalent services that do the same - I've done it for everything from DOS and Norton Ghost, to Linux via LTSP and/or Clonezilla imaging.
"It means you're now expected to buy and manage another M$ computer - to babysit your existing M$ computer.
Can't think why M$ would conspire to necessitate that."
Because it's efficient, if set up properly. I realise there are open source systems that do the same as SCCM (in fact, I installed and use one at work), but one advantage that any paid-for solution has over open source is that not only do you have a contract with your supplier that offers some protection should things go wrong, but you also get all sorts of other legal protection should things go wrong.
Don't get me wrong. If you have only a few computers to deploy and manage (say less than 20), it's probably not worth investing the time and manpower into setting up a deployment and management system.
If you manage over 100, it is worth investing the time and manpower in setting up a deployment and management system, as just managing them becomes a full time job in its own right, without the deployment and maintenance.
There comes a point when your IT service provider's help desk monkeys do this without making any effort to work out or record what's going on. If they applied some thought perhaps the cause of the most common issues could be identified and stopped. No records, no identified trends, just them seeming to meet their SLA. I know "write a better SLA" but we didn't get invited to that meeting.
"Just get into the habit of setting up PXE-based WDS or SCCM and standardised images so you can just wipe out a machine with F12 and a password, and put it back to a known-good state."
That's all very well if you're in a sufficiently-organised situation, but that's not always the case.
I frequently used to get called out to fix machines which were running LOB software. There were no install disks. There were no licence keys. Backups? You're having a laugh. So nuking it from orbit simply wasn't an option - they would have been unable to carry on working.
Now it's all too easy to say that they brought it on themselves, etc. But that doesn't get the machine running again, and that's all they cared about. They'd accept the discussion afterwards about how to prevent such a problem in the future - but nothing ever sank in.
I had hoped my (substantial) charges for a dung-out would be sufficient motivation to get things on an even keel later - this proved to be a forlorn hope.
Vic.
Hang on. This is a service designed to run downloads when the network isn't particularly busy. Rather than embed this behaviour into the multiple client services MS used one service. That is exactly how it should've been done, a download service that is used by the things that need downloads and aren't in a rush. Isn't this a mantra of the Linux "do it properly" people? Do one thing well?
Besides which, as this "exploit" requires Admin privileges to get started, it's not an exploit at all. At least that's what I'm always told about Android and Linux "exploits"...
I wondered how long it would be before BITS was compromised. Build a new PC but don't connect it to the internet either wireless or wired and before you know it, Windows updates are pending for installation.
What's even more worrying is that I have just done a couple of Windows installations and have noticed that the country list has grown and yes, I've been using the same ISO for the last 3 years. It used to be page down then cursor down and as of lately it's page down then cursor down 4 times.
All is not what it seems eh.