When computer programmers and OS designers introduce newfunctionalities in their products, they should always consider “Who isgoing to use this?”. Sometimes solutions created for legitimatepurposes may turn into dangerous weapons if used in a bad way.Alternate Data Streams (ADS) and Encrypted File System (EFS) are justtwo well-known examples of good technologies used by malware such asBackdoor.Rustock and Trojan.Linkoptimizer (more here about this topic).
Today the list of good technologies used for bad purposes has a new entry.
In the past week I’ve been discussing with a friend (Frank Boldewin)a curious technique used to download malicious files on a system. Frankanalyzed one of the recent Trojans spammed by e-mail in Germany duringthe end of March, 2007 and he figured out that the Trojan (detected asDownloader) was using an interesting technique to download files whichinvolves a Windows component named “BITS” (Background IntelligentTransfer Service) . BITS is the main service used by Windows Update todownload patches and keep the operating system updated. From Wikipedia:
Background Intelligent Transfer Service (BITS) is acomponent of modern Microsoft Windows operating systems thatfacilitates the transfer of files between machines. It is most commonlyused by recent versions of Windows Update, Windows Server UpdateServices, and Systems Management Server to deliver software updates toclients, and is also used by Microsoft instant messaging products totransfer files.
It’s an asynchronous download service that runs in the backgroundand downloads patches, updates and other files without consumingnetwork bandwidth. It’s a very nice component and if you consider thatit supports HTTP and can be programmed via COM API, it’s the perfecttool to make Windows download anything you want. Unfortunately, thiscan also include malicious files.
Why does malware use BITS for downloading files? For one simplereason: BITS service is part of the operating system, so it’s trustedand bypasses the local firewall while downloading files. Malwares needto bypass local firewalls but, usually the most common methods found inreal samples are intrusive, require process injection or may raisesuspicious alarms. The most common methods are:
- - run a continuous thread which sends “Yes, accept” messages tothe firewall window, which warn users about strange network connections
- - shut down firewall service/kill firewall processes
- - inject malicious code into Internet Explorer or Svchostprocesses, which are usually in the trusted applications list of thefirewall
- - patch network drivers to disable firewall filtering
Using BITS to download malicious files is a clever trick because itbypasses local firewalls, as the download is performed by Windowsitself, and does not require suspicious actions for process injection.In fact, the malicious Downloader sample in this case gets access tothe BITS component via the COM interface with CoCreateInsance(), and ituses CreateJob() and AddFile() methods to configure the file todownload and the destination path.
At the moment there’s no immediate workaround against this type ofattack. It’s not easy to check what BITS should download and notdownload. Probably the BITS interface should be designed to beaccessible only with a higher level of privilege, or the download jobscreated with BITS should be restricted to only trusted URLs.
It’s worth mentioning that the BITS download method was alreadywell-documented in the underground and was posted as an “antifirewallloader” example on a Russian forum during the end of 2006.
Many thanks to Frank Boldewin for reporting this.