Malware spotted using BITS

BITS (Background Intelligent Transfer Service) is a nifty little file transfer service built into Windows that lets file transfers take place in the background without affecting the network bandwidth available to other processes. This is the service Windows Update uses to silently bring down patches without diminishing the user's overall experience. BITS has some interesting features:

  • BITS continues to transfer files after an application exits if the user who initiated the transfer remains logged on and a network connection is maintained. BITS will not force a connection.
  • BITS suspends the transfer if a connection is lost or if the user logs off. BITS persists transfer information while the user is logged off, across network disconnects, and during computer restarts.
  • When the user logs on again, BITS resumes the user's transfer job.

Another interesting thing about BITS is that, because downloads are performed 'by Windows', they bypass local firewalls!

The BBC reports that security expert Frank Boldewin recently discovered an email trojan using BITS to download a second stage payload. It has long been predicted that BITS would be used for malicious purposes and this method of download has been well documented in the underground.

Microsoft have commented on the news pointing out that the transport mechanism in use is irrelevant. In order for this problem to exist a person must first become infected with malware—something which should be avoided in the first place.
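
Because BITS persists its job queue across logoffs and restarts, that queue can be audited. The following is an added example, not part of the original post: it reports every BITS job whose source host is not on an allowlist. The function name, the allowlist entry and the sample jobs are assumptions constructed for illustration.

```powershell
# Added example: report BITS jobs whose source host is not on an allowlist.
function Find-UnexpectedBitsJob {
    param(
        [object[]] $Jobs = @(),
        # Assumption: hosts this estate expects BITS to pull from.
        [string[]] $AllowedHosts = @('download.windowsupdate.com')
    )
    foreach ($job in $Jobs) {
        foreach ($file in $job.FileList) {
            # RemoteName is the source URL (or UNC path) of one file in the job.
            $uri = $null
            $parsed = [Uri]::TryCreate([string]$file.RemoteName, [UriKind]::Absolute, [ref]$uri)
            $remoteHost = if ($parsed) { $uri.Host } else { '' }

            # Accept an exact match or a subdomain of an allowed host.
            $allowed = $false
            foreach ($a in $AllowedHosts) {
                if ($remoteHost -eq $a -or $remoteHost -like "*.$a") { $allowed = $true }
            }
            if (-not $allowed) {
                [pscustomobject]@{
                    JobId      = $job.JobId
                    Owner      = $job.OwnerAccount
                    State      = $job.JobState
                    Created    = $job.CreationTime
                    RemoteName = $file.RemoteName
                    LocalName  = $file.LocalName
                }
            }
        }
    }
}

# Constructed sample jobs, shaped like Get-BitsTransfer output, so this runs offline.
$sampleJobs = @(
    [pscustomobject]@{
        JobId = 'sample-1'; OwnerAccount = 'NT AUTHORITY\SYSTEM'; JobState = 'Transferring'
        CreationTime = (Get-Date)
        FileList = @([pscustomobject]@{
            RemoteName = 'http://download.windowsupdate.com/sample/patch.cab'
            LocalName  = 'C:\Windows\SoftwareDistribution\Download\patch.cab' })
    },
    [pscustomobject]@{
        JobId = 'sample-2'; OwnerAccount = 'WORKSTATION\alice'; JobState = 'Suspended'
        CreationTime = (Get-Date)
        FileList = @([pscustomobject]@{
            RemoteName = 'http://files.example.test/sample.bin'
            LocalName  = 'C:\Users\alice\AppData\Local\Temp\sample.tmp' })
    }
)
Find-UnexpectedBitsJob -Jobs $sampleJobs | Format-List   # reports only sample-2
```

On a live machine, run `Find-UnexpectedBitsJob -Jobs (Get-BitsTransfer -AllUsers)` from an elevated prompt so that jobs owned by other accounts are included.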

