
BITS used as a covert channel

The idea of using BITS to download files from the internet is not new. The corresponding Wikipedia page describes it as follows:

Background Intelligent Transfer Service (BITS) is a component of modern Microsoft Windows operating systems that facilitates prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth.

The page ends with a list of third-party applications that use BITS. However, like any technical mechanism, it can be put to bad use as well. Eric Landuyt analyzed a piece of malware that abuses it:

http://www.datarescue.com/laboratory/trojan2008/index.html
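As an added example from the defender's side (not part of this post or of Eric Landuyt's analysis), the PowerShell snippet below enumerates the BITS jobs of every user on a host and reports those whose remote source does not belong to a known-good host list. It uses only the standard BitsTransfer module that ships with Windows; the allow-list is a constructed placeholder, and the function name Get-SuspiciousBitsJob is my own.

```powershell
# Added example, not code from the original post: list BITS jobs for all users
# and flag transfers whose remote URL is outside an allow-list of expected hosts.
# -AllUsers needs an elevated prompt; the module ships with Windows.
Import-Module BitsTransfer

# Constructed placeholder: replace with the update/CDN hosts your environment uses.
$allowedHosts = @('windowsupdate.com', 'update.microsoft.com')

function Get-SuspiciousBitsJob {
    param(
        [string[]]$AllowedHosts = $allowedHosts
    )
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            $uri = $null
            $isAllowed = $false
            # Unparseable remote names are treated as suspicious, not ignored.
            if ([System.Uri]::TryCreate($file.RemoteName, [System.UriKind]::Absolute, [ref]$uri)) {
                foreach ($h in $AllowedHosts) {
                    if ($uri.Host -eq $h -or $uri.Host.EndsWith(".$h")) { $isAllowed = $true; break }
                }
            }
            if (-not $isAllowed) {
                [pscustomobject]@{
                    JobId         = $job.JobId
                    DisplayName   = $job.DisplayName
                    Owner         = $job.OwnerAccount
                    State         = $job.JobState
                    Remote        = $file.RemoteName
                    Local         = $file.LocalName
                    # A non-empty value means a command is run when the job completes; review it.
                    NotifyCmdLine = $job.NotifyCmdLine
                    Created       = $job.CreationTime
                }
            }
        }
    }
}

Get-SuspiciousBitsJob | Format-Table -AutoSize
```

Because BITS jobs survive reboots and keep transferring quietly on idle bandwidth, a periodic run of this check (or a scheduled export of its output to your log collector) is a cheap way to spot a download that no legitimate updater requested.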

I liked the "proof of concept" WinDbg script that runs the malware in a controlled manner. Breakpoints with actions are very powerful, indeed.

Nice work, Eric!

Comments

Some extra links:

New Attack Piggybacks on Microsoft's Patch Service
http://blog.washingtonpost.com/securityfix/2007/05/malware_using_microsoft_patch.html

Malware Update with Windows Update
https://forums.symantec.com/syment/blog/article?message.uid=306452

BITS downloader source code:
http://www.reconstructer.org/code/bitscode.zip
