
Hackers Exploit Windows BITS Feature To Launch Malware Attack

Microsoft introduced BITS (Background Intelligent Transfer Service) in Windows XP to coordinate large file uploads and downloads in the background. System components and applications, most notably Windows Update, use BITS to deliver application and OS updates with minimal disruption to the user. Applications interact with BITS by creating jobs, each of which downloads or uploads one or more files. Because BITS runs as a service, transfers can proceed at any time, including after the application that requested them has exited; the service keeps job, file and state information in a local database.

How do attackers exploit BITS?

Like every other technology, BITS is used by legitimate applications and abused by attackers. When a malicious application creates a BITS job, the files are uploaded or downloaded in the context of the service host process (svchost.exe) rather than the application that requested the transfer. This lets attackers evade host firewalls that block suspicious or unknown processes, because the requesting application is hidden behind a trusted system process. BITS transfers can also be scheduled to run later, so an attacker does not have to depend on the task scheduler or on a long-running process to get a transfer to happen at a chosen time.

BITS transfers are asynchronous, so the application that created a job may no longer be running by the time the requested transfer completes. To handle this, a BITS job can be created with a user-specified notification command line that BITS runs when the job completes or fails with an error. The notification command may be any executable or command; nothing ties it to the application that created the job. Attackers have abused this feature as a persistence technique: a job whose notification command points at a malicious program re-launches that program every time the job fires.

The notification command for a BITS job is stored in the BITS job database rather than in the places persistence tools traditionally inspect, such as registry Run keys or startup directories, so tools that hunt for unknown persistent executables or commands may overlook it. BITS jobs can be created with the bitsadmin command-line tool or through the BITS API functions. Cybersecurity firm FireEye reports, "the Background Intelligent Transfer Service continues to provide utility to applications and attackers alike. The BITS QMGR database can present a useful source of data in an investigation or hunting operation. BitsParser may be utilized with other forensic tools to develop a detailed view of attacker activity."
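As an added illustration (this is not code from the article, from FireEye, or from BitsParser), the following PowerShell script shows both sides of the technique described above: first how a BITS job with a notification command line is created with bitsadmin, then how a defender enumerates the jobs of every user and flags the ones that will run a command when they finish. The job name, URL and file paths are placeholders, the notification program is a harmless one (notepad.exe), the `NotifyCmdLine` and `FileList` properties are the ones exposed by the BitsTransfer module's job objects, and the event IDs queried at the end (3, 59 and 60 in the Bits-Client operational log) are the ones commonly used when hunting BITS activity.

```powershell
# Added example, not code from the article or from FireEye/BitsParser.
# Assumptions: the job name, URL and destination path are placeholders, the
# notification program is harmless (notepad.exe), and the script runs in an
# elevated PowerShell session on a Windows host that still ships bitsadmin.exe.

# --- Part 1: what the persistence technique looks like -------------------------
$jobName = 'ExampleBitsJob'                          # placeholder display name
$url     = 'http://example.com/file.txt'             # placeholder; the transfer may fail,
$dest    = Join-Path $env:TEMP 'bits-example.txt'    # the notify command fires on error too

bitsadmin /create $jobName             | Out-Null
bitsadmin /addfile $jobName $url $dest | Out-Null
# Notify flags 1 (job transferred) + 2 (job error) = 3: run the command on either outcome.
bitsadmin /setnotifyflags $jobName 3   | Out-Null
# The program BITS launches when the job finishes; NULL means "no parameters".
bitsadmin /setnotifycmdline $jobName 'C:\Windows\System32\notepad.exe' NULL | Out-Null
bitsadmin /resume $jobName             | Out-Null

# --- Part 2: hunting for jobs that carry a notification command -----------------
Import-Module BitsTransfer

function Find-BitsNotifyJobs {
    # Enumerate the jobs of every user (requires elevation) and keep those that
    # will run a command on completion. NotifyCmdLine is empty for ordinary jobs.
    Get-BitsTransfer -AllUsers |
        Where-Object { $_.NotifyCmdLine -and ($_.NotifyCmdLine -join ' ').Trim() } |
        ForEach-Object {
            [pscustomobject]@{
                JobId       = $_.JobId
                DisplayName = $_.DisplayName
                Owner       = $_.OwnerAccount
                State       = $_.JobState
                Created     = $_.CreationTime
                NotifyCmd   = ($_.NotifyCmdLine -join ' ')
                Files       = ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
            }
        }
}

Find-BitsNotifyJobs | Format-List

# Same view with the legacy tool: look for the NOTIFICATION COMMAND LINE field.
bitsadmin /list /allusers /verbose

# Corroborate with the BITS client log: 3 = job created (with owner), 59 = transfer
# started (includes the remote URL), 60 = transfer stopped.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 59, 60 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# --- Cleanup: remove the example job ---------------------------------------------
Get-BitsTransfer -AllUsers | Where-Object DisplayName -eq $jobName | Remove-BitsTransfer
```

Part 1 is there only so the reader can see what a hunting rule must catch; in a real intrusion the notification command points at a payload on disk, not notepad. Part 2 is the live check: any job returned by `Find-BitsNotifyJobs` that was not created by an installer or updater you recognise deserves a look at its owner, creation time and file list. The live view depends on the BITS service and its API being trustworthy; when that cannot be assumed, or when the host is no longer running, the offline QMGR database is what tools like BitsParser parse, which is the point of the FireEye quote above.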

WannaCry hero pleads guilty to malware charges

Marcus Hutchins, author of the popular MalwareTech blog and the British cybersecurity researcher credited with stopping the WannaCry attack in 2017, now faces up to 10 years in prison after pleading guilty on Monday to writing malware that steals banking information, in the years before his prominent career as a malware researcher.

Hutchins stated on his website that he has "pleaded guilty to two charges related to writing malware" and added that he regrets those actions.

Hutchins posted the same statement on his website and on his Twitter feed: “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins is a rare talent whose reputation has since fallen from its heights, after the indictment tied him to the development of multiple pieces of malware and accused him of lying to the FBI.

Federal prosecutors in Wisconsin and Hutchins’ attorneys said in a joint court filing on Friday that the 24-year-old had agreed to plead guilty to developing the banking malware Kronos and to conspiring to distribute it between 2012 and 2015. In exchange for his plea to those two charges, prosecutors agreed to dismiss the remaining eight.

Hutchins was virtually unknown to most in the security community until May 2017, when the UK media revealed him as the “accidental hero” who had inadvertently halted the global spread of WannaCry, a ransomware outbreak that had swept the world only days before. His arrest in Las Vegas in August 2017, as he was about to board a flight to England, came as a shock. At the time, he told The Associated Press in an interview that he did not consider himself a hero but that he fought malware because “it’s the right thing to do.”

According to security experts, WannaCry could have infected many more systems worldwide had Hutchins not stemmed the infection after spotting a weakness in the malware's code.

Hutchins could receive a more lenient sentence for accepting responsibility, the court filing said. His attorneys said he understands that he could be deported. Sentencing has not yet been scheduled.