BITS used as a covert channel

The idea to use BITS to download files from the internet is not new. If you check the corresponding page from Wikipedia, you will find that
Background Intelligent Transfer Service (BITS) is a component of modern Microsoft Windows operating systems that facilitates prioritized, throttled, and asynchronous transfer of files between machines using idle network bandwidth.
The web page ends with a list of third-party applications that use BITS. However, as any technical method, it can be used for evil purposes as well. Eric Landuyt analyzed a malware that exploits it for bad:
http://www.datarescue.com/laboratory/trojan2008/index.html
I liked the “proof of concept” WinDbg script that runs the malware in a controlled manner. Breakpoints with actions are very powerful, indeed.
Nice work, Eric!
This entry was posted in Decompilation. Bookmark the permalink.

One Response to BITS used as a covert channel