How to protect hidden Windows services from attacks

Hiding in plain sight is the name of the malware game these days, which means everything is exploitable. The more hidden a piece of malware is, the harder security managers must work to find it, especially if it looks like legitimate Windows activity.

You might think you can tell the difference between benign and malicious Windows services, but some of these services are pretty obscure. The average Windows PC runs dozens of common services as part of its normal operations. Many security managers, let alone users, would be hard-pressed to name more than a couple without looking them up.

Consider two of the lesser known services: Windows address space layout randomization (ASLR) and the Windows background intelligent transfer service (BITS). You probably have never come across these, but they are being targeted more frequently by malware authors.

ASLR vulnerability

ASLR, which was introduced with Vista, helps prevent attacks that try to reuse code, known as a return-oriented programming attack. The irony is that a flaw in its own programming is being exploited. ASLR is part of Windows Defender but normally isn’t individually accessed for user functions.

Malware that hijacks ASLR can execute standard libraries and other sequences of code that serve up some legitimate function of the operating system and compromise an otherwise uninfected system. The malware can also be hidden in your desktop web browser or common operating system tools such as desktop applications. Since the ASLR code is already present in these OS functions, the malware author piggybacks on the routines and relies on the legitimate operations code that is already sitting in memory to do its job. The return object programming attack can be used for both good and evil purposes. It has been around for some time and is used in many modern operating systems, including macOS and Linux, which makes this kind of malware hard to detect.

The ASLR service loads various Windows modules at non-predictable addresses to try to make code reuse harder. The exploit takes advantage of a bug in its routines that makes for less randomized addresses than was initially thought. Once this exploit happens, remote attackers can control an affected system as if they were sitting at the keyboard. The vulnerability goes back to 2012 and Windows 8. If done properly, it can create a valuable point of entry for a piece of malware to access a corporate network and remain undetected for months.

Microsoft acknowledged this flaw, which was first discovered by a researcher working for the US-CERT. Microsoft has issued a recommended fix that involves changing a registry entry for how ASLR is implemented. Enterprise IT managers are urged to roll out this change across all their Windows systems. This change can be implemented via group policies.

BITS vulnerability

BITS was introduced many years ago with Windows XP and is now on its 10.1 version as part of the Windows Creator update package. It is used as the basis for the Windows Update service to transfer files between PCs. One of the reason for its usefulness is that it can keep track of how much of a file has already been transferred in case of interruptions. Other Windows apps and services can take advantage of its utility, and it has a series of command-line switches for its main executable file. 

The restart feature and these command-line switches make BITS a very attractive target that has since been exploited. A piece of malware called UBoatRAT is a remote executable Trojan. The UBoatRAT takes advantage of this command line to maintain persistence on a system and survive any reboot. In a nutshell, the malware regularly runs a BITS command to keep executing the Trojan to make sure the endpoint is infected. An interesting aspect of the UBoatRAT is that the malware becomes active only when a PC joins an Active Directory domain, so users who transport laptops from home to work networks could become the source of an infection.

The UBoatRAT author has taken some effort to hide the malware even further. The malware begins its life as a phished file attachment that loads from a shared Google Drive. Next, its command server is hosted on a GitHub project and the attachment is disguised as an Office document file. It also checks to see if the endpoint appears to be running as a virtual machine (VM) by looking for clues in its file system. If the Trojan detects a VM (which are often used by security researchers), it issues a fake error message and then quits. This is typical of modern malware that contains all sorts of checks and obfuscation methods. Like the ASLR exploit, this can be a very dangerous point of entry to a corporate network and it could remain undetected for months.

Security researchers have found more than a dozen samples of UBoatRAT, so while it isn’t exactly common, it appears to be under active development. Researchers have seen Korean-language game titles and company names that indicate the malware is targeting users in that part of the world at the moment.

Security managers who want to stay ahead of the latest attack vectors should do the following: First, tune defensive mechanisms to be on the lookout for these sorts of exploits, and don’t trust any Windows service implicitly. You can't afford a false sense of security when it comes to Windows services. Scan your network for downloads from Windows freeware sites because they may contain infected executables. Install advertising and pop-up blockers across browsers to further keep infected ads from your user base. Use automated Windows Update to keep systems current. Finally, periodically use Registry auditing tools such as Sysinternals Autoruns to examine any suspicious entries across your endpoints.

Protect hidden Windows services: Lessons for leaders

• Monitor for malware that targets obscure Windows services by persisting in-memory or makes use of functions to control Windows endpoints.
• Add the right policies and rules to examine persistent services to be sure defensive mechanisms such as firewalls and endpoint detection tools catch these situations.
• Keep Windows endpoints updated regularly with the latest patches.
• Audit your users’ registry entries regularly.