Newly discovered cyber-espionage malware abuses Windows BITS service

Dev will be fastest on Linux. Then again I don't know. It depends upon what you're doing and the size of what you're doing.

If even 1 minute or less doesn't work for you, then the best bet is to just use a separate machine if you can manage it.

1 min switching time (as it's a cost to pay for each start of the dev env) is a lot to pay in productivity. Thought about the two-machine setup (for separate purposes) but it will be as inconvenient, i.e. when I travel I can't take 2 laptops with me.

Think for my use case a suite with a good BB is the only good solution - but I'll wait a bit to see if WSL 2 solves all this
 
Do you have an SSD or HDD?
 
Docker is always up as Docker Desktop; updating it (with admin rights) won't work unless I disable (max) SRP and other restrictions at H_C (i.e. WSH). Maybe disabling all is not required, but I lack the free time to find the minimal set.
Good luck with finding the solution. :giggle:(y)
Just remember in the case of failure, that a pretty good solution is already known, if you will change a little your habits and find a little time to adjust it to your needs.

Edit.
I did not try Docker, but it should be possible to run it with Admin rights via a scheduled task. In this way, it should update while bypassing SRP.
Sorry for somewhat off-topic posts - but SRP is really good against abusing BITS and it can be useful for safely blocking LOLBins. It just requires some time for learning how to adjust the setup to the concrete needs.
 
The BITS service is set to Manual by default and can temporarily be set to Automatic (Delayed Start, Running) when needed. Anyway, this does not prevent the malware (no elevation required) in any way from downloading payloads when using bitsadmin.exe on the command line or the BitsTransfer cmdlet in PowerShell.
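Since the point above is that the service's startup type does not stop an unprivileged process from queuing a BITS download, the practical defence is to audit which jobs exist and where they pull from. The following PowerShell is an added example for this thread, not code posted by anyone in it: it lists every user's BITS jobs, flags any whose remote URL is not on an allowlist (the allowlist hosts are constructed assumptions to be replaced with your own), flags jobs that carry a NotifyCmdLine (a command BITS runs when the job completes), and pulls the matching "transfer job started" events (ID 59) from the BITS-Client operational log. `Get-BitsTransfer -AllUsers` needs an elevated prompt.

```powershell
# Added example: audit BITS jobs from a defender's side.
# Assumption: the allowlist below is illustrative; put your own update hosts there.
Import-Module BitsTransfer

$AllowedHosts = @(
    'download.microsoft.com',
    'download.visualstudio.microsoft.com'
)

function Get-SuspiciousBitsJob {
    param([string[]]$AllowedHosts)

    # -AllUsers returns jobs queued by every account, which is where a
    # non-elevated downloader's job would show up.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job = $_
        foreach ($file in $job.FileList) {
            $uri = [System.Uri]$file.RemoteName
            $hostAllowed = $AllowedHosts -contains $uri.Host
            $hasNotify   = -not [string]::IsNullOrEmpty($job.NotifyCmdLine)

            # Report a job if it fetches from an unknown host or will run a
            # command when the transfer finishes.
            if (-not $hostAllowed -or $hasNotify) {
                [PSCustomObject]@{
                    JobId         = $job.JobId
                    DisplayName   = $job.DisplayName
                    Owner         = $job.OwnerAccount
                    State         = $job.JobState
                    RemoteName    = $file.RemoteName
                    LocalName     = $file.LocalName
                    NotifyCmdLine = $job.NotifyCmdLine
                    Reason        = if (-not $hostAllowed) { 'host not allowlisted' } else { 'notify command set' }
                }
            }
        }
    }
}

Get-SuspiciousBitsJob -AllowedHosts $AllowedHosts | Format-Table -AutoSize

# Cross-check against the BITS client log: event 59 is written when a transfer
# job starts and names the job and remote URL, so it survives the job being
# cancelled or completed later.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id      = 59
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

The job list only shows what is queued right now, which is why the second query against the operational log matters: a job that finished minutes ago is gone from `Get-BitsTransfer` but its start event is still on disk, and forwarding that channel to a SIEM is the cheapest way to see BITS-based downloads across a fleet.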
Well, that sucks. So that means any apps that use BITS, for example Visual Studio updates etc., might be attacked with a fake installer that abuses BITS to serve malware.