SecureWorks reported that malicious actors have been using Windows BITS to set up recurring malware downloads by...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
leveraging its autorun capabilities to keep reinstalling the malicious code. In one instance, an infected system's initial malware was removed, but the malicious BITS tasks remained, causing malware to be redownloaded regularly. How does Windows BITS work, and what can security teams do to track down malicious BITS tasks and protect systems from abuse?
There are many places where malware can hide on Windows -- or MacOS or Linux -- and it is one of the difficulties encountered when manually removing malware from an infected computer. While it may be safest to reinstall the operating system of an infected computer, this isn't always done. If an IT security professional intends to manually clean a computer, he needs to check all of the common hiding places for malware, like the registry, DNS configuration, scheduled jobs, browser configurations and many other places, including Windows Background Intelligent Transfer Service (BITS) tasks.
Windows BITS works to download files using minimal resources and to automatically restart interrupted downloads. It is allowed through the Windows firewall and can also run a program when the download is completed. BITS tasks are logged in the Windows event log. It is used by Windows Update to download patches to install.
Security teams can track down malicious Windows BITS tasks by using the following commands as an administrative user:
- For Windows 7: "bitsadmin /list /allusers /verbose"
- For Windows 10 using Powershell: "Get-BitsTransfer"
This could be run locally, with the output being sent to a centralized location to check a large number of systems. Security managers therefore can regularly check to see if BITS tasks are being abused by threat actors.
But enterprises can first protect systems from Windows BITS task abuse by preventing malware from getting on the system and ensuring that administrative access is not gained by unauthorized users who would be able to use it to create malicious BITS jobs.
Learn about the improvements made to Windows Defender Advanced Threat Protection
Find out how to improve endpoint security with NAC and DLP
Discover how to deal with Windows 10 patch security issues
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
A Gmail phishing attack brought users to fake login pages designed to look like Google's. Expert Nick Lewis explains how users can prevent similar ...continue reading
A HummingBad malware variant, HummingWhale, was discovered being spread through 20 apps on the Google Play Store. Expert Nick Lewis explains the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.