SecureWorks reported that malicious actors have been using Windows BITS to set up recurring malware downloads by leveraging its autorun capabilities to keep reinstalling the malicious code. In one instance, an infected system's initial malware was removed, but the malicious BITS tasks remained, causing malware to be redownloaded regularly. How does Windows BITS work, and what can security teams do to track down malicious BITS tasks and protect systems from abuse?
There are many places where malware can hide on Windows -- or macOS or Linux -- which is one of the difficulties of manually removing malware from an infected computer. While it may be safest to reinstall the operating system of an infected computer, this isn't always done. An IT security professional who intends to manually clean a computer needs to check all of the common hiding places for malware, like the registry, DNS configuration, scheduled jobs, browser configurations and many other places, including Windows Background Intelligent Transfer Service (BITS) tasks.
Windows BITS works to download files using minimal resources and to automatically restart interrupted downloads. It is allowed through the Windows firewall and can also run a program when the download is completed. BITS tasks are logged in the Windows event log. It is used by Windows Update to download patches to install.
Security teams can track down malicious Windows BITS tasks by using the following commands as an administrative user:
- For Windows 7: "bitsadmin /list /allusers /verbose"
- For Windows 10 using PowerShell: "Get-BitsTransfer"
This could be run locally, with the output being sent to a centralized location to check a large number of systems. Security managers therefore can regularly check to see if BITS tasks are being abused by threat actors.
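One way to turn the check above into a per-host inventory that can be collected centrally, as an added example that is not part of the original answer. It assumes an elevated PowerShell session, uses the cmdlet's -AllUsers switch to list jobs owned by every account, and writes to a hypothetical output folder ($OutDir); it flags jobs that run a program on completion, the BITS feature described above.

```powershell
# Added example: inventory BITS jobs for every user on this host and flag
# jobs configured to run a program when the transfer completes.
# $OutDir is an assumed collection folder, not a path from the article.
param(
    [string]$OutDir = "$env:TEMP\bits-inventory"
)

Import-Module BitsTransfer -ErrorAction Stop
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -AllUsers lists jobs owned by all accounts; it needs administrator rights.
$jobs = @(Get-BitsTransfer -AllUsers -ErrorAction Stop)

$report = @(foreach ($job in $jobs) {
    # Normalise the completion command to one string, whether it is
    # returned as a single value or as program plus arguments.
    $cmd = (@($job.NotifyCmdLine) -join ' ').Trim()
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        JobId         = $job.JobId
        DisplayName   = $job.DisplayName
        Owner         = $job.OwnerAccount
        State         = $job.JobState
        Type          = $job.TransferType
        Created       = $job.CreationTime
        Modified      = $job.ModificationTime
        RemoteUrls    = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ';'
        LocalPaths    = ($job.FileList | ForEach-Object { $_.LocalName }) -join ';'
        NotifyCmdLine = $cmd
        RunsProgram   = ($cmd.Length -gt 0)
    }
})

$csv = Join-Path $OutDir ("{0}-bits-jobs.csv" -f $env:COMPUTERNAME)
if ($report.Count -gt 0) {
    $report | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8
}

# Jobs with a completion command are the ones to review first.
$flagged = @($report | Where-Object { $_.RunsProgram })
$flagged | Format-List Computer, Owner, DisplayName, State, Created, RemoteUrls, NotifyCmdLine

$summary = "{0} job(s) found, {1} with a completion command; report: {2}"
Write-Output ($summary -f $report.Count, $flagged.Count, $csv)
```

A job owned by an unexpected account, pointing at an unfamiliar URL, or carrying a completion command is a candidate for review against the BITS entries in the Windows event log.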
But enterprises can first protect systems from Windows BITS task abuse by preventing malware from getting on the system and ensuring that administrative access is not gained by unauthorized users who would be able to use it to create malicious BITS jobs.