SecureWorks reported that malicious actors have been using Windows BITS to set up recurring malware downloads by leveraging its autorun capabilities to keep reinstalling the malicious code. In one instance, an infected system's initial malware was removed, but the malicious BITS tasks remained, causing malware to be redownloaded regularly. How does Windows BITS work, and what can security teams do to track down malicious BITS tasks and protect systems from abuse?
Malware can hide in many places on Windows -- or macOS or Linux -- and that is one of the difficulties of manually removing malware from an infected computer. While reinstalling the operating system of an infected computer is the safest option, it isn't always done. An IT security professional who intends to clean a computer by hand needs to check all of the common hiding places for malware, including the registry, DNS configuration, scheduled jobs, browser configurations and many other locations, among them Windows Background Intelligent Transfer Service (BITS) jobs.
Windows BITS transfers files in the background using idle network bandwidth, so it consumes minimal resources, and it automatically resumes interrupted transfers; its job queue persists across reboots, which is why a job survives the removal of the malware that created it. Because it fetches files over ordinary HTTP and HTTPS from a Windows service process, its traffic is normally allowed through the Windows firewall and looks like legitimate system activity. A job can also be given a notification command line, a program that BITS runs when the transfer completes, and this is what gives attackers a way to relaunch downloaded malware without a separate persistence mechanism. BITS job activity is recorded in the Windows event log (the Microsoft-Windows-Bits-Client/Operational log). Windows Update relies on BITS to download patches, which is one reason the service is present and running on every Windows system.
Security teams can track down malicious Windows BITS jobs with the following commands, run from an elevated (administrator) session so that jobs belonging to every user account are shown:
- For Windows 7 (still available on Windows 10, though deprecated): "bitsadmin /list /allusers /verbose"
- For Windows 10 using PowerShell: "Get-BitsTransfer -AllUsers | Format-List *" (without -AllUsers only the current user's jobs are listed)
Either command can be run locally, with the output sent to a central location so that a large number of systems can be checked, and security managers can then review the results regularly to see whether BITS jobs are being abused by threat actors. Jobs worth a closer look are those whose download source is not a known update server, whose local target sits in a temp or AppData directory, or that have a notification command line set, since that command runs every time the download completes.
But enterprises should first protect systems from Windows BITS job abuse by preventing malware from reaching them at all and by limiting what an intruder can do once inside. Note that creating a BITS job does not require administrative rights: any user who can run code can queue a download into a directory they can write to, so least privilege, application control and egress filtering of the HTTP(S) destinations BITS may reach matter as much as keeping administrative access out of unauthorized hands.
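The following PowerShell script is an added example, not code from the original answer or from SecureWorks. It applies the triage criteria above to the output of Get-BitsTransfer -AllUsers, writes a per-host CSV to a central share, and corroborates the live queue against the BITS client operational log. The trusted-host allow-list, the share path and the drop-path pattern are assumptions to be tuned per environment.

```powershell
# Added example (not from the original article). Enumerates BITS jobs for all
# users and flags what an analyst wants to see first: a notify command line
# (runs when the download finishes), a source outside the update domains we
# trust, and a local target in a user-writable staging directory.
# Run from an elevated PowerShell session: -AllUsers requires admin rights.
Import-Module BitsTransfer

# Assumption: illustrative allow-list, not an authoritative one. Legitimate
# third-party updaters also use BITS, so a hit is a lead, not a verdict.
$trustedHosts = @('windowsupdate.com', 'microsoft.com', 'windows.com')

function Test-SuspiciousBitsJob {
    param([Parameter(Mandatory)] $Job)
    $reasons = @()

    # 1. A command that BITS executes when the job completes (persistence hook)
    $notify = $Job.PSObject.Properties['NotifyCmdLine']
    if ($notify -and $notify.Value) {
        $reasons += "NotifyCmdLine set: $($notify.Value -join ' ')"
    }

    foreach ($f in $Job.FileList) {
        # 2. Source host not on the allow-list (subdomains of a trusted host are accepted)
        $uri = $null
        if ([Uri]::TryCreate($f.RemoteName, [UriKind]::Absolute, [ref]$uri)) {
            $hostOk = $trustedHosts | Where-Object { $uri.Host -eq $_ -or $uri.Host.EndsWith(".$_") }
            if (-not $hostOk) { $reasons += "Untrusted source: $($f.RemoteName)" }
        } else {
            $reasons += "Unparseable remote name: $($f.RemoteName)"
        }
        # 3. Payload written to a user-writable staging directory (pattern is an assumption)
        if ($f.LocalName -match '\\(Temp|AppData|Public|ProgramData)\\') {
            $reasons += "Writable drop path: $($f.LocalName)"
        }
    }
    return $reasons
}

$report = foreach ($job in Get-BitsTransfer -AllUsers) {
    $reasons = Test-SuspiciousBitsJob -Job $job
    [PSCustomObject]@{
        Computer    = $env:COMPUTERNAME
        JobId       = $job.JobId
        DisplayName = $job.DisplayName
        Owner       = $job.OwnerAccount
        State       = $job.JobState
        Created     = $job.CreationTime
        Files       = ($job.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = $reasons -join ' | '
    }
}

# Ship the results to a central share for fleet-wide review (path is an assumption)
$out = "\\fileserver\bits-audit\$env:COMPUTERNAME-$(Get-Date -Format yyyyMMdd).csv"
$report | Export-Csv -Path $out -NoTypeInformation
$report | Where-Object Suspicious | Format-Table JobId, Owner, State, Reasons -AutoSize

# Corroborate with the BITS client log: event 59 records the URL of every
# transfer job that started, so a job already removed from the queue still leaves a trace.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap

# To cancel a confirmed malicious job, use the JobId from the report above:
#   Get-BitsTransfer -AllUsers | Where-Object JobId -eq '<job-id>' | Remove-BitsTransfer
```

Remove-BitsTransfer cancels the job and deletes any partially transferred files, which is the step that actually breaks the redownload loop described in the question; removing only the downloaded malware, as in the SecureWorks case, leaves the job in the queue.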