
How is Windows BITS used to redownload malware after its removal?

Malicious Windows BITS tasks set up by attackers can reinfect systems even after the malware has been removed. Expert Nick Lewis explains how to locate and remove these tasks.

SecureWorks reported that malicious actors have been using Windows BITS to set up recurring malware downloads by leveraging its autorun capabilities to keep reinstalling the malicious code. In one instance, an infected system's initial malware was removed, but the malicious BITS tasks remained, causing malware to be redownloaded regularly. How does Windows BITS work, and what can security teams do to track down malicious BITS tasks and protect systems from abuse?

There are many places where malware can hide on Windows -- or macOS or Linux -- which is one of the difficulties encountered when manually removing malware from an infected computer. While it may be safest to reinstall the operating system of an infected computer, this isn't always done. If an IT security professional intends to manually clean a computer, they need to check all of the common hiding places for malware, such as the registry, DNS configuration, scheduled jobs, browser configurations and many other places, including Windows Background Intelligent Transfer Service (BITS) tasks.

Windows BITS downloads files in the background using minimal resources and automatically resumes interrupted downloads. It is allowed through the Windows firewall and can also run a program when a download is completed. BITS tasks are logged in the Windows event log. Windows Update uses BITS to download the patches it installs.

Security teams can track down malicious Windows BITS tasks by using the following commands as an administrative user:

  • For Windows 7: "bitsadmin /list /allusers /verbose"
  • For Windows 10 using PowerShell: "Get-BitsTransfer"

These commands can be run locally, with the output sent to a centralized location so that a large number of systems can be checked. Security managers can therefore regularly check whether BITS tasks are being abused by threat actors.
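The following is an added example, not part of the original article, of the PowerShell approach described above: it enumerates BITS jobs for all users, flags the two traits the article calls out (a program configured to run when the download completes, and a download source outside the hosts Windows Update normally uses), and exports the result to a central share. It assumes the BitsTransfer module's job objects expose the NotifyCmdLine property (Windows 8 / Server 2012 and later); the allowed host list and the collector path are placeholders to adjust for your environment.

```powershell
# Enumerate BITS jobs for every user and flag ones worth a closer look.
# Run as an administrator; -AllUsers is needed to see jobs created by other accounts.
Import-Module BitsTransfer

# Hosts treated as expected for update traffic. Assumption: adjust for your environment.
$ExpectedHosts = @('*.windowsupdate.com', '*.microsoft.com')

$results = foreach ($job in Get-BitsTransfer -AllUsers) {
    # Remote URLs (or UNC paths) the job downloads from
    $remotes = @($job.FileList | ForEach-Object { $_.RemoteName })

    $unexpected = @()
    foreach ($url in $remotes) {
        $hostName = ([System.Uri]$url).Host
        if (-not ($ExpectedHosts | Where-Object { $hostName -like $_ })) { $unexpected += $url }
    }

    $reasons = @()
    # NotifyCmdLine holds the program BITS runs when the transfer completes:
    # this is the "autorun" capability the article describes.
    if ($job.NotifyCmdLine) { $reasons += "runs command on completion: $($job.NotifyCmdLine)" }
    if ($unexpected.Count -gt 0) { $reasons += "unexpected source: $($unexpected -join '; ')" }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        JobId        = $job.JobId
        DisplayName  = $job.DisplayName
        Owner        = $job.OwnerAccount
        State        = $job.JobState
        Created      = $job.CreationTime
        RemoteFiles  = ($remotes -join '; ')
        Suspicious   = ($reasons.Count -gt 0)
        Reason       = ($reasons -join ' | ')
    }
}

# Send everything to a central location for review. Placeholder path.
$Central = "\\collector\bits-audit\$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).csv"
$results | Export-Csv -Path $Central -NoTypeInformation

# Show flagged jobs locally; once a job is confirmed malicious,
# Remove-BitsTransfer -BitsJob <job> cancels it so it cannot redownload anything.
$results | Where-Object Suspicious | Format-Table DisplayName, Owner, Reason -AutoSize
```

The host allowlist only narrows the review list; a job on an expected host still deserves attention if its owner, display name or completion command looks out of place.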

But enterprises can first protect systems from Windows BITS task abuse by preventing malware from getting on the system and ensuring that administrative access is not gained by unauthorized users who would be able to use it to create malicious BITS jobs.


This was last published in November 2016
