How is Windows BITS used to redownload malware after its removal?

SecureWorks reported that malicious actors have been using Windows BITS to set up recurring malware downloads by leveraging its autorun capabilities to keep reinstalling the malicious code. In one instance, an infected system's initial malware was removed, but the malicious BITS tasks remained, causing malware to be redownloaded regularly. How does Windows BITS work, and what can security teams do to track down malicious BITS tasks and protect systems from abuse?

There are many places where malware can hide on Windows -- or on macOS or Linux -- and that is one of the main difficulties of manually removing malware from an infected computer. Reinstalling the operating system is the safest course, but it isn't always done. Anyone who intends to clean a machine by hand needs to check all of the common hiding places: registry autostart keys, DNS configuration, scheduled jobs, browser configuration and many others, including the job queue of the Windows Background Intelligent Transfer Service (BITS).

Windows BITS downloads (and uploads) files over HTTP, HTTPS and SMB in the background, using idle bandwidth and minimal resources, and it automatically resumes transfers interrupted by a lost connection or a reboot. Jobs live in a queue owned by the BITS service rather than in the Task Scheduler or the registry Run keys, so they survive reboots and are missed by cleanup that only checks those locations; a job that cannot complete is retried for up to 90 days by default before the service gives up. A job can also carry a notification command line, a program BITS launches in the job owner's context when the transfer completes or fails, and that is the feature abused to relaunch malware after the dropped file has been deleted. The traffic originates from the service host process and is permitted through the Windows firewall. BITS activity is logged in the Microsoft-Windows-Bits-Client/Operational event log, and Windows Update itself uses the service to download patches.
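To see the mechanism concretely, here is a lab reproduction, added for this article and not taken from the SecureWorks report, that builds a harmless BITS job with the same shape as a malicious one: a download that survives reboots and keeps retrying, plus a notification command that BITS launches when the transfer finishes. The job name, the placeholder URL (a public Microsoft robots.txt) and the marker file are assumptions chosen for the lab; run it as a non-admin user in a throwaway VM and cancel the job afterwards.

```powershell
# Lab reproduction of a persistent BITS job (added example, not from the article).
# Runs as an ordinary user: creating BITS jobs does not require admin rights.
# Job name, URL and marker path are assumptions for the lab, not indicators.

$JobName = 'LabPersistJob'                              # assumed display name
$Url     = 'https://www.microsoft.com/robots.txt'       # benign placeholder payload
$Local   = Join-Path $env:TEMP 'bits-lab-payload.txt'   # where BITS writes the file
$Marker  = '%TEMP%\bits-lab-notify-ran.txt'             # expanded by cmd.exe at run time

# 1. Create a download job. It is stored in the BITS queue, survives reboots,
#    and starts in the SUSPENDED state.
bitsadmin /create /download $JobName | Out-Null
bitsadmin /addfile $JobName $Url $Local | Out-Null

# 2. Attach the notification command. BITS runs it, as the job owner, when the
#    job reaches TRANSFERRED or ERROR (the default notification flags). This is
#    the step malware uses to relaunch itself after its file has been deleted;
#    here it only writes a marker file. bitsadmin expects the parameter string
#    to repeat the program name as its first token.
bitsadmin /SetNotifyCmdLine $JobName "$env:SystemRoot\System32\cmd.exe" "cmd.exe /c echo notify-ran>$Marker" | Out-Null

# 3. Retry a failing transfer every 60 s and keep trying for 90 days (values in
#    seconds). A job pointed at an offline server keeps polling it for months.
bitsadmin /SetMinRetryDelay $JobName 60 | Out-Null
bitsadmin /SetNoProgressTimeout $JobName 7776000 | Out-Null

# 4. Queue it. From here on the service, not the user, drives the download.
bitsadmin /resume $JobName | Out-Null

# Inspect: /verbose shows the remote URL, owner, state and the notification
# command line, which is exactly what a hunt should look at.
bitsadmin /info $JobName /verbose

# Tear down the lab job. Do not use /complete on a suspect job: that finishes
# the transfer and fires the notification command.
# bitsadmin /cancel $JobName
```

After `/resume`, reboot the VM or kill the marker file and watch the job continue on its own; that is the behaviour that makes a leftover job redownload malware after the original sample was removed.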

Security teams can track down malicious Windows BITS jobs with either of the following commands, run as an administrator (both tools are present on Windows 7 and later; bitsadmin is deprecated but still ships with Windows 10):

  • Command prompt: "bitsadmin /list /allusers /verbose" -- the verbose output lists each job's owner, state, remote URLs and notification command line
  • PowerShell: "Get-BitsTransfer -AllUsers" -- without -AllUsers the cmdlet returns only the current user's jobs, so a job planted under another account would be missed

These commands run locally on each endpoint, so the practical approach is to execute them on a schedule (or through an EDR or management agent), send the output to a central location and compare every job against a baseline of known-good jobs: expected owners, expected remote hosts (Windows Update, Defender, Office, browsers) and an empty notification command line. Jobs that download from unfamiliar hosts, that carry a notification command line, or whose names mimic legitimate ones are the ones to investigate. With that baseline in place, security managers can regularly check whether threat actors are abusing BITS across a large number of systems.
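The following PowerShell hunt script is an added example written for this article; it is not SecureWorks' tooling or Microsoft's. It enumerates every user's BITS jobs, flags those that carry a notification command line or download from hosts outside an allowlist, corroborates them against the BITS operational event log, writes the inventory to a collector share, and shows how to cancel a flagged job. The allowlist patterns, the 30-day window and the \\collector\bits-hunt share are assumptions to adapt to your environment, and it must run elevated because -AllUsers needs administrative rights.

```powershell
# BITS hunt (added example, not from the article). Run elevated.
# Assumed allowlist of hosts that legitimately feed BITS here; tune it to your baseline.
$TrustedHosts = @('*.windowsupdate.com', '*.microsoft.com', '*.windows.com',
                  '*.office.com', '*.officeapps.live.com')

function Test-TrustedUrl {
    param([string]$Url)
    try { $remoteHost = ([uri]$Url).Host } catch { return $false }   # unparsable => untrusted
    foreach ($pattern in $TrustedHosts) { if ($remoteHost -like $pattern) { return $true } }
    return $false
}

# 1. Enumerate every user's jobs (without -AllUsers you only see your own) and
#    reduce each one to the fields an analyst needs.
$jobs = Get-BitsTransfer -AllUsers | ForEach-Object {
    $urls      = @($_.FileList | ForEach-Object { $_.RemoteName })
    $untrusted = @($urls | Where-Object { -not (Test-TrustedUrl $_) })
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Name       = $_.DisplayName
        JobId      = $_.JobId
        Owner      = $_.OwnerAccount
        State      = $_.JobState
        Created    = $_.CreationTime
        NotifyCmd  = $_.NotifyCmdLine      # program BITS will launch on completion or error
        Urls       = ($urls -join ' ')
        # A job that wants to run something, or pulls from an unknown host, gets a human look.
        Suspicious = (-not [string]::IsNullOrWhiteSpace($_.NotifyCmdLine)) -or ($untrusted.Count -gt 0)
    }
}
$jobs | Sort-Object Suspicious -Descending | Format-Table Name, Owner, State, NotifyCmd, Urls -AutoSize

# 2. Corroborate with the operational log: 3 = job created (includes the creating
#    process), 59 = transfer started (message carries the URL), 60 = transfer stopped.
#    Jobs the attacker already cancelled are gone from the queue but remain here.
$since  = (Get-Date).AddDays(-30)                                  # assumed look-back window
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 3, 59, 60; StartTime = $since
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 3. Ship the inventory to a central share for cross-host comparison (assumed path).
$jobs | ConvertTo-Json -Depth 3 | Set-Content -Path "\\collector\bits-hunt\$env:COMPUTERNAME.json"

# 4. Remediation for confirmed findings. Remove-BitsTransfer cancels the job and
#    deletes its partial files. Never Complete-BitsTransfer a suspect job: that
#    finishes the download and fires the notification command.
$bad = @($jobs | Where-Object Suspicious | ForEach-Object { $_.JobId })
# Get-BitsTransfer -AllUsers | Where-Object { $bad -contains $_.JobId } | Remove-BitsTransfer
```

The event-log step matters because the queue only shows live jobs; a job that already completed and fired its command has left the queue, and only event 59/60 records which URL it fetched and when.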

But enterprises can also prevent the abuse in the first place by keeping malware off the system and by ensuring that unauthorized users do not gain administrative access. One caveat: creating a BITS job does not itself require administrator rights. Any user can queue a download and a notification command that runs as that user, so least privilege limits the damage rather than the persistence, and admin rights matter mainly for hiding a job under another account -- or, for defenders, for listing every user's jobs. Because BITS honors the user's proxy settings and identifies itself with a "Microsoft BITS/7.x" User-Agent, egress proxy logs are a second place to spot jobs pulling from hosts that are not on the update allowlist.
