How criminals are using Windows Background Intelligent Transfer Service

In the last few months, cybercrime gangs have abused the Windows Background Intelligent Transfer Service (BITS) in malware as a way of masquerading their operations.

In this article, we are going to learn about BITS, Malware is using the BITS feature for nefarious reasons, but there are ways to prevent and detect scenarios of this nature.

What is Windows Background Intelligent Transfer Service?

BITS is a service available on Windows operating system and the default way through which Microsoft sends Windows updates to users all over the world. Applications and system components, including Windows Update, use BITS to deliver operating system and application updates so they can be downloaded with minimal disruption.

Figure 1: BITS service and its configuration (automatic mode).

BITS works based on jobs with one or more files to download and upload depending on the number of applications it interacts with. The BITS service runs in a service host process and it can schedule transfers such as the well-known Windows Updates. Information on the jobs, files and states is stored in a local database (BITS QMGR).

How criminals are using BITS

The massive usage of BITS in the wild by criminal groups is not new.

Read More: