Check your BITS, because deleting malware might not be enough

Attackers are abusing the Windows Background Intelligent Transfer Service (BITS) to re-infect computers with malware after they’ve been already cleaned by antivirus products.

The technique was observed in the wild last month by researchers from SecureWorks while responding to a malware incident for a customer. The antivirus software installed on a compromised computer detected and removed a malware program, but the computer was still showing signs of malicious activity at the network level.

Upon further investigation, the researchers found two rogue jobs registered in BITS, a Windows service that’s used by the OS and other apps to download updates or transfer files. The two malicious jobs periodically downloaded and attempted to reinstall the deleted malware.

To read this article in full or to leave a comment, please click here