{
	"id": "5723143e-ef47-41c1-8fe6-159715509b81",
	"created_at": "2026-04-06T00:19:56.855438Z",
	"updated_at": "2026-04-10T03:22:05.154951Z",
	"deleted_at": null,
	"sha1_hash": "07aaa9e822892d5bc890ece8bcca4e140ed14528",
	"title": "Malware piggybacks on Windows' Background Intelligent Transfer Service",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 33545,
	"plain_text": "Malware piggybacks on Windows' Background Intelligent Transfer\r\nService\r\nBy Matt Mondok\r\nPublished: 2007-05-11 · Archived: 2026-04-05 17:52:15 UTC\r\nWhen Windows Update downloads patches to a PC, it relies on a service called the Background Intelligent\r\nTransfer Service, or BITS. In a nutshell, BITS asynchronously downloads updates from Microsoft's servers while\r\nattempting to use as little bandwidth as possible. Besides downloading updates, it is also used to transfer files\r\nwithin Microsoft's messaging products.\r\nWhile the service is primarily used by Microsoft, it also exposes a COM application programming interface (API)\r\nfor programmers, and according to Elia Florio of the Symantec Security Response Weblog, hackers have started to\r\ntake advantage of the API.\r\nWhy does malware use BITS for downloading files? For one simple reason: BITS service is part of the\r\noperating system, so it’s trusted and bypasses the local firewall while downloading files. Malwares need\r\nto bypass local firewalls, but usually the most common methods found in real samples are intrusive,\r\nrequire process injection or may raise suspicious alarms.\r\nFlorio states that the Trojan known as \"Downloader\" currently uses BITS to attack Windows PCs. The malware\r\naccesses BITS with the CoCreateInstance() method, and it downloads files to the local PC using the CreateJob()\r\nand AddFile() methods.\r\nThough Symantec has known about the BITS exploit since it was first discussed on a Russian message board at\r\nthe end of 2006, the company did not see the technique being used in the wild until March of this year. Right now,\r\nthere's not much one can do to protect against the BITS attack except disable the service, but Symantec's Oliver\r\nFriedrichs claims that there is no need to worry about Windows Update being exploited. \"There's no evidence to\r\nsuspect that Windows Update can be compromised. 
If it has a weakness, someone would have found it by now.\"\r\nMicrosoft has yet to respond to the claims, but we should expect something to pop up on the Microsoft Security\r\nResponse Center blog shortly.\r\nSource: https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/"
	],
	"report_names": [
		"malware-piggybacks-on-windows-background-intelligent-transfer-service"
	],
	"threat_actors": [],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07aaa9e822892d5bc890ece8bcca4e140ed14528.pdf",
		"text": "https://archive.orkl.eu/07aaa9e822892d5bc890ece8bcca4e140ed14528.txt",
		"img": "https://archive.orkl.eu/07aaa9e822892d5bc890ece8bcca4e140ed14528.jpg"
	}
}