In CEH v13 Malware Threats, the Background Intelligent Transfer Service (BITS) is highlighted as a legitimate Windows service frequently abused by attackers for stealthy command-and-control (C2) communication and data exfiltration. BITS is designed to transfer files in the background using idle bandwidth, primarily for Windows Updates and Microsoft services.
Attackers exploit BITS because its traffic closely resembles legitimate Windows update traffic, which is almost always allowed through firewalls, proxies, and endpoint security controls. This makes malicious traffic blend seamlessly into normal network activity, significantly reducing the likelihood of detection.
Option C correctly captures this behavior. BITS does not rely on IP fragmentation (Option A), DNS encryption (Option B), or exclusive HTTP tunneling (Option D). Instead, it leverages trusted system behavior and signed binaries, allowing malware to “live off the land.”
CEH v13 stresses that abuse of trusted services like BITS is a hallmark of advanced persistent threats (APTs) and fileless malware. Detecting such abuse typically requires behavioral monitoring rather than signature-based detection.
Thus, Option C is correct.
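The behavioral monitoring mentioned above, sketched as an added example that is not part of the CEH material: it triages BITS job records by where they connect, which process created them, and the transfer direction, instead of matching file signatures. The record field names, the allow-listed host suffixes, the expected creator processes and the sample jobs are all assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumed allow-list of update host suffixes; tune to your own environment.
EXPECTED_SUFFIXES = (".windowsupdate.com", ".microsoft.com")
# Assumed set of processes expected to create BITS jobs on a managed endpoint.
EXPECTED_CREATORS = {"svchost.exe", "msiexec.exe"}


def host_is_expected(url):
    """True only if the URL host is an allow-listed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in EXPECTED_SUFFIXES)


def score_job(job):
    """Return the behavioral reasons a BITS job record looks unusual."""
    reasons = []
    if not host_is_expected(job["url"]):
        reasons.append("unexpected-remote-host")
    creator = job["process_path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if creator not in EXPECTED_CREATORS:
        reasons.append("unexpected-creator-process")
    if job["direction"] == "upload":
        # Update traffic is download-heavy; uploads deserve a closer look.
        reasons.append("upload-job")
    return reasons


def triage(jobs):
    """Map job title to reasons, keeping only jobs with at least one finding."""
    return {j["title"]: r for j in jobs if (r := score_job(j))}


# Constructed sample records (hypothetical field names, not a real log schema).
SAMPLE_JOBS = [
    {"title": "update-download", "direction": "download",
     "url": "http://download.windowsupdate.com/sample/update.cab",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},
    {"title": "job-2", "direction": "download",
     "url": "https://updates.example.net/pkg.bin",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.exe"},
    {"title": "job-3", "direction": "upload",
     "url": "https://files.example.org/in/",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},
    {"title": "job-4", "direction": "download",
     "url": "https://microsoft.com.example.net/u.cab",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for title, reasons in triage(SAMPLE_JOBS).items():
        print(title, reasons)
```

The suffix check compares whole domain labels, so a look-alike host that merely contains an allow-listed name is still reported.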