Unexpected Lateral Movement via Windows Delivery Optimization Service
A coworker noticed my computer generating large volumes of traffic on port 7680. The investigation traced it to an svchost.exe process running the default Windows Delivery Optimization Service, which shares Windows Update content between machines on the LAN; its peer-to-peer connections looked like lateral movement. I stopped the traffic by disabling the feature.
One morning at work a colleague whispered that my computer might be compromised.
“Xuan, is your computer infected?”
He explained that the network analysis platform XXX showed my IP making massive requests to other machines, resembling lateral movement.
Using XXX I confirmed that my IP and many hosts in the same subnet repeatedly opened connections on port 7680, and other hosts were also connecting to my machine.
Process Explorer showed that the listening process (PID 5952) was an svchost.exe instance whose service description read "Delivery Optimization Service" (in the Chinese UI: 执行内容传递优化服务, "performs content delivery optimization").
Microsoft documentation describes this service as Delivery Optimization: it distributes Windows Update content peer-to-peer between machines on the same LAN over TCP port 7680. It is enabled by default, so its fan-out of connections to neighbouring hosts can look like malware moving laterally. I disabled the feature to stop the unexpected traffic.
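The checks described above (which process owns the port 7680 connections, which service that svchost.exe hosts, and whether peering is allowed by policy), as an added PowerShell triage script that is not from the original post. It assumes an elevated session on Windows 10/11 with the NetTCPIP module, and uses Microsoft's service name DoSvc for Delivery Optimization.

```powershell
# Added triage script (not from the original post). Assumes an elevated
# PowerShell session on Windows 10/11; DoSvc is the Delivery Optimization service name.
$Port = 7680

# 1. Every TCP listener or connection involving port 7680, with its owning PID.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }

# 2. For each owning PID, resolve the image and the services hosted in that process.
#    svchost.exe hosts many services; Win32_Service.ProcessId tells us which ones.
$report = foreach ($grp in ($conns | Group-Object OwningProcess)) {
    $procId = [int]$grp.Name
    $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $svcs   = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID       = $procId
        Image     = if ($proc) { $proc.Path } else { '<exited>' }
        Services  = ($svcs.Name -join ',')
        IsDoSvc   = [bool]($svcs.Name -contains 'DoSvc')
        Peers     = ($grp.Group | Where-Object State -eq 'Established' |
                     Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
        Listening = [bool]($grp.Group | Where-Object State -eq 'Listen')
    }
}
$report | Format-Table -AutoSize

# 3. Decision: port 7680 activity owned by an svchost.exe hosting DoSvc is the
#    Delivery Optimization peer feature; anything else on this port needs a closer look.
$unexpected = $report | Where-Object { -not $_.IsDoSvc }
if ($unexpected) {
    Write-Warning "Port $Port is used by a process that does not host DoSvc:"
    $unexpected | Format-List
}

# 4. Current peering policy. DODownloadMode 0 = HTTP only (no peers);
#    1, 2 and 3 allow LAN, group and Internet peers respectively.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
$policy  = Get-ItemProperty -Path $polPath -Name DODownloadMode -ErrorAction SilentlyContinue
"DODownloadMode policy: " + $(if ($policy) { $policy.DODownloadMode } else { '<not set, defaults apply>' })

# To turn peering off by policy (the same effect the post achieved through Settings):
# New-Item -Path $polPath -Force | Out-Null
# Set-ItemProperty -Path $polPath -Name DODownloadMode -Value 0 -Type DWord
```

Hosts whose 7680 traffic is owned by DoSvc can be whitelisted in the network analysis platform; a non-DoSvc owner of that port is the case worth escalating.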