Anatomy of Native IIS Malware

Presented at Black Hat USA 2021, Aug. 4, 2021, 1:30 p.m. (40 minutes)

Internet Information Services (IIS) is Microsoft's web server software for Windows, built on an extensible, modular architecture. Threat actors have long misused this extensibility to intercept or modify network traffic: IIS malware targeting payment information on e-commerce sites was first reported in 2013.

Fast-forward to 2021, and IIS backdoors are being deployed via the recent Microsoft Exchange pre-authentication RCE vulnerability chain, with government institutions among the targets. Because Exchange serves OWA through IIS, Exchange email servers are particularly interesting targets for IIS malware.

IIS malware should be in the threat model, especially for servers with no security products, yet no comprehensive guide has been published on its detection, analysis, mitigation and remediation.

In this session, we fill that gap by systematically documenting the current landscape of IIS malware, focusing on native IIS modules (implemented as C++ libraries). Based on our analysis of 14 malware families – 10 of them newly reported – we break down the anatomy of native IIS malware, extract its common features and document real-world cases, supported by our full-internet scan for compromised servers.

We walk through the essentials of reverse-engineering native IIS malware: dissecting its architecture, module classes, the RegisterModule entry point, request-processing pipeline hooks and malicious event handlers. We discuss parsing and processing HTTP requests, modifying responses and clearing logs.

We don't focus on any single threat actor, malware family or campaign, but rather on the whole class of IIS threats, ranging from traffic redirectors to backdoors. We cover curious schemes to boost third-party SEO by misusing compromised servers, and IIS proxies that turn the servers into part of the C&C infrastructure.

We finish with a live demo showcasing interactions between a compromised server and the attacker, and practical steps that defenders can take – using IIS server tools – to identify and remediate a successful compromise.
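The abstract's closing point, identifying compromise with IIS server tools, starts from one fact about native modules: every one of them is registered under system.webServer/globalModules in applicationHost.config, and IIS loads each listed image DLL into the w3wp.exe worker process. The following PowerShell is an added triage example written for this page; it is not code from the talk or from ESET. It assumes a Windows IIS host with the default configuration path, an elevated 64-bit PowerShell session, and the hypothetical function name Get-NativeIisModule; the "inside inetsrv" heuristic and the signature check are triage hints, not proof either way.

```powershell
# Added example (not from the talk): enumerate native IIS modules and flag ones worth a closer look.
# Native modules live under system.webServer/globalModules; each 'image' attribute is a DLL
# that w3wp.exe loads for every request. Assumes the default applicationHost.config location.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

function Get-NativeIisModule {
    param([string]$Path = $configPath)   # hypothetical helper name, chosen for this example

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $nodes = $cfg.SelectNodes('/configuration/system.webServer/globalModules/add')
    $inetsrvGlob = Join-Path $env:windir 'System32\inetsrv\*'

    foreach ($n in $nodes) {
        # Images are usually written as %windir%\System32\inetsrv\foo.dll; expand before testing.
        $image  = [Environment]::ExpandEnvironmentVariables($n.GetAttribute('image'))
        $exists = Test-Path -LiteralPath $image
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }

        # Triage heuristics (assumptions, not rules): a module DLL that is missing, unsigned,
        # or sitting outside the inetsrv directory deserves manual review. Legitimate third-party
        # modules can live elsewhere, and a trojanized DLL can sit inside inetsrv, so this only
        # orders the list; it does not decide.
        $suspicious = (-not $exists) -or
                      ($image -notlike $inetsrvGlob) -or
                      ($null -ne $sig -and $sig.Status -ne 'Valid')

        [pscustomobject]@{
            Name            = $n.GetAttribute('name')
            Image           = $image
            Exists          = $exists
            SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Suspicious      = $suspicious
        }
    }
}

# Show the most suspicious entries first.
Get-NativeIisModule | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Managed (.NET) modules are registered separately under system.webServer/modules with a type attribute and are not covered here. Before removing a flagged module, copy the DLL off the host for analysis; the abstract notes that this class of malware clears logs, so the binary may be the only artifact left. Unregistering is then done with the IIS tooling the talk refers to, for example appcmd.exe uninstall module with the module name, followed by a worker-process restart.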

Presenters:

  • Zuzana Hromcová - Malware Researcher, ESET
    Zuzana Hromcová is a Malware Researcher at ESET, specializing in targeted threats. She holds a master's degree in computer science, with a focus on cybersecurity, from Comenius University in Bratislava. Hromcová previously presented her research at security conferences such as BlueHat IL and Virus Bulletin.
