The Unheard Story of IIS Malware - The Malware That Gives Attackers Complete Control Over Compromised Servers

Have you ever heard of IIS malware? It’s not a common term that most people are familiar with, but it is not new. Cybercriminals have been exploiting the IIS web server software for Windows since 2013. Now, IIS backdoors are being deployed via the recent Microsoft Exchange pre-authentication Remote Code Execution (RCE) vulnerability chain.
To find out more, CSA spoke with Zuzana Hromcova, Malware Researcher at ESET, about the IIS malware and how it should be included in the threat model, especially since IIS backdoors are being deployed with government institutions as targets.
But First, What is IIS Malware?
IIS stands for Internet Information Services. It is a Microsoft Windows web server software with an extensible, modular architecture that, since v7.0, supports two types of extensions – native (C++ DLL) and managed (.NET assembly) modules.
According to Zuzana, IIS threats are written and implemented as extensions for the Windows web server software – which means that this malware can see any data being processed by the server. As a result, threat actors have an advantage in this situation because they can access any communication flowing through the server.

“This means that they can read all the incoming HTTP requests and affect what kind of HTTP response is served. These two so-called “superpowers”, where they can read and affect that communication, means that they can perform all kinds of activities such as stealing credit card information that flows through e-commerce websites through these transactions,” said Zuzana.
Using HTTPS to transmit this kind of data is standard practice, and SSL helps protect it in transit; however, once the data is on the server, it is processed in an unencrypted state.
Whether your company does e-commerce or other types of business, Zuzana pointed out that these websites don't always have control over the server where these services are hosted. As a result, if the server is compromised, your customers' data is at risk.
With more people online now, understanding this malware has become important for protecting organisations worldwide. In the video below, Zuzana explains the implications of an IIS malware attack on businesses and why organisations need to be aware of such a threat.

IIS Malware - A Growing Security Concern
Now, how does IIS malware stack up against other malware? Technically, it is the same as any other malware. There should be no problem if a company has a security solution integrated into its system to detect malware. However, the problem is that not every IIS server has a security solution installed.
“A lot of web server administrators, in general, don’t use any security solutions and that’s a real issue because that helps the attackers to stay undercover for a longer period of time,” explained Zuzana.
To solve this issue, businesses must not overlook the security of their servers. It is just as vital as endpoint security, which companies generally spend far more resources on. Zuzana explained that once a server is infected with IIS malware, identifying and remediating the compromise is a lengthy process. To prevent the worst, she shared several practical steps:

  • For IIS server administration, use dedicated accounts with strong, unique passwords. Multifactor Authentication (MFA) should be required for these accounts. Also, keep an eye on how these accounts are being used.

  • To reduce the risk of server exploitation, patch your OS on a regular basis and carefully consider which services are exposed to the internet.

  • Consider using a web application firewall and/or endpoint security solution on your IIS server.

  • Native IIS modules have unrestricted access to all server worker process resources; you should only install native IIS modules from trusted sources to avoid downloading trojanised versions. Be wary of modules that promise too-good-to-be-true benefits, such as magically improving SEO.

  • Check the IIS server configuration on a regular basis to ensure that all native modules installed are legitimate (signed by a trusted provider, or installed on purpose).
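
The last check above can be scripted. The following is an added example, not code from ESET or from this article: it reads the `<globalModules>` section of `applicationHost.config`, where IIS registers native modules, and reports entries that are missing from a recorded baseline, whose image path has changed, or whose DLL sits outside the default `%windir%\System32\inetsrv` directory. The sample configuration, the baseline, the `SeoBoostModule` entry and the `C:\Windows` value for `%windir%` are constructed assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Constructed sample of the <globalModules> section of applicationHost.config.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="SeoBoostModule" image="C:\inetpub\temp\seoboost.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Constructed baseline: module name -> image path recorded at build time.
BASELINE = {
    "HttpLoggingModule": r"%windir%\System32\inetsrv\loghttp.dll",
    "StaticFileModule": r"%windir%\System32\inetsrv\static.dll",
}

ENV = {"windir": r"C:\Windows"}  # assumed value, so the check runs offline
DEFAULT_DIR = r"%windir%\System32\inetsrv"


def expand(path, env=ENV):
    """Expand %var% references, then normalise case and separators."""
    resolved = re.sub(
        r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path
    )
    return ntpath.normcase(ntpath.normpath(resolved))


def audit_global_modules(config_xml, baseline):
    """Return (module, reason) findings for native modules that need review."""
    findings = []
    root = ET.fromstring(config_xml)
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name, image = add.get("name"), expand(add.get("image", ""))
            if name not in baseline:
                findings.append((name, "not in baseline"))
            elif expand(baseline[name]) != image:
                findings.append((name, "image path changed"))
            if ntpath.dirname(image) != expand(DEFAULT_DIR):
                findings.append((name, "image outside default inetsrv directory"))
    return findings
```

A finding is a prompt to verify the module's signature and origin on the server itself; this script compares registrations only and does not inspect the DLL files.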

For those who are interested, Zuzana also shared an ESET whitepaper that provides a comprehensive guide to help defenders detect, dissect and mitigate this class of server-side threats.
ESET’s Role in Combatting IIS Malware
Public reports and guidelines on this malware have been lacking, and that is the gap ESET set out to fill.
ESET has conducted research and analysed over 80 unique malicious IIS modules. Throughout the research, they have categorised them into 14 malware families and found 10 of them to have never been scrutinised or documented.

Hence, ESET's first approach was to document these threats and publish a comprehensive guide on IIS malware for those who want to learn about the malware families in depth. They also share useful resources with the community, such as YARA rules and Indicators of Compromise (IoCs), to raise awareness about the malware.
“On the technical side, which maybe you were also wondering, will ESET’s security solutions detect all of these threats? If you use ESET’s security solution, then these threats can be detected by running Win32/BadIIS.F and Win64/BadIIS.U [programming codes]. So definitely all our customers are defended against this threat,” Zuzana concludes.
