December 23, 2024

Malware Dons Disguise as Microsoft IIS Module

Posted on December 13, 2013 by in Security

Researchers for Trustwave’s SpiderLabs have turned the flood lights on malware disguised as a module for Microsoft’s Internet Information Services (IIS) software.

According to Trustwave, the malware is manually installed by attackers after they have compromised a web server. Known as ISN, the malware is used by attackers to target sensitive information in POST requests, and has data exfiltration capabilities in its arsenal, blogged Trustwave’s Josh Grunzweig.

“Encryption is circumvented as the malware extracts this data from IIS itself,” he blogged. “This was seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance.”

The installer has four embedded DLLs that are dropped depending on the victim, the researcher continued. Specifically, there are IIS modules for IIS 32-bit; IIS 64-bit; IIS 7+ 32-bit and IIS7+ 64-bit. The malware also has a VBS file embedded as a PE resource that is used to install or remove the DLLs as an IIS module.

“Once the module is successfully installed, it will monitor the URIs specified in the configuration file and dump any POST requests encountered to the ‘[filename].log’ file,” according to Grunzweig. “The module will also monitor the QUERY_STRING parameter, and can accept a number of commands. I’ve setup a simple IIS instance to demonstrate how this process takes place.”

“Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances,” Grunzwieg noted. “However, the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

Microsoft Disrupts ZeroAccess Botnet

Posted on December 9, 2013 by in Security

Late last week, Microsoft announced it had struck a blow against the ZeroAccess botnet in a joint operation with law enforcement and technology company A10 Networks.

But while the effort may have started a ten-count, some say the botnet was far from knocked out.

The takedown operation disrupted a botnet that is held responsible for infecting more than two million computers by targeting search results on Google, Bing and Yahoo search engines and costing online advertisers $ 2.7 million a month. The botnet hijacks people’s search engine results and redirects them to sites they had not intended to go to in order to commit click fraud. ZeroAccess relies on a peer-to-peer infrastructure that allows cybercriminals to control it remotely through tens of thousands of different computers.

ZeroAccess Botnet TakedownTo combat the situation, Microsoft recently filed a civil suit against the people behind the botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit fraud. In addition, Microsoft took control of 49 domains associated with ZeroAccess, while A10 Networks provided Microsoft with advanced technology to support the disruptive action.

However, Microsoft’s work comes up short. In a joint blog post, Yacin Nadji, a Ph.D. Candidate at Georgia Institute of Technology, and Damballa Chief Scientist Manos Antonakakis noted that any meaningful action against ZeroAccess must disrupt its peer-to-peer (P2P) communications channel.

“Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations,” they noted. “This extensive legal work can be undone in a matter of hours.”

According to a report, the operators did push out a configuration file to infected systems to bring the click fraud network back online, but the within a few hours the servers were back offline.

Fears about click fraud led to the Interactive Advertising Bureau (IAB) recently issuing a set of best practices designed to help publishers, networks and buyers reduce the risk of fraud on the Internet.

“The companies that participate in the digital advertising supply chain have been struggling with how to handle criminal enterprises intent on gaming the system,” said Steve Sullivan, vice president of advertising technology for IAB, in a statement. “These fraudsters are diluting the value of all legitimate inventory while simultaneously diminishing the integrity of the entire digital marketing industry. The introduction of these best practices is a first step in reducing the marketplace repercussions of these illegal activities.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed