In context: Starting with the good old NT 3.51 launched in 1995, Windows has always included an extensible web server called Internet Information Services (IIS). Although not active by default, it can open the OS to external attacks like one recently discovered by Symantec.

Backdoor.Frebniis, or simply Frebniis, is a stealthy new malware discovered by Symantec researchers that leverages a vulnerability in IIS to place a backdoor into Windows web servers. Unknown cyber-criminals have actively exploited targets in Taiwan. To infect a system, hackers first need access to an IIS server. Symantec analysts have yet to learn how the attackers gained initial access.

However, the inner workings of the malware are unique. Frebniis abuses a feature called Failed Request Event Buffering (FREB), which IIS uses to collect data and details about requests, including the originating IP address and port, HTTP headers with cookies, and so on. The collected data can later help admins troubleshoot failed requests, finding the reasons for specific HTTP status codes. Another feature, Failed Request Tracing (FRT), lets admins determine why a connection request takes longer to process than it should.

Frebniis first ensures that the FRT feature is enabled and then accesses the IIS server process memory before finally hijacking the FREB code with the malicious iisfreb.dll module. The malware takes the place of the original FREB file, so Frebniis can stealthily receive and inspect every HTTP request reaching the IIS server.

If a specific HTTP POST request is received, Frebniis decrypts and executes the backdoor's .NET code injected into the FREB memory. Once active in memory, the backdoor can receive remote commands and even execute malicious code.

Remote execution is achieved by decoding any received Base64-encoded string, which the backdoor assumes is executable C# code, and running it directly in memory. This way, Frebniis avoids saving any data as an actual file on disk, operating in a very stealthy manner.
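An added defender-side check, not code from the article or from Symantec: it audits the two conditions the technique above depends on, Failed Request Tracing being enabled and the FREB module (iisfreb.dll) being loaded into IIS worker processes. It assumes the WebAdministration module on an IIS host, an elevated session, and an optional known-good SHA-256 of iisfreb.dll supplied by the caller (the BaselineSha256 parameter is this example's own).

```powershell
# Audit script (added example, not the article's or Symantec's own tooling).
# Assumptions: IIS with the WebAdministration module, run as Administrator,
# PowerShell bitness matching w3wp.exe so process modules can be enumerated.
param([string]$BaselineSha256 = "")  # known-good hash of iisfreb.dll, if you have one

Import-Module WebAdministration -ErrorAction Stop
$expected = Join-Path $env:windir "System32\inetsrv\iisfreb.dll"

# 1. Which sites have Failed Request Tracing enabled? Frebniis checks for this
#    first, so FRT enabled on a site you never configured it for is worth a look.
Write-Host "== Failed Request Tracing per site =="
foreach ($site in Get-Website) {
    $frtEnabled = [bool]$site.traceFailedRequestsLogging.enabled
    "{0,-30} FRT enabled: {1}" -f $site.Name, $frtEnabled
}

# 2. Is iisfreb.dll loaded into any worker process, and from the expected path?
#    A copy loaded from anywhere else, or with a bad signature, is suspicious.
Write-Host "== iisfreb.dll inside w3wp.exe worker processes =="
foreach ($proc in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq "iisfreb.dll" }
    foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        "PID {0}: {1}  signature={2} expectedPath={3}" -f `
            $proc.Id, $m.FileName, $sig.Status, ($m.FileName -ieq $expected)
    }
}

# 3. Integrity of the on-disk FREB module. This only catches replacement of the
#    file; code injected into the already-loaded module lives in memory and
#    needs memory inspection, which this script does not do.
Write-Host "== On-disk iisfreb.dll =="
if (Test-Path $expected) {
    $sig  = Get-AuthenticodeSignature -FilePath $expected
    $hash = (Get-FileHash -Algorithm SHA256 -Path $expected).Hash
    "status={0} signer={1}" -f $sig.Status, $sig.SignerCertificate.Subject
    "sha256={0}" -f $hash
    if ($BaselineSha256 -and ($hash -ne $BaselineSha256)) {
        Write-Warning "iisfreb.dll hash differs from the supplied baseline"
    }
} else {
    Write-Warning "iisfreb.dll not found at $expected"
}
```

Compare the on-disk hash against a copy from a trusted install of the same Windows build rather than against a value found online, since the legitimate file differs between builds.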

Symantec notes that Frebniis is a relatively unique HTTP-based backdoor rarely seen in the wild. Two file hashes identify the malware for detection. The company advises keeping the latest virus and malware definitions in the Symantec (or any other) security suite to block Frebniis.
