
In context: Beginning with the previous NT 3.51 launch in 1995, Windows has included an extensible Web server referred to as Internet Information Services (IIS). Although not energetic by default, it could actually expose the working system to exterior assaults, corresponding to one lately found by Symantec.
Backdoor.Frebniis, or just Frebniis, is a stealthy new malware found by Symantec researchers that exploits a vulnerability in IIS to put a backdoor in Windows net servers. Unknown cybercriminals actively exploit Taiwan targets. To infect a system, hackers first want entry to an IIS server. Symantec analysts haven’t but recognized how the attackers gained preliminary entry.
However, the internal workings of this malware are distinctive. Frebniis abused a function referred to as Failed Request Event Buffering (FREB), which IIS makes use of to assemble information and particulars about requests, together with origin IP deal with and port, HTTP headers with cookies, and extra. The collected information can later assist directors troubleshoot failed requests and uncover the reason for particular HTTP standing codes. Another function, Failed Request Tracking (FRT), permits directors to find out why connection requests are taking longer to course of than they need to.
Frebniis first ensures that the FRT function is enabled, then accesses the IIS server course of reminiscence, and eventually makes use of the malicious iisfreb.dll module to hijack the FREB code. The malware replaces the unique FREB file in order that Frebniis can “covertly” obtain and examine each HTTP request from the IIS server.
If a particular HTTP POST request is acquired, Frebniis decrypts and executes the unique .NET code of the backdoor injected into FREB reminiscence. Once energetic in reminiscence, the backdoor can obtain distant instructions and even execute malicious code.
Remote execution is achieved by decoding any acquired Base64-encoded string because the backdoor assumes it’s executable C# code to run straight in reminiscence. In this fashion, Frebniis avoids saving any information as precise information on disk, working in full stealth.
Symantec famous that Frebniis is a comparatively distinctive HTTP-based backdoor that’s hardly ever seen within the wild. The malware has two hashes that flag it for detection. The firm recommends utilizing the most recent virus and malware definitions in your Symantec (or another) safety suite to dam Frebniis.