- Jul 27, 2015
Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS).
IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains. IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.
Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate web requests, it provides a stealthy way to further burrow into the compromised network. The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server. “By hijacking and modifying IIS web server code, Frebniis is able to intercept the regular flow of HTTP request handling and look for specially formatted HTTP requests,” Symantec researchers wrote. “These requests allow remote code execution and proxying to internal systems in a stealthy manner. No files or suspicious processes will be running on the system, making Frebniis a relatively unique and rare type of HTTP backdoor seen in the wild.”
Before Frebniis can work, an attacker must first hack the Windows system running the IIS server. Symantec researchers have yet to determine how Frebniis does this.
Researchers unearth Windows backdoor that’s unusually stealthy
Frebniis abuses Microsoft IIS to smuggle malicious commands in web traffic.