ESET researchers have discovered and analyzed a new server-side Trojan. The Trojan hijacks the reputation of compromised websites and manipulates search engine results. The Trojan was named IISerpent because it was implemented as a malicious extension of an Internet Information Services (IIS) Web server and used a dubious technique to manipulate search engine results pages (SERPs). I did. IISerpent operators use a variety of search engine optimization (SEO) techniques to get higher search rankings on third-party website pages. The third party that controls these websites may be paying this criminal organization.
IISerpent is implemented and configured as a malicious extension to IIS, Microsoft's web server software. As a result, the malware can not only intercept all HTTP requests to websites hosted by compromised servers, but can also modify the server's HTTP response. In the blogs I've serialized so far, I've talked about IIS malware families that steal credit card information from customers on e-commerce sites, and IIS malware families such as IISpy that execute backdoor commands on compromised IIS servers.
Unlike these IIS malware families, IISerpent has no direct impact on infected servers or server users. In fact, the malware completely ignores all requests from legitimate users of compromised websites. IISerpent intercepts and parses all HTTP requests sent to the compromised server and searches only for requests originating from a particular search engine crawler. As shown in Figure 1, II Serpent relays these requests to the C & C server (or using a local configuration) to modify the content provided to these crawlers.
Figure 1. How II Serpent works
What is the purpose of this mechanism? Search engines regularly crawl the Internet, index (records) all content on the net, build relationships between search words and content, and use various algorithms to rank search results for specific search words. Is calculated.
There are many legitimate ways to get your page ranked higher on search engine results pages, such as buying ads or embracing search engine optimization (SEO) strategies. , Not all digital marketers adhere to the rules. Unethical SEO (formerly known as Black Hat SEO) is SEO that loads pages with unrelated keywords or buys backlinks to improve your website's reputation. Refers to boost techniques, but these techniques violate webmaster guidelines.
The IISerpent attack pattern employs these unethical SEO techniques. It can be described as "SEO fraud as a service" because it runs SEO fraud techniques on the compromised IIS server for the benefit of a third party without the consent of the webmaster. IISerpent operators use the following techniques to parasitize the rankings of compromised websites using this malware and improve the page search rankings of third-party websites.
In the example scenario shown in Figure 2, an attacker uses IISerpent to compromise a large number of IIS servers and use the malware's capabilities to inbound links to all websites hosted by these servers. Insert. Websites 1 to N are highly rated and legitimate sites. From the perspective of search engine crawlers, all of these websites link to the website of the attacker's choice (in this case, a fraudulent site). As a result, this fraudulent site links to highly rated websites, which can make it appear popular and increase your page's search ranking.
Figure 2. Example of how SEO fraud works
Note that legitimate users who access a compromised server will be served the requested content, and users and webmasters may not be aware that there is a problem with the server. This is what makes IISerpent different from other malware families that artificially insert backlinks into compromised sites. By acting as a server extension, IISerpent can provide search engine crawlers with modified information without interfering with the content provided to regular users (as it is visible to all users). This is in contrast to malware that adds malicious backlinks to permanently fix compromised websites).
Of course, websites hosted and abused on compromised IIS servers will not benefit from this scheme at all. On the contrary, deceiving search engine crawlers by displaying websites that are different from what normal users see is a violation of webmaster guidelines, and these websites are penalized by search engines and SEO. It is also possible that your statistics will drop.
IISerpent is a native module of IIS, implemented as a C ++ DLL, and consists of the% windir% system32 \ inetsrv \ config \ ApplicationHost.config file. This allows IISerpent to become resident and execute commands. All IIS modules are loaded by the IIS worker process (w3wp.exe) and used to process incoming HTTP requests.
It is unclear how the IISerpent malware operator first breaks into the IIS server, but since it requires administrator privileges to configure it as a native module of IIS, it is possible to narrow down the possible scenarios. increase. It may be due to a weakness or vulnerability in the configuration of the web application or server.
Like any other IIS native module, IISerpent exports a function called RegisterModule (see Figure 3). This function initializes the module. The malicious core functionality is hidden in the event handler, which is a method of the module class (inherited from CHttpModule) that is called in a particular server event. Specifically, the IISerpent code class overrides the OnBeginRequest and OnSendResponse methods, which ensures that the IIS server starts processing a new HTTP request and sends a response buffer. The handler for this malware will be called.
Figure 3. DLL export with II Serpent
IISerpent analyzes incoming requests and uses complex configuration data to manipulate the content provided to search engine crawlers. Details are given in Table 1, but this configuration includes fields such as redirect URLs and a list of backlinks to insert. An attacker can view or update the malware configuration by specifying? DisplayModuleConfig = 1 or? ReloadModuleConfig = 1 as query parameters in the request URI when sending an HTTP request to the compromised IIS server.
When IISerpent receives an update request, it sends an HTTP GET request to this URL to get the configuration from the C & C server. The value at http://sb.qrfy[.]net/mconfig/.xml was taken from the attacker's original request and is probably used as the victim's ID. The libcurl library is used for network communication.
Configuration field | comment |
---|---|
banip | A list of IP addresses. The malware ignores HTTP requests for IP addresses in this list. |
redirectreferer | Binary flag --Set when processing requests that contain the string spider, bot, baidu.com/ in the Referer header. |
onlymobilespider | Binary flag --Set to handle only crawler requests that contain the string Android or Apple WebKit in the Referer header. |
redirect | If these values are set, redirect all crawler requests to the configured URL via an HTTP 301 response. |
redirecturl | |
proxy | If these values are set, it forwards the search engine crawler's request to the C & C server and replaces the crawler with the retrieved data instead of redirecting it directly to a malicious URL. |
proxyurl | |
proxymode | |
folderlink | If these values are set, add all of these values as backlinks to the response of HTTP requests that contain the string spider or bot in the User-Agent header. |
folderlinkcount | |
folderlinkpath | |
proxyfolder | |
locallink | |
locallinkext | |
locallinkfolder | |
locallinkcount |
Table 1. Configuration fields used by II Serpent
IISerpent parses the User-Agent header to find a specific substring, as shown in Figure 4, and recognizes the search engine crawler's request. If the redirecturl field is configured, the malware sets the Location header in the HTTP response to redirect all requests that contain the string spider or bot in the User-Agent header to this URL. The HTTP status is set to 301 (“Moved Permanently”).
Figure 4. IISerpent parses the User-Agent header to recognize search engine crawler requests.
When proxymode is set, II Serpent will forward the crawler's request to the C & C server's proxyurl and replace the HTTP response body with the retrieved data, rather than redirecting the crawler to a malicious URL. This applies to all HTTP requests that contain spiders, bots and baidu.com/ in the Referer header. It may also apply to requests that contain the string Android or Apple WebKit in the Referer header. In addition, this malware can be configured as follows:
Finally, IISerpent can have a preconfigured list of links, and you can add these links to the HTTP response body of search engine crawler requests. These links are added as HTML entities to the existing HTTP response body.
IISerpent is not the only malicious IIS module with SEO fraud capabilities. Six of the 14 malware families analyzed by ESET, described in the white paper "Analyzing Native IIS Malware" (English only), adopted SEO fraud techniques. In these malware families, SEO scam features are often bundled with other malicious features, such as backdoor support and providing malicious content to legitimate users of your website. ..
IISerpent was first detected in May 2021, but SEO scams go back to the first attack in 2019 when Secpulse published an incident report in Chinese about new malware affecting IIS servers. I was able to track it. The features of IISerpent malware analysis and SEO scams are described in the Group 9 category of the ESET white paper.
ESET has analyzed various SEO fraudulent malware families. The unethical SEO techniques used by these SEO fraudulent malware are also diverse and target different search engine crawlers. Specify in clear text (Group 12 of the white paper, see Figure 5), specify as an encrypted list (Group 9), query the DNS TXT record of the C & C server's host name and retrieve it on the fly (group 12). Group 11) There is a method. All of these families are detected as Win32 / BadIIS by ESET security solutions.
Figure 5. An example of a string used by IIS malware to identify a search engine crawler request.
For more information on these IIS malware families, please refer to the ESET white paper.
IISerpent is an unusually targeted and purposeful malicious IIS module designed to assist operations in order to improve the search ranking of third-party websites. It does not affect legitimate users who access the compromised server, but it should be noted that search results may be manipulated and monetized.
IISerpent does more than just hijack the reputation of compromised websites. Websites that are subject to unethical SEO measures can be penalized by search engine algorithms, which is a problem that digital marketers cannot afford to leave. The best way to prevent the risk of IISerpent (and other IIS malware) is to keep your IIS server up to date and be careful not to download IIS extensions from untrusted sources. Pay particular attention to modules that make improbable promises, such as magically improving search results. For even better protection, consider using a web application firewall or IIS server security solution.
See ESET's white paper and GitHub for other risk mitigations and breach indicators.
This blog series will feature a range of threats detected by ESET researchers on IIS web servers. This is the final episode of the series. In the first and second installments, we described IIS malware being used in cybercrime and cyber espionage activities. For more information on how to detect, analyze, and remove IIS malware, see the detailed white paper Analyzing Native IIS Malware. The white paper also details II Serpent (Group 13).
ESET detection name
Win32 / BadIIS.H
SHA-1
D0F274EBD2A0636FEF9D9C48A7AC2FAD7B661653
file name
stati.dll
Traces of network breach
URL query parameters? DisplayModuleConfig = 1? ReloadModuleConfig = 1
C & C server
http://sb.qrfy [.] net
Note: This table was created using version 9 of the MITER ATT & CK framework.
Method | ID | name | explanation |
---|---|---|---|
Resource development | T1587.001 | Capability development malware | IISerpent is a uniquely created malware family. |
execution | T1569.002 | System service: Execution of service | With the extension IISerpent, the IIS server resides as a Windows service. |
Resident | T1546 | Execution by event trigger | IISerpent is loaded by the IIS worker process (w3wp.exe) when the IIS server receives an HTTP request. |
C & C (command & control) | T1071.001 | Application Layer Protocol: Web Protocol | The attacker sends an HTTP request with special query parameters to the compromised IIS server to manage IISerpent. |
Impact | T1565.002 | Manipulating data: Manipulating transmitted data | IISerpent modifies the content provided by the compromised server to search engine crawlers. |
Navigation Lists
Summary of attack SEO scam Technical analysis Other malware to note Conclusion Traces of security breaches (IoC) MITER's ATT & CK methodCategory
Related Articles
Hot Articles
Tags