HomeTECHNOLOGYStealthy malware that opens a backdoor into Windows web servers discovered

Stealthy malware that opens a backdoor into Windows web servers discovered


Related stories

Explore 101Desires.com for the Pinnacle of Technical Updates

Unlock the full potential of Google Workspace with 101Desires.com...

TrendzGuruji.me Cyber: Empowering Your Digital Fortress for Unbeatable Cyber Resilience in 2024

TrendzGuruji.me Cyber is a fast-growing platform that's changing the...

Terry Lee Flenory Age, Life, and Other Interesting Facts (2023)

Detroit, Michigan native Terry Lee Flenory is a successful...

The SWGoH Web Store: Your Path to Galactic Domination (Updated 2023)

Star Wars: Galaxy of Heroes, also known as SWGoH,...

Emma Argues with Principal Figgins: A Clash of Wills

Introduction Emma had always been a diligent student, dedicated to...


In context: Starting with the good old NT 3.51 released in 1995, Windows has always included an extensible web server called Internet Information Services (IIS). Although not active by default, it can open the OS to external attacks like one recently discovered by Symantec.

Backdoor.Frebniis, or simply Frebniis, is a stealthy new malware discovered by Symantec researchers that leverages a vulnerability in IIS to put a backdoor into Windows web servers. Unknown cyber-criminals have actively exploited targets in Taiwan. To infect a system, hackers first need access to an IIS server. Symantec analysts have yet to find out how the attackers gained initial access.

However, the inner workings of the malware are unique. Frebniis abuses a feature known as Failed Request Event Buffering (FREB), which IIS uses to collect data and details about requests, including the originating IP address and port, HTTP headers with cookies, etc. The collected data can later help admins troubleshoot failed requests, discovering the reasons for specific HTTP status codes. Another feature, Failed Request Tracing (FRT), allows admins to determine why a connection request takes longer to process than it should.

Frebniis first ensures that the FRT feature is enabled and then accesses the IIS server process memory before finally hijacking the FREB code with the malicious iisfreb.dll module. The malware takes the place of the original FREB file, so Frebniis can “stealthy” receive and inspect every HTTP request from the IIS server.

If a special HTTP POST request is received, Frebniis decrypts and executes the backdoor’s original .NET code injected into the FREB memory. Once active in memory, the backdoor can receive remote commands or even execute malicious code.

Remote execution is achieved by interpreting any received string encoded in Base64, which the backdoor assumes is executable C# code, to run straight in memory. This way, Frebniis avoids saving any data as an actual file on disk, working in a completely stealthy manner.

Symantec notes that Frebniis is a relatively unique HTTP-based backdoor rarely seen in the wild. The malware has two hashes that earmark it for detection. The company advises having the latest virus and malware definitions in the Symantec (or any other) protection suite to block Frebniis.


Source link


- Never miss a story with notifications

- Gain full access to our premium content

- Browse free from up to 5 devices at once

Latest stories