Stealthy malware that opens a backdoor into Windows web servers discovered


In context: Starting with the good old NT 3.51 released in 1995, Windows has always included an extensible web server called Internet Information Services (IIS). Although not active by default, it can open the OS to external attacks like one recently discovered by Symantec.

Backdoor.Frebniis, or simply Frebniis, is a stealthy new malware discovered by Symantec researchers that leverages a vulnerability in IIS to put a backdoor into Windows web servers. Unknown cyber-criminals have actively exploited targets in Taiwan. To infect a system, hackers first need access to an IIS server. Symantec analysts have yet to find out how the attackers gained initial access.

However, the inner workings of the malware are unique. Frebniis abuses a feature known as Failed Request Event Buffering (FREB), which IIS uses to collect data and details about requests, including the originating IP address and port, HTTP headers with cookies, etc. The collected data can later help admins troubleshoot failed requests, discovering the reasons for specific HTTP status codes. Another feature, Failed Request Tracing (FRT), allows admins to determine why a connection request takes longer to process than it should.

Frebniis first ensures that the FRT feature is enabled and then accesses the IIS server process memory before finally hijacking the FREB code with the malicious iisfreb.dll module. The malware takes the place of the original FREB file, so Frebniis can “stealthily” receive and inspect every HTTP request from the IIS server.

If a special HTTP POST request is received, Frebniis decrypts and executes the backdoor’s original .NET code injected into the FREB memory. Once active in memory, the backdoor can receive remote commands or even execute malicious code.

Remote execution is achieved by interpreting any received string encoded in Base64, which the backdoor assumes is executable C# code, to run straight in memory. This way, Frebniis avoids saving any data as an actual file on disk, working in a completely stealthy manner.

Symantec notes that Frebniis is a relatively unique HTTP-based backdoor rarely seen in the wild. The malware has two hashes that earmark it for detection. The company advises having the latest virus and malware definitions in the Symantec (or any other) protection suite to block Frebniis.
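Because Frebniis first makes sure Failed Request Tracing is enabled, a site with FRT switched on that nobody approved is worth a closer look. The following is an added example, not code from Symantec or the original article: it reads a copy of IIS's applicationHost.config, resolves the siteDefaults inheritance, and lists sites with FRT enabled outside an approved set. The sample configuration, site names and the approved list are constructed for illustration, and FRT being enabled is only a review signal since it is a legitimate admin feature.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an applicationHost.config fragment (not from a real server).
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <traceFailedRequestsLogging enabled="false" />
      </siteDefaults>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="true" />
      </site>
      <site name="intranet" id="2" />
      <site name="api" id="3">
        <traceFailedRequestsLogging enabled="true" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>"""


def _enabled(element, default):
    """Read the FRT 'enabled' flag of a <site> or <siteDefaults> element."""
    node = element.find("traceFailedRequestsLogging") if element is not None else None
    if node is None or node.get("enabled") is None:
        return default  # nothing set here: fall back to the inherited value
    return node.get("enabled").strip().lower() == "true"


def frt_status(config_xml):
    """Map each site name to its effective Failed Request Tracing state."""
    root = ET.fromstring(config_xml)
    sites = root.find("system.applicationHost/sites")
    if sites is None:
        return {}
    # Sites without their own setting inherit from <siteDefaults> (schema default: off).
    inherited = _enabled(sites.find("siteDefaults"), False)
    return {s.get("name"): _enabled(s, inherited) for s in sites.findall("site")}


def unexpected_frt(config_xml, approved):
    """Sites with FRT enabled that are not in the approved (hypothetical) baseline."""
    status = frt_status(config_xml)
    return sorted(name for name, on in status.items() if on and name not in approved)


if __name__ == "__main__":
    # Assumption: only "Default Web Site" has FRT enabled on purpose.
    for site in unexpected_frt(SAMPLE_CONFIG, {"Default Web Site"}):
        print(f"review: Failed Request Tracing enabled on '{site}'")
```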

Rebecka Pingree
