Internet Information Services (IIS) is Microsoft web server software for Windows with an extensible, modular architecture. It is not unknown for threat actors to misuse this extensibility to intercept or modify network traffic – the first known case of IIS malware targeting payment information from e-commerce sites was reported in 2013.

Fast-forward to March 2021, and IIS backdoors are being deployed via the recent Microsoft Exchange pre-authentication RCE vulnerability chain, with government institutions among the targets. As they implement OWA via IIS, Exchange email servers are particularly interesting targets for IIS malware.

IIS malware should be in the threat model, especially for servers with no security products. Despite this, no comprehensive guide has been published on the topic of its detection, analysis, mitigation and remediation.

In this presentation, we fill that gap by systematically documenting the current landscape of IIS malware, focusing on native IIS modules (implemented as C++ libraries). Based on our analysis of 14 malware families – 10 of them newly reported – we break down the anatomy of native IIS malware, extract its common features and document real-world cases, supported by our full-internet scan for compromised servers.

We walk the audience through the essentials of reverse-engineering native IIS malware: dissecting its architecture, module classes, RegisterModule entry point, request-processing pipeline hooks and malicious event handlers. We discuss parsing and processing HTTP requests, modifying responses and clearing logs.

We don't focus on any single threat actor, malware family or campaign, but rather on the whole class of IIS threats – ranging from traffic redirectors to backdoors. We cover curious schemes to boost third-party SEO by misusing compromised servers, and IIS proxies turning the servers into a part of C&C infrastructure.

Finally, we will share some hands-on knowledge on how best to kick-start an analysis, test out the malware’s functionalities, and search for more breeds of native IIS malware.

Got a question about this presentation? During the live broadcast post your question in the #q-and-a channel on Discord or, to get in touch with the speaker later, find Zuzana on Discord under the nickname Zuzana (ESET) or contact her on Twitter at @zuzana_hromcova.