Stealthy malware that opens a backdoor into Windows web servers discovered

In context: Beginning with the now ancient NT 3.51 released in 1995, Windows has always included an extensible web server called Internet Information Services (IIS). Although not active by default, it can open the OS to external attacks like one recently discovered by Symantec.

Backdoor.Frebniis, or simply Frebniis, is a stealthy new malware discovered by Symantec researchers that leverages a vulnerability in IIS to place a backdoor into Windows web servers. Unknown cyber-criminals have actively exploited targets in Taiwan. To infect a system, the attackers first need access to an IIS server; Symantec analysts have yet to determine how they gained that initial access.

Nevertheless, the inner workings of the malware are unusual. Frebniis abuses a feature called Failed Request Event Buffering (FREB), which IIS uses to collect data and details about requests, including the originating IP address and port, HTTP headers with cookies, and so on. The collected data can later help admins troubleshoot failed requests by finding the reasons for specific HTTP status codes. Another feature, Failed Request Tracing (FRT), allows admins to determine why a connection request takes longer to process than it should.

Frebniis first ensures that the FRT feature is enabled, then accesses the memory of the IIS server process before finally hijacking the FREB code with the malicious iisfreb.dll module. The malware takes the place of the original FREB file, so Frebniis can stealthily receive and inspect every HTTP request reaching the IIS server.

If a specific HTTP POST request is received, Frebniis decrypts and executes the backdoor's own .NET code, which it has injected into the FREB memory. Once active in memory, the backdoor can receive remote commands and even execute malicious code.

Remote execution is achieved by decoding any received Base64-encoded string, which the backdoor assumes is executable C# code, and running it directly in memory. This way, Frebniis avoids saving anything as an actual file on disk, operating in a completely stealthy manner.

Symantec notes that Frebniis is a relatively unusual HTTP-based backdoor, rarely seen in the wild. The malware has two hashes that earmark it for detection. The company advises keeping the latest virus and malware definitions in the Symantec (or any other) security suite up to date in order to block Frebniis.
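The two conditions the article describes, FRT being enabled and the FREB module (iisfreb.dll) loaded by the IIS worker process, give a defender something concrete to audit on a server. The following PowerShell is an added example written for this page, not code from Symantec or from the article; it assumes the IIS management tools (WebAdministration module) are installed, that the legitimate iisfreb.dll lives under %windir%\System32\inetsrv, and that the script runs elevated so the worker process module list can be read.

```powershell
# Added example (not from the article or Symantec): audit an IIS host for the
# two conditions Frebniis relies on. Assumptions: WebAdministration module is
# present, legitimate iisfreb.dll is in %windir%\System32\inetsrv, and the
# script runs with administrative rights (needed to enumerate w3wp modules).
Import-Module WebAdministration -ErrorAction Stop

$inetsrv  = Join-Path $env:windir 'System32\inetsrv'
$expected = Join-Path $inetsrv 'iisfreb.dll'

# 1. Which sites have Failed Request Tracing logging switched on? FRT is only
#    useful while troubleshooting; it should be off on an idle production site.
Write-Host '== Failed Request Tracing status per site =='
Get-ChildItem 'IIS:\Sites' | ForEach-Object {
    $filter = "system.applicationHost/sites/site[@name='$($_.Name)']/traceFailedRequestsLogging"
    $enabled = (Get-WebConfigurationProperty -Filter $filter -Name enabled).Value
    [pscustomobject]@{ Site = $_.Name; FrtEnabled = $enabled }
} | Format-Table -AutoSize

# 2. Is the on-disk FREB module still the signed Microsoft binary?
Write-Host '== On-disk iisfreb.dll =='
if (Test-Path $expected) {
    $sig = Get-AuthenticodeSignature -FilePath $expected
    [pscustomobject]@{
        Path   = $expected
        Sha256 = (Get-FileHash -Algorithm SHA256 -Path $expected).Hash
        Status = $sig.Status            # expect 'Valid'
        Signer = $sig.SignerCertificate.Subject
    } | Format-List
} else {
    Write-Warning "Expected module not found at $expected"
}

# 3. Which iisfreb.dll does each IIS worker process actually have loaded, and
#    is it the expected file? A module loaded from any other path is suspicious.
Write-Host '== iisfreb.dll loaded by w3wp.exe =='
Get-Process -Name w3wp -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules | Where-Object { $_.ModuleName -ieq 'iisfreb.dll' } | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Pid            = $proc.Id
            LoadedFrom     = $_.FileName
            InExpectedPath = ($_.FileName -ieq $expected)
            Signature      = $sig.Status
        }
    }
} | Format-Table -AutoSize
```

A valid signature on the file in the expected path does not rule out the in-memory injection the article describes, so treat these checks as triage: an enabled FRT on a site nobody is troubleshooting, or an unexpected module path, is the cue to capture w3wp.exe memory and compare against the hashes Symantec published.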
