Canon Marketing Japan Co., Ltd. ESET SPECIAL SITE, Cyber Security Information Bureau: IISerpent, a Trojan that manipulates search engine optimization (SEO) to promote third-party websites

ESET researchers have discovered and analyzed a new server-side Trojan that hijacks the reputation of compromised websites to manipulate search engine results. The Trojan is implemented as a malicious extension of the Internet Information Services (IIS) web server and is named IISerpent for two reasons: it is an IIS module, and it uses questionable techniques to manipulate search engine result pages (SERPs). IISerpent operators use a variety of search engine optimization (SEO) techniques to make the pages of third-party websites appear higher in search rankings. The third parties that maintain these websites may be paying this criminal group for the service.

Attack Overview

IISerpent is implemented and configured as a malicious extension to IIS, Microsoft's web server software. As such, the malware can not only intercept all HTTP requests to websites hosted by the compromised server but can also modify the server's HTTP responses. In previous blogs, we discussed other IIS malware families: IIStealer, which steals credit card information from e-commerce customers, and IISpy, which executes backdoor commands on compromised IIS servers.

Unlike these IIS malware families, IISerpent does not directly affect infected servers or their users. In fact, the malware completely ignores all requests from legitimate users of compromised websites. IISerpent intercepts and parses all HTTP requests sent to the compromised server, looking only for requests originating from specific search engine crawlers. As shown in Figure 1, IISerpent either relays these requests to its C&C server or uses its local configuration to alter the content served to these crawlers.

Figure 1. How IISerpent works

SEO Fraud

What is the purpose of this scheme? Search engines regularly crawl the Internet, build an index (a record) of the content they find, establish the relevance between search terms and content, and use various algorithms to calculate the ranking of search results for a given search term.

There are many legitimate ways to improve a page's visibility on search engine results pages, including buying ads and implementing search engine optimization (SEO) strategies, but not all digital marketers follow the rules. Unethical SEO (formerly known as black hat SEO) refers to techniques that boost a website's reputation by loading pages with irrelevant keywords or buying backlinks; these techniques violate webmaster guidelines.

IISerpent's attack pattern employs these unethical SEO techniques. It can be described as an "SEO fraud as a service" scheme, because it applies SEO fraud techniques on compromised IIS servers for the benefit of third parties, without the webmaster's consent. IISerpent operators use the following techniques to piggyback on the rankings of websites compromised with this malware and boost the page ranking of third-party websites.

In the example scenario shown in Figure 2, an attacker has used IISerpent to compromise a number of IIS servers and used the malware's capabilities to insert backlinks into all websites hosted by those servers. Websites 1 to N are legitimate sites with high rankings. From the perspective of search engine crawlers, these websites all link to a website of the attacker's choosing, in this case a fraudulent site. Because the fraudulent site is linked from highly ranked websites, it appears popular, which can raise its search ranking.

Figure 2. An example of how an SEO scam works

Note that legitimate users accessing a compromised server are served the content they requested, so neither users nor webmasters may notice that anything is wrong with the server. This is what distinguishes IISerpent from other malware families that inject artificial backlinks into compromised sites: by acting as a server extension, IISerpent can serve modified content to search engine crawlers without interfering with the content served to regular users. This contrasts with malware that permanently modifies compromised websites by adding illegitimate backlinks that are visible to all users.

Of course, a website hosted on a compromised IIS server does not benefit from this scheme at all. On the contrary, showing search engine crawlers a page that differs from the one shown to normal users violates webmaster guidelines, so these websites may be penalized by search engines and their search rankings may drop.
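Because the modified content is served only to crawlers, a site owner sees nothing wrong in a browser. The following self-check, an added example that is not from the original post, fetches the same URL with a browser User-Agent and a crawler-like one and reports status and link differences; the responses in fake_fetch are constructed, and the live http_fetch deliberately does not follow redirects.

```python
"""Webmaster self-check for crawler cloaking (added example, not ESET's code).
IISerpent alters content only for crawlers, so the site looks clean in a
browser; fetching the same URL with two User-Agents exposes the difference.
Responses in fake_fetch are constructed."""
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, Set, Tuple

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/90.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1)"  # "bot": a substring IISerpent matches

class LinkCollector(HTMLParser):
    """Collect href values of <a> elements."""
    def __init__(self) -> None:
        super().__init__()
        self.hrefs: Set[str] = set()
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.hrefs.add(href)

def extract_links(html: str) -> Set[str]:
    collector = LinkCollector()
    collector.feed(html)
    return collector.hrefs

def http_fetch(url: str, user_agent: str) -> Tuple[int, str]:
    """Real fetch; redirects are not followed so a crawler-only 301 stays visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses still carry a body
        return err.code, err.read().decode("utf-8", "replace")

def cloaking_report(url: str, fetch: Callable[[str, str], Tuple[int, str]] = http_fetch) -> Dict:
    """Compare what a browser and a crawler receive for the same URL."""
    b_status, b_body = fetch(url, BROWSER_UA)
    c_status, c_body = fetch(url, CRAWLER_UA)
    return {"status": (b_status, c_status),
            "crawler_only_links": sorted(extract_links(c_body) - extract_links(b_body))}

def fake_fetch(url: str, user_agent: str) -> Tuple[int, str]:
    """Constructed stand-in for a server that adds a backlink for crawlers only."""
    extra = '<a href="http://example.invalid/buy">buy</a>' if "bot" in user_agent.lower() else ""
    return 200, '<html><body><a href="/about">About</a>%s</body></html>' % extra
```

Run cloaking_report against your own site with the default http_fetch; a differing status pair or any crawler-only link warrants a look at the server's installed modules.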

Technical Analysis

IISerpent is a native IIS module, implemented as a C++ DLL and registered in the %windir%\system32\inetsrv\config\ApplicationHost.config file, which ensures that the malware persists and is executed. All IIS modules are loaded by the IIS worker process (w3wp.exe) and used to handle incoming HTTP requests.

It is unclear how IISerpent's operators initially compromise IIS servers, but the need for administrator privileges to configure a native IIS module narrows down the possible scenarios. A weak or vulnerable web application or server configuration is one likely cause.

Like other IIS native modules, IISerpent exports a function called RegisterModule (see Figure 3), which initializes the module. The malicious core functionality is hidden in event handlers, methods of a module class (inherited from CHttpModule) that are called on specific server events. Specifically, IISerpent's module class overrides the OnBeginRequest and OnSendResponse methods, so that the malware's handlers are called when the IIS server begins processing a new HTTP request it has received and when it sends a response buffer.

Figure 3. DLL exports of IISerpent

IISerpent parses incoming requests and uses elaborate configuration data to manipulate the content served to search engine crawlers. Detailed in Table 1, this configuration includes fields such as the redirect URL and the list of backlinks to insert. An attacker can view or update the malware configuration by appending ?DisplayModuleConfig=1 or ?ReloadModuleConfig=1, respectively, to the request URI of an HTTP request sent to the compromised IIS server.

When IISerpent receives an update request, it sends an HTTP GET request to http://sb.qrfy[.]net/mconfig/.xml to retrieve the configuration from the C&C server. The value embedded in this URL is taken from the attacker's original request and is presumably used as a victim identifier. The libcurl library is used for network communication.

Configuration field | Comments
banip | List of IP addresses. The malware ignores HTTP requests from IP addresses on this list.
redirectreferer | Binary flag. When set, the malware also handles requests whose Referer header contains the string spider, bot, or baidu.com/.
onlymobilespider | Binary flag. When set, the malware only processes crawler requests whose Referer header contains the string Android or AppleWebKit.
redirect, redirecturl | When these values are set, all crawler requests are redirected to the configured URL via an HTTP 301 response.
proxy, proxyurl, proxymode | When these values are set, search engine crawler requests are forwarded to the C&C server and the HTTP response is replaced with the retrieved data, instead of redirecting the crawler directly to the malicious URL.
folderlink, folderlinkcount, folderlinkpath, proxyfolder, locallink, locallinkext, locallinkfolder, locallinkcount | If these values are set, all of them are added as backlinks to the response of any HTTP request whose User-Agent header contains the string spider or bot.

Table 1. Configuration fields used by IISerpent

IISerpent recognizes search engine crawler requests by parsing the User-Agent header and looking for specific substrings, as shown in Figure 4. If the redirecturl field is configured, the malware sets the Location header in the HTTP response and redirects all requests whose User-Agent header contains the string spider or bot to this URL. The HTTP status is set to 301 ("Moved Permanently").

Figure 4. IISerpent parses the User-Agent header to recognize search engine crawler requests
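Both behaviours described above leave traces in the server's own W3C logs: the management query parameters are recorded in cs-uri-query, and the crawler-only 301 shows up as a status that differs by User-Agent for the same URL. The script below is an added example (not ESET's or the malware's code) that hunts for both; the log lines are constructed, and the second check is a heuristic that needs analyst review.

```python
"""Hunt for IISerpent-style activity in IIS W3C logs.
Added example, not ESET's or the malware's code. Flags (1) requests carrying
DisplayModuleConfig=1 / ReloadModuleConfig=1 and (2) URL stems answered 301 to
a crawler User-Agent (containing "spider" or "bot") but 200 to others. The
log lines are constructed; check (2) is a heuristic."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

CONFIG_PARAMS = ("DisplayModuleConfig=1", "ReloadModuleConfig=1")
CRAWLER_RE = re.compile(r"spider|bot", re.IGNORECASE)  # same substrings IISerpent matches

SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) cs(Referer) sc-status
2021-05-10 08:00:01 10.0.0.5 GET /products/ - 443 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0)+Chrome/90.0 - 200
2021-05-10 08:00:09 10.0.0.5 GET /products/ - 443 198.51.100.23 Mozilla/5.0+(compatible;+Googlebot/2.1) - 301
2021-05-10 08:01:15 10.0.0.5 GET /index.html DisplayModuleConfig=1 443 192.0.2.44 curl/7.76.1 - 200
2021-05-10 08:01:30 10.0.0.5 GET /index.html ReloadModuleConfig=1 443 192.0.2.44 curl/7.76.1 - 200
2021-05-10 08:02:00 10.0.0.5 GET /about/ - 443 198.51.100.23 Mozilla/5.0+(compatible;+Baiduspider/2.0) - 200
"""

def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text using its #Fields: directive (IIS encodes spaces as '+')."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def find_config_requests(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Requests that try to display or reload the module configuration."""
    return [(r["c-ip"], r["cs-uri-query"]) for r in records
            if any(p in r.get("cs-uri-query", "") for p in CONFIG_PARAMS)]

def find_crawler_cloaking(records: List[Dict[str, str]]) -> List[str]:
    """URL stems that got 301 for crawler User-Agents but 200 for everyone else."""
    statuses = defaultdict(lambda: {"crawler": set(), "other": set()})
    for r in records:
        kind = "crawler" if CRAWLER_RE.search(r.get("cs(User-Agent)", "")) else "other"
        statuses[r["cs-uri-stem"]][kind].add(r["sc-status"])
    return sorted(stem for stem, s in statuses.items()
                  if "301" in s["crawler"] and "200" in s["other"])

if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("config access:", find_config_requests(recs))
    print("cloaked stems:", find_crawler_cloaking(recs))
```

Note that requests from IP addresses on the banip list are ignored by the malware but still logged by IIS, so the log view is more complete than what the module itself acts on.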

When proxymode is set, instead of redirecting the crawler to a malicious URL, IISerpent forwards the crawler's request to the C&C server's proxyurl and replaces the HTTP response body with the retrieved data. This applies to all HTTP requests with spider, bot, or baidu.com/ in the Referer header, and can be limited to requests whose Referer header contains the string Android or AppleWebKit. The malware also supports one further configuration option.

Finally, IISerpent can carry a preconfigured list of links and append them to the HTTP response body of search engine crawler requests. These links are inserted as HTML elements into the existing response body.

Other Malware to Note

IISerpent is not the only malicious IIS module capable of SEO fraud. Six of the 14 malware families analyzed by ESET and described in the white paper Analyzing Native IIS Malware (English only) employ SEO fraud techniques. These malware families often bundle their SEO fraud functionality with other malicious functionality, such as backdoor support or serving malicious content to legitimate users of the website.

IISerpent was first detected in May 2021, but SEO fraud by IIS malware can be traced back to 2019, when Secpulse published an incident report in Chinese on a new malware affecting IIS servers. The analysis of the malware and its SEO fraud features is covered under Group 9 in the ESET whitepaper.

At ESET, we have analyzed various SEO fraud malware families. The unethical SEO techniques they use are equally diverse, and they target different search engine crawlers. The crawler lists are specified in different ways: in plaintext (group 12 in the whitepaper, see Figure 5), as an encrypted list (group 9), or retrieved on the fly by querying the DNS TXT record of the C&C server's hostname (group 11). All these families are detected as Win32/BadIIS by ESET's security solutions.

Figure 5. Example string used by IIS malware to identify search engine crawler requests

For more information on these IIS malware families, see ESET's whitepaper.

Conclusion

IISerpent is a malicious IIS module with an unusual target and purpose: it is designed to boost the search rankings of third-party websites. Legitimate users accessing the compromised server are not affected, but search results may be manipulated and monetized, so caution is required.

IISerpent does not just hijack the reputation of compromised websites. Websites subjected to unethical SEO techniques can be penalized by search engine algorithms, a problem that digital marketers cannot afford to ignore. The best way to reduce the risk of IISerpent (and other IIS malware) is to keep your IIS server up to date and to avoid installing IIS extensions from untrusted sources. In particular, be wary of modules that promise to magically improve search results. For additional protection, consider using a web application firewall or a security solution for your IIS server.

See ESET's whitepaper and GitHub for additional risk mitigations and indicators of compromise.

This blog series features a series of threats detected by ESET researchers on IIS web servers. This is the final installment of the series. In Part 1 and Part 2, we discussed IIS malware that is being abused for cybercrime and cyberespionage. For more information on how to detect, analyze, and remove IIS malware, please refer to our in-depth white paper, Analyzing Native IIS Malware (English only). The whitepaper also details IISerpent (group 13).

Indicators of Compromise (IoC)

ESET Detection Name

Win32/BadIIS.H

SHA-1

D0F274EBD2A0636FEF9D9C48A7AC2FAD7B661653

File name

stati.dll

Indicators of network compromise

URL query parameters: ?DisplayModuleConfig=1, ?ReloadModuleConfig=1

C&C server

http://sb.qrfy[.]net

MITRE ATT&CK techniques

Note: This table was created using version 9 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1587.001 | Develop Capabilities: Malware | IISerpent is a custom-built malware family.
Execution | T1569.002 | System Services: Service Execution | IISerpent is an extension of the IIS server, which runs as a Windows service.
Persistence | T1546 | Event Triggered Execution | IISerpent is loaded by the IIS worker process (w3wp.exe) when a
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | To manage IISerpent, the attacker sends HTTP requests with special query parameters to the compromised IIS server.
Impact | T1565.002 | Data Manipulation: Transmitted Data Manipulation | IISerpent alters the content served to search engine crawlers from compromised servers.