Black Hat

Getting to know IIS malware

IIS malware was first identified in 2013, but was most recently a component of the Hafnium Exchange campaign. ("Server room" by torkildr is licensed with CC BY-SA 2.0. To view a copy of this license, visit

IIS malware is not new. The first discoveries of malware targeting Microsoft's Internet Information Services web server date back to 2013, and the most explosive instance of IIS malware came this year, with the Hafnium Microsoft Exchange attacks. Until now, though, there has not been a systematic study of IIS malware. Zuzana Hromcová, a malware researcher with ESET, is looking to remedy that with her Black Hat talk on Wednesday and a corresponding white paper, also released Wednesday, outlining the internals of an old but still emerging threat.

"If you're a reverse engineer, and you see this kind of malware, then you will have a hard time finding resources at the moment on how to start to understand where to find that malicious functionality," said Hromcová, in an interview prior to the white paper's release.

The malware potential of IIS dates back to the days of Microsoft Vista, when Microsoft introduced the modular, extensible IIS 7.0. Making the server easier to customize had a lot of advantages for customers, but it also created an extremely effective vector for hackers.

The 73-page white paper covers a lot of ground: technical details of how modules operate, case studies, and an analysis of 14 different malware families, 10 of which had not previously been reported.

Hromcová said IIS makes for a good target because it gives an attacker the ability to observe traffic passing through the server and to tamper with requests. Its uses range from reading email, to acting as a proxy that anonymizes other attacks, to stealing credit card information.

"It's actually very diverse. We have seen malware used for cybercrime, for cyber espionage, and for cyber fraud," she said.

Hromcová thinks IIS malware should be a concern not only for malware researchers but also for e-commerce websites and network defenders. The former, she said, might protect customers by using payment gateways, putting the onus of defense on a payment processor, and by using HTTPS wherever possible. The latter could make sure that only users with administrative rights are able to install modules, and that all installed modules are properly signed.
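One way for a defender to act on that last recommendation is to inventory the native modules IIS has registered and check each one's Authenticode signature. The script below is an added example and is not code from the article, from ESET, or from the white paper; it assumes a default IIS installation path (`%windir%\System32\inetsrv\config\applicationHost.config`) and an elevated PowerShell session on the IIS host, and it treats any module that is unsigned, tampered with, missing on disk, or signed by someone other than Microsoft as worth a closer look.

```powershell
# Added example (not from the article or ESET's white paper): enumerate the
# native IIS modules registered in applicationHost.config and report which
# ones do not carry a valid signature from a trusted publisher.
# Assumption: default IIS install path; run from an elevated prompt on the host.

$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -Path $configPath -Raw

# Native modules live under <system.webServer><globalModules><add name image/>
$results = foreach ($module in $config.configuration.'system.webServer'.globalModules.add) {
    # Image paths are stored with environment variables, e.g. %windir%\System32\inetsrv\...
    $image = [Environment]::ExpandEnvironmentVariables($module.image)

    if (Test-Path -LiteralPath $image) {
        $sig    = Get-AuthenticodeSignature -FilePath $image
        $status = [string]$sig.Status        # Valid, NotSigned, HashMismatch, ...
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    } else {
        # A registered module whose DLL is gone is itself unusual and worth noting
        $status = 'FileMissing'
        $signer = ''
    }

    [pscustomobject]@{
        Name      = $module.name
        Image     = $image
        Signature = $status
        Signer    = $signer
        # Triage flag: anything unsigned, altered, missing, or not shipped by Microsoft
        Suspect   = ($status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

# Print the full inventory, suspect entries first
$results | Sort-Object Suspect -Descending | Format-Table Name, Signature, Signer, Image -AutoSize

# Emit one warning per module that needs review
$results | Where-Object Suspect | ForEach-Object {
    Write-Warning "Review module '$($_.Name)' at $($_.Image) (signature: $($_.Signature))"
}
```

The `Suspect` flag is a triage hint rather than a verdict: legitimately installed third-party modules will be signed by their vendor and show up here, and on older hosts catalog-signed Microsoft DLLs may report `NotSigned`, so compare the list against a known-good baseline from a clean install. The script covers only native (global) modules; managed modules registered under `<modules>` with a `type` attribute are loaded from the .NET assembly cache and need a separate check.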
