Data-stealing malware pretends to be Microsoft IIS server module

Most antivirus products aren't detecting the malware, called "INS"

Trustwave's SpiderLabs researchers have found a piece of malware that collects data entered into Web-based forms, pretending to be a module for Microsoft's Internet Information Services (IIS) web-hosting software.

The malware, which is dubbed "ISN," hasn't been widely seen, but its characteristics are interesting, wrote Josh Grunzweig, a Trustwave malware researcher, on a company blog.

ISN is a malicious DLL (dynamic link library), which is installed as a module for IIS, Grunzweig wrote. ISN's installer contains four versions of the DLL, one of which is served up depending on whether a victim uses the 32- or 64-bit version of IIS6 or IIS7+.

"This module is of particular concern as it is currently undetectable by almost all anti-virus products," Grunzweig wrote.

If ISN's installer is detected, it's usually through "general heuristic detection," Grunzweig wrote, which means security software is looking at aspects of it that are suspicious and flagging it, such as if it is sending data to another server.

"I'm using this post as a way of notifying anti-virus vendors so that specific detections for this malware may be written," he wrote, adding that he thinks the malware is "pretty neat."

ISN collects data from POST requests, Grunzweig wrote. The stolen information is lifted from within IIS itself, which circumvents encryption, and then sent elsewhere. The malicious module can be configured to monitor information from specific URIs (uniform resource identifier), he wrote.

The malware has so far been "seen targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance," he wrote.

"Overall, this malware does not appear to be widely spread and has only been seen in a few forensic case instances," Grunzweig wrote. "However, the extremely low detection rate in collaboration with the malware's targeted functionality makes this a very real threat."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags trustwavesecurityExploits / vulnerabilitiesmalware

More about MicrosoftTrustwave

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts