Stealthy malware discovered opening a backdoor into Windows web servers

In context: Starting with the good old NT 3.51 released in 1995, Windows has always included an extensible web server called Internet Information Services (IIS). Although it is not active by default, it can open the operating system to external attacks such as one recently discovered by Symantec.

Backdoor.Frebniis, or simply Frebniis, is a new stealthy malware discovered by Symantec researchers that exploits a vulnerability in IIS to place a backdoor into Windows web servers. Unknown cybercriminals have been actively exploiting targets in Taiwan. To infect a system, hackers first need to access an IIS server. Symantec analysts have yet to figure out how the attackers gained initial access.

However, the malware’s inner workings are unique. Frebniis abuses a feature known as Request Failed Event Buffering (FREB), which IIS uses to collect data and details about requests, including the source IP address and port, HTTP headers with cookies, and so on. The data collected can help administrators troubleshoot failed requests. , discovering the reasons for specific HTTP status codes. Another feature, failed request tracing (FRT), allows administrators to determine why a connection request is taking longer to process than it should.

Frebniis first makes sure that the FRT feature is enabled and then accesses the IIS server process memory before finally hijacking the FREB code with the malicious iisfreb.dll module. The malware takes the place of the original FREB file, so Frebniis can “stealthily” receive and inspect every HTTP request from the IIS server.

If a special HTTP POST request is received, Frebniis decrypts and executes the original backdoor .NET code injected into FREB memory. Once active in memory, the backdoor can receive remote commands or even execute malicious code.

Remote execution is accomplished by interpreting any received Base64-encoded string, which the backdoor assumes to be executable C# code, to execute directly in memory. In this way, Frebniis avoids saving any data as a real file on disk, working completely stealthily.

Symantec notes that Frebniis is a relatively unique HTTP-based backdoor that is rarely seen in the wild. The malware has two hashes that mark it for detection. The company recommends having the latest virus and malware definitions in Symantec’s (or any other) protection suite to block Frebniis.

Disclaimer: All the content or information on this article is given for only educational purposes.


Scroll to Top