Security researchers recently had to cope with a huge number of malware attacks targeting the Internet Information Services (IIS) component. The IISerpent Trojan is the most recent malware family to be added to the list.
The malware is installed as a Microsoft IIS add-on. After that, it intercepts HTTP requests and traffic, but there's a catch. This IIS malware works differently than other IIS malware that leverages this opportunity to steal credentials and private data, such as the IISpy Backdoor. It only gets to work if it recognizes requests to specific search engines, rather than ordinary HTTP traffic. Search engines have crawlers that scour the Web for pages to index or re-index on a regular basis. It is possible for pages on the same domain to link to one another. Crawlers utilize specific algorithms to determine a page's search engine ranking.
Buying adverts or implementing search engine optimization (SEO) strategies are two valid ways to improve page ranking in search engine result pages, however not all digital marketers follow the laws. SEO-boosting practices (which, however, contravene webmaster guidelines) such as loading pages with unrelated keywords or buying backlinks to improve a website's reputation are referred to as unethical SEO (historically known as black hat SEO).
IISerpent is a native IIS module, implemented as a C++ DLL and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. IISerpent ensures both persistence and execution because all IIS modules are loaded by the IIS Worker Processes (w3wp.exe) and used to handle inbound HTTP requests.
IISerpent exports a function called RegisterModule, which provides module initialization, just like all native IIS modules. Its event handlers — methods of the module class (inherited from CHttpModule) that are called on certain server events – hide the underlying harmful functionality. IISerpent's code class alters the IIS server's OnBeginRequest and OnSendResponse methods, causing the malware's handlers to be called every time the IIS server begins processing a new inbound HTTP request and transmits the response buffer.
Because everything appears normal to the webmaster and users - all the 'magic' happens in the background – these assaults are extremely difficult to detect. Of course, a short glance at a backlink analysis or network traffic data will suggest that something is amiss.
The worst thing about the IISerpent Trojan's attack is that the websites that are attacked could lose their good SEO ranking. This is possible because search engine crawlers will quickly notice the link between the original page and the counterfeit website, which will usually result in SEO penalties.
