The SpiderLabs team at Trustwave, a security provider, reported that a malicious DLL installed as a Microsoft IIS module has been showing up online and is currently undetectable by most anti-virus tools, according to an article published on the Web Host Industry Review web site.
Josh Grunzweig of SpiderLabs advised that malicious software of this type (known as “ISN”) is “used by attackers to target sensitive information in POST requests, and it has mechanisms for unauthorized data retrieval from the affected server”, according to the article.
“ISN is able to circumvent encryption because it extracts this data from IIS itself”, the article continues.
The article states that, according to SpiderLabs, this process has been observed before and is a familiar tactic. They have seen it used on e-commerce sites to target credit card data, and they predict that it could also be used to steal login credentials or private information “sent to a compromised IIS instance”, as the article confirms. Grunzweig suggests, as quoted in the article, “No anti-virus software can detect IIS modules dropped by this malware. But ISN’s installer could potentially be detected through ‘general heuristic detection’ which looks for and flags suspicious activities such as the transfer of data to another server.”
Grunzweig adds, “the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat”, according to the article. He feels that this threat is “one for which web hosts should be prepared.”
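Since the article describes a DLL registered as an IIS module that anti-virus tools do not flag, one check a host can run is an inventory of registered native modules against a known baseline. The sketch below is an added example, not code from the article or from SpiderLabs. It assumes the module is registered in the `globalModules` section of `applicationHost.config`; the sample configuration, the `ExampleModule` entry and the baseline directory list are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed <globalModules> excerpt in the style of applicationHost.config.
# "ExampleModule" and its path are placeholders, not indicators from the article.
SAMPLE_CONFIG = r"""<configuration><system.webServer><globalModules>
  <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
  <add name="StaticFileModule" image="%SystemRoot%\system32\inetsrv\static.dll" />
  <add name="ManagedEngineV4.0_64bit"
       image="%windir%\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll" />
  <add name="ExampleModule" image="C:\ProgramData\example\placeholder.dll" />
</globalModules></system.webServer></configuration>"""

# Assumed baseline of directories native modules are expected to load from.
EXPECTED_DIRS = (
    r"%windir%\system32\inetsrv",
    r"%windir%\microsoft.net\framework",
    r"%windir%\microsoft.net\framework64",
)

def normalize(image):
    """Lower-case, unify %SystemRoot%/%windir%, and collapse '..' segments."""
    p = image.strip().strip('"').lower().replace("/", "\\")
    return ntpath.normpath(p.replace("%systemroot%", "%windir%"))

def unexpected_modules(config_xml, expected_dirs=EXPECTED_DIRS):
    """Return (name, image) for modules loading from outside the baseline."""
    findings = []
    for section in ET.fromstring(config_xml).iter("globalModules"):
        for add in section.findall("add"):
            image = add.get("image", "")
            folder = ntpath.dirname(normalize(image)) + "\\"
            if not any(folder.startswith(d + "\\") for d in expected_dirs):
                findings.append((add.get("name", ""), image))
    return findings

if __name__ == "__main__":
    for name, image in unexpected_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

A flagged entry is a prompt for review (file signature, creation time, who registered it), not proof of compromise, and a module dropped inside a baseline directory would need a comparison against a known-good module list instead.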