A malicious DLL installed as a Microsoft IIS module has been showing up online and it is currently undetectable by almost all anti-virus products, according to a report from the SpiderLabs team at security provider Trustwave.
According to SpiderLabs’ Josh Grunzweig, the malware known as “ISN” is used by attackers to target sensitive information in POST requests, and it has mechanisms for unauthorized data retrieval from the affected server. ISN is able to circumvent transport encryption because it extracts this data from inside IIS itself, where requests have already been decrypted.
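Because the malware runs as a registered IIS module, one defender-side check is to audit the `globalModules` section of `applicationHost.config` against a baseline of modules known to be present on a clean server. The following is an added example written for this article, not tooling from Trustwave or SpiderLabs; the config fragment, the baseline list and the module name `ExampleSuspectModule` with its placeholder DLL path are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config fragment (not taken from any real server).
# The last entry stands in for an unexpected module; its path is a placeholder.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ExampleSuspectModule" image="C:\\Windows\\Temp\\PLACEHOLDER_unknown.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Constructed baseline: module names recorded from a known-good IIS install.
# In practice this list is generated from a clean reference server.
BASELINE = {"HttpLoggingModule", "StaticFileModule"}

# Native IIS modules normally live under the inetsrv directory.
EXPECTED_DIR = "%windir%\\system32\\inetsrv\\"


def list_global_modules(config_xml):
    """Return (name, image) pairs for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append((entry.get("name"), entry.get("image")))
    return modules


def find_unexpected_modules(config_xml, baseline):
    """Flag modules that are not in the baseline or whose DLL is outside inetsrv."""
    flagged = []
    for name, image in list_global_modules(config_xml):
        reasons = []
        if name not in baseline:
            reasons.append("module name not in baseline")
        if not (image or "").lower().startswith(EXPECTED_DIR):
            reasons.append("image path outside inetsrv directory")
        if reasons:
            flagged.append((name, image, reasons))
    return flagged


if __name__ == "__main__":
    for name, image, reasons in find_unexpected_modules(SAMPLE_CONFIG, BASELINE):
        print(f"{name}: {image} ({'; '.join(reasons)})")
```

The name and path checks are only a first pass: a module registered under a legitimate name could still point at a replaced DLL, so a real audit should also compare file hashes or Authenticode signatures of the referenced DLLs against the baseline.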
SpiderLabs has seen this tactic used to target credit card data on e-commerce sites, but it also expects it could be used to steal logins, or any other sensitive information sent to a compromised IIS instance.
According to Grunzweig, no anti-virus software can detect IIS modules dropped by this malware. But ISN’s installer could potentially be detected through “general heuristic detection,” which looks for and flags suspicious activities such as the transfer of data to another server. Trustwave’s WebDefend and ModSecurity, for instance, are able to both block the initial point of infection for this malware and detect whether sensitive user data such as credit card numbers appear in outbound data.
While the number of instances of ISN remains very low, Grunzweig notes that “the extremely low detection rate in collaboration with the malware’s targeted functionality makes this a very real threat.” And one for which web hosts should be prepared.