Colin Mc Hugo

0 %
Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

IISerpent: Malware‑driven SEO fraud as a service

August 12, 2021

The final in our sequence on IIS threats introduces a malicious IIS extension used to control web page rankings for third-party web sites

ESET researchers have found and analyzed a beforehand undocumented server-side trojan that manipulates search engine outcomes by hijacking the fame of the web sites it compromises. We named the trojan IISerpent to focus on its two foremost options: being carried out as a malicious extension for Web Info Companies (IIS) internet server, and utilizing shady strategies to control search engine outcome pages (SERPs). IISerpent’s operators use a wide range of strategies for SEO (Web optimization), in an try to enhance web page rating for third-party web sites – seemingly the paying prospects of those criminals.

This blogpost is the final installment in our sequence the place ESET researchers put IIS internet server threats below the microscope – the earlier components focus on IIS malware used for cybercrime and cyberespionage. For a complete information on how one can detect, analyze and take away IIS malware, discuss with our white paper Anatomy of native IIS malware, the place IISerpent is featured as one of many studied households (Group 13).

Assault overview

IISerpent is carried out, and configured, as a malicious extension for IIS – Microsoft’s internet server software program. That permits the malware to intercept all HTTP requests made to the web sites hosted by the compromised server, but in addition to actively change the server’s HTTP responses. Within the earlier installments of this sequence, we mentioned how different IIS malware households leverage these powers – for instance, to steal bank card data from e-commerce web site prospects (IIStealer), or to execute backdoor instructions on the compromised IIS server (IISpy).

Opposite to these households, IISerpent immediately impacts neither the compromised server nor the server’s customers – in actual fact, this malware utterly ignores all requests coming from respectable guests of the compromised web sites. The malware listens to and parses all HTTP requests despatched to the compromised server, solely to seek for these originating from particular search engine crawlers. As proven in Determine 1, IISerpent relays these requests to its C&C server (or makes use of its native configuration) to change the content material served to those crawlers.

Figure 1. IISerpent operating mechanism

Determine 1. IISerpent working mechanism

Web optimization fraud

What’s the objective of this scheme? Engines like google repeatedly crawl the web, after which index (file) all of the content material discovered on-line, constructing associations between search phrases and the content material and utilizing numerous algorithms to calculate rankings of the outcomes for explicit search phrases.

Varied respectable strategies can be utilized to extend web page rating in search engine outcome pages – shopping for ads or using SEO (Web optimization) methods – however not all digital entrepreneurs play by the foundations. The time period unethical Web optimization (traditionally often called black hat SEO) refers to Web optimization-boosting strategies (which, nevertheless, violate webmaster guidelines), equivalent to loading pages with irrelevant key phrases, or shopping for backlinks to extend a web site’s fame.

IISerpent’s assault sample makes use of a few of these unethical Web optimization strategies, and might be finest described as “Web optimization fraud as a service” – because it employs Web optimization fraud strategies on compromised IIS servers for the advantage of a 3rd social gathering with out webmaster consent. IISerpent’s operators use this malware to spice up web page rating for third-party web sites by leeching off the compromised web site’s rating and by using the next strategies:

  • Redirecting the various search engines to the actual web site chosen by the attacker, successfully making the compromised web site a doorway page
  • Injecting an inventory of backlinks (pre-configured or obtained from the C&C server on the fly) into the HTTP response for search engine crawlers, making the servers compromised by IISerpent one thing of a link farm

In an instance situation proven in Determine 2, an adversary compromises plenty of IIS servers with IISerpent, and makes use of its capabilities to inject backlinks to all web sites hosted by these servers. Web sites 1 – N are respectable, with good reputations; from the attitude of a search engine crawler, all of them hyperlink to a third-party web site of the attacker’s selection (on this case, a rip-off web site). Consequently, the rip-off web site could appear extra common – since it’s referenced by respected web sites – which can enhance its web page rating.

Figure 2. Example of an SEO fraud mechanism

Determine 2. Instance of an Web optimization fraud mechanism

Word that the respectable guests of the compromised server will nonetheless be served the anticipated content material, so the customers and the webmaster might miss out on that one thing is incorrect with the server. This units IISerpent aside from other malware families that inject synthetic backlinks into compromised websites – by working as a server extension, IISerpent can reserve these modifications for the search engine crawlers, with out interfering with content material served to plain guests (versus completely modifying the compromised web site by including the undesired backlinks for all its guests to see).

After all, the misused web sites hosted on the compromised IIS servers don’t profit in any respect on this scheme – quite the opposite, it’s towards the webmaster tips to idiot the search engine crawlers by displaying a unique model of the web site to them than the one proven to the common guests, and so these web sites may even find yourself penalized by the various search engines, decreasing their Web optimization statistics.

Technical evaluation

Below its pores and skin, IISerpent is a local IIS module – carried out as a C++ DLL and configured within the %windirpercentsystem32inetsrvconfigApplicationHost.config file. That method, IISerpent secures each persistence and execution, as all IIS modules are loaded by the IIS Employee Processes (w3wp.exe) and used to deal with inbound HTTP requests.

We don’t have any details about how IISerpent’s operators initially penetrate IIS servers, however we all know that administrative privileges are required to configure it as a local IIS module, which reduces the variety of believable eventualities. A configuration weak spot or vulnerability in an online software or the server are seemingly culprits.

As with all native IIS modules, IISerpent exports a perform referred to as RegisterModule (see Determine 3), which implements the module initialization. The core malicious performance is hidden in its occasion handlers – strategies of the module class (inherited from CHttpModule) which can be referred to as on sure server occasions. Extra particularly, IISerpent’s code class overrides its OnBeginRequest and OnSendResponse strategies, which implies that the malware’s handlers might be referred to as each time the IIS server begins processing a brand new inbound HTTP request, and each time it sends the response buffer.

Figure 3. IISerpent’s DLL exports

Determine 3. IISerpent’s DLL exports

IISerpent parses the incoming requests and makes use of its advanced configuration knowledge to control content material served to look engine crawlers. As Desk 1 lists in full, the configuration consists of fields equivalent to a redirect URL, or an inventory of backlinks to be injected. The attackers can show or replace the malware’s configuration by sending any HTTP request to the compromised IIS server with the question parameter ?DisplayModuleConfig=1 or ?ReloadModuleConfig=1, respectively, within the request URI.

Upon receiving the replace request, IISerpent obtains the configuration from the C&C server by sending an HTTP GET request to this URL:


The worth is taken from the unique attacker request, and it’s in all probability used as a sufferer ID. The libcurl library is used for the community communication.

Desk 1. Configuration fields utilized by IISerpent

Configuration subject Remark
banip Record of IP addresses. The malware ignores HTTP requests from these IP addresses.
redirectreferer Binary flag – set if the malware ought to deal with requests with the strings spider, bot or within the Referer header.
onlymobilespider Binary flag – set if the malware ought to solely deal with crawler requests with the strings Android or AppleWebKit within the Referer header.
redirect If these values are set, the malware will redirect all crawler requests to the configured URL by way of an HTTP 301 response.
proxy If these values are set, the malware will ahead the search engine crawler requests to its C&C server, and substitute the HTTP response with the obtained knowledge, as an alternative of redirecting the crawlers to a malicious URL immediately.
folderlink If these values are set, the malware will add all of them as backlinks to the response for any HTTP request with the strings spider or bot within the Person-Agent header.

IISerpent acknowledges search engine crawler requests by parsing the Person-Agent header and in search of particular substrings, as seen in Determine 4. If the redirecturl subject is configured, the malware redirects all requests with the strings spider or bot within the Person-Agent header to this URL by setting the Location header within the HTTP response. The HTTP standing is ready to 301 (“Moved Completely”).

Figure 4. IISerpent recognizes search engine crawler requests by parsing the User-Agent header

Determine 4. IISerpent acknowledges search engine crawler requests by parsing the Person-Agent header

If proxymode is ready, as an alternative of redirecting the crawlers to a malicious URL, IISerpent forwards the crawler request to its C&C server proxyurl, and replaces the HTTP response physique with the acquired knowledge. That is utilized to all of the HTTP requests with spider, bot or within the Referer header, or optionally to requests with the strings Android or AppleWebKit within the Referer header. Moreover, the malware will be configured to:

  • Solely deal with these HTTP requests the place the IIS server has set the response standing to 404
  • Ignore requests coming from a configurable listing of banned IP addresses

Lastly, IISerpent can have an inventory of hyperlinks configured and add these hyperlinks to the HTTP response physique for any search engine crawler requests. These hyperlinks are added as HTML entities to the prevailing HTTP response physique:


Different notable serpents

IISerpent is just not the one identified malicious IIS module with Web optimization fraud capabilities – out of the 14 malware households we analyzed for our paper Anatomy of native IIS malware, six have help for Web optimization fraud strategies. In these households, the Web optimization fraud performance is usually bundled with different malicious capabilities (equivalent to backdoor help, or serving malicious content material to respectable web site guests).

Whereas we first detected IISerpent in Might 2021, we had been capable of hint the Web optimization fraud phenomenon to the primary publicly identified case in 2019, when Secpulse revealed an incident report in Chinese language on unnamed malware affecting IIS servers. The evaluation of that malware and its Web optimization fraud capabilities is featured in our white paper below the Group 9 class.

The varied Web optimization fraud households that we analyzed differ within the unethical Web optimization strategies supported, and goal a variety of search engine crawlers – specified within the clear (Group 12 within the paper, as proven in Determine 5), as an encrypted listing (Group 9), or obtained on the fly by querying DNS TXT data of the C&C server hostname (Group 11). All these households are detected by ESET safety options as Win32/BadIIS.

Figure 5. Example of strings used to recognize search engine crawler requests by IIS malware

Determine 5. Instance of strings used to acknowledge search engine crawler requests by IIS malware

For an entire breakdown of those different IIS malware households, discuss with our white paper.


IISerpent is a malicious IIS module with uncommon targets and objective, designed to help in shady practices geared toward boosting the web page rank of third-party web sites. Although it doesn’t have an effect on respectable guests of the compromised server, it nonetheless nonetheless deserves consideration for distorting search outcomes, and its potential for monetization.

On high of hijacking the fame of the compromised web sites, IISerpent could be a trigger for complications for the digital entrepreneurs, as any web site collaborating in unethical Web optimization practices will be penalized by search engine algorithms. One of the best wager to stop a compromise by IISerpent (and different IIS malware) is conserving your IIS servers updated, and being cautious to not obtain IIS extensions from untrusted sources – be particularly conscious of modules promising too-good-to-be-true options equivalent to magically bettering Web optimization. For extra safety, think about using an online software firewall, and/or a safety answer in your IIS server.

Extra mitigation suggestions and Indicators of Compromise will be present in our complete white paper, and on GitHub. For any inquiries, or to make pattern submissions associated to the topic, contact us at: [email protected].

Indicators of Compromise (IoCs)

ESET detection names






Community indicators

URL question parameters


C&C server


MITRE ATT&CK strategies

Word: This desk was constructed utilizing version 9 of the MITRE ATT&CK framework.

Tactic ID Identify Description
Useful resource Growth T1587.001 Develop Capabilities: Malware IISerpent is a custom-made malware household.
Execution T1569.002 System Companies: Service Execution IIS server (and by extension, IISerpent) persists as a Home windows service.
Persistence T1546 Occasion Triggered Execution IISerpent is loaded by the IIS Employee Course of (w3wp.exe) when the IIS server receives an inbound HTTP request.
Command and Management T1071.001 Software Layer Protocol: Net Protocols Adversaries ship HTTP requests with particular question parameters to the compromised IIS server to regulate IISerpent.
Impression T1565.002 Knowledge Manipulation: Transmitted Knowledge Manipulation IISerpent modifies content material served by the compromised server to look engine crawlers.


Posted in SecurityTags:
Write a comment