Many Stunts, One Design: A Crash Course in Dissecting Native IIS Malware

Tech 3 (801A) November 3, 2021 3:00 pm - 3:40 pm


Zuzana Hromcová

Internet Information Services (IIS) is Microsoft web server software for Windows with an extensible, modular architecture that allows developers to replace or extend core IIS functionality. This session looks at how the same extensibility is misused by malicious threat actors to intercept or modify network traffic flowing through IIS servers. These powers allow IIS malware to perform many stunts – from cybercrime to cyberespionage and curious SEO fraud schemes – and we will explain how to combat all of them through understanding the design of this server-side class of threats. We will walk the audience through the essentials of reverse-engineering native IIS malware, supported by our analysis of 80+ unique samples of 14 IIS malware families. We will share the results of our internet-wide scans, which allowed us to identify and notify victims of this malware. Finally, we will provide practical steps that defenders can take to identify and remediate a successful compromise.
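Because native IIS malware is installed as a native module, which IIS registers under `<globalModules>` in applicationHost.config, one cheap triage step for the "identify a compromise" part is to list native modules whose DLL is loaded from outside the IIS install directory. The script below is an added example, not material from the talk; the config excerpt is constructed and `ExampleModule` is a hypothetical name.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Directory stock IIS native modules are loaded from. A module registered in
# <globalModules> but loaded from elsewhere deserves a closer look.
IIS_MODULE_DIR = PureWindowsPath(r"%windir%\System32\inetsrv")

# Constructed applicationHost.config excerpt (not copied from a real server):
# two stock native modules and one hypothetical module registered from a
# directory IIS itself does not ship code in.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticCompressionModule" image="%SystemRoot%\System32\inetsrv\compstat.dll" />
      <add name="ExampleModule" image="C:\inetpub\temp\examplemod.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def native_modules(config_xml):
    """Return (name, image) for every native module registered in <globalModules>."""
    root = ET.fromstring(config_xml)
    found = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            found.append((add.get("name"), add.get("image")))
    return found


def _in_iis_dir(image):
    # %SystemRoot% expands to the same directory as %windir%, and NTFS paths
    # are case-insensitive, so normalise both before comparing the parent dir.
    image = re.sub(r"%systemroot%", "%windir%", image, flags=re.IGNORECASE)
    parent = PureWindowsPath(image).parent
    return str(parent).lower() == str(IIS_MODULE_DIR).lower()


def modules_outside_iis_dir(config_xml):
    """Native modules whose DLL does not live in %windir%\\System32\\inetsrv."""
    return [(name, image) for name, image in native_modules(config_xml)
            if not _in_iis_dir(image)]


if __name__ == "__main__":
    for name, image in modules_outside_iis_dir(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

A DLL inside inetsrv is not automatically clean, so the flagged list is a starting point; verify the Authenticode signature and hash of every native module, not just the ones outside the directory.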