
IISerpent Trojan

IISerpent Trojan is a peculiar malware threat that targets Microsoft's Internet Information Services (IIS) Web server software. The threat is injected into an IIS installation as a malicious extension (a native IIS module). Unlike other IIS malware threats, the goal of IISerpent is not to collect sensitive information (such as credit/debit card numbers) or to execute backdoor commands on the compromised systems. IISerpent's functionality is best described as SEO (Search Engine Optimization) fraud offered as a service. The threat employs unethical SEO techniques, a practice known as Black Hat SEO, to boost the rankings of third-party pages, most likely belonging to the clients paying for the hackers' services.

Technical Details

IISerpent is a native IIS module. It is implemented as a C++ DLL and registered in the %windir%\system32\inetsrv\config\ApplicationHost.config file. Registering it there ensures both its execution (IIS loads the DLL into its worker processes) and its persistence on the infected system. Once fully established, the malware intercepts all incoming HTTP requests to websites hosted on the server. However, IISerpent does not affect the compromised server or the server's users directly: it ignores requests coming from legitimate visitors completely. It is only interested in requests coming from search engine crawlers, to which it serves content different from what is actually on the page. The substituted content is fetched from either the C&C (Command-and-Control) server of the operation or a local configuration file.
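Because a native module can only run if it is registered in ApplicationHost.config, that file is the first place to look when auditing a server. The following is an added example (not code from the original page or from any vendor tool) that parses the `<globalModules>` section and flags any native module whose DLL lives outside the stock inetsrv directory. The configuration sample embedded below is constructed, and the "SuspiciousModule" entry and its path are hypothetical placeholders, not IISerpent indicators. On a real server you would point it at the actual file and, for every hit, additionally verify the DLL's Authenticode signature (for example with PowerShell's Get-AuthenticodeSignature).

```python
"""Audit <globalModules> in an IIS ApplicationHost.config for native modules
registered from outside %windir%\\System32\\inetsrv.

Added example for illustration; not part of the original page. The sample
configuration and the "SuspiciousModule" entry are constructed.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Stock native modules ship from this directory (assumes a default Windows install).
INETSRV = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Constructed excerpt of an ApplicationHost.config with one odd entry.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="SuspiciousModule" image="C:\Users\Public\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def expand_image_path(image: str) -> PureWindowsPath:
    """Expand the %windir% variable that stock entries use; other variables are left as-is."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))


def audit_global_modules(config_xml: str):
    """Return (name, image) for every native module registered outside inetsrv.

    Path comparison is case-insensitive because PureWindowsPath compares that way.
    """
    root = ET.fromstring(config_xml)
    findings = []
    # Iterate by tag rather than by XPath to avoid the dotted <system.webServer> name.
    for global_modules in root.iter("globalModules"):
        for entry in global_modules.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            if INETSRV not in expand_image_path(image).parents:
                findings.append((name, image))
    return findings


if __name__ == "__main__":
    # Usage: python audit_modules.py [path\to\ApplicationHost.config]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, image in audit_global_modules(text):
        print(f"non-stock native module: {name} -> {image}")
```

A hit is not proof of infection (third-party modules such as URL rewriters are legitimately installed elsewhere), but every module that is not a signed Microsoft binary in inetsrv should be accounted for.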

Employed SEO Techniques

Search engine crawlers are responsible for scouring the Internet and analyzing the content of the pages they find. The content scanned by these bots is run through a complex algorithm that determines each page's ranking for particular search terms. Boosting a page's rank means an increase in visibility and potential traffic.

To achieve this goal, some page operators are willing to employ shady SEO tactics. IISerpent relies on exactly such techniques to improve the rankings of third-party websites by exploiting the reputation of the websites hosted on the compromised server. More specifically, IISerpent uses two core methods:

  1. It redirects search engine crawlers to a specifically chosen website, turning the compromised site into a doorway page.
  2. It injects a list of preconfigured backlinks into the HTTP response delivered to search engine crawlers. This method effectively turns the servers compromised by the threat into link farms.
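Both techniques are a form of cloaking, and the cleanest way to spot them from the outside is to request the same page twice, once with a browser User-Agent and once with a crawler User-Agent, and compare what comes back. The following added example (not code from the original page or from the malware) does exactly that: a crawler-only 3xx response points to a doorway redirect, and anchors present only in the crawler's copy are injected backlinks. The live `fetch()` helper needs network access; the sample responses at the bottom are constructed, and the `doorway.example` and `client.example` hosts are placeholders, not indicators of compromise.

```python
"""Cloaking check for the two IISerpent techniques: a redirect served only to
search engine crawlers, and backlinks present only in the crawler's copy.

Added example for illustration; not part of the original page. The sample
responses below are constructed and their link targets are placeholders.
"""
import urllib.error
import urllib.request
from html.parser import HTMLParser

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _LinkCollector(HTMLParser):
    """Collect every <a href> target in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx responses so the redirect itself is returned to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, user_agent):
    """Return {'status', 'headers', 'body'} for url requested with user_agent (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=15) as resp:
            return {"status": resp.getcode(),
                    "headers": {k.lower(): v for k, v in resp.headers.items()},
                    "body": resp.read().decode("utf-8", "replace")}
    except urllib.error.HTTPError as err:  # with _NoRedirect, 3xx responses land here too
        return {"status": err.code,
                "headers": {k.lower(): v for k, v in err.headers.items()},
                "body": err.read().decode("utf-8", "replace")}


def compare_responses(normal, crawler):
    """Return a list of findings; an empty list means both clients saw the same page."""
    findings = []
    crawler_redirects = 300 <= crawler["status"] < 400
    normal_redirects = 300 <= normal["status"] < 400
    if crawler_redirects and not normal_redirects:
        findings.append("crawler-only redirect to " + str(crawler["headers"].get("location")))
    injected = extract_links(crawler["body"]) - extract_links(normal["body"])
    for href in sorted(injected):
        findings.append("link served only to crawler: " + href)
    return findings


def check_url(url):
    """Live check of one URL with both User-Agents."""
    return compare_responses(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))


# Constructed sample responses standing in for fetch() results.
NORMAL_RESPONSE = {"status": 200, "headers": {},
                   "body": "<html><body><a href='/about'>About</a></body></html>"}
LINK_FARM_RESPONSE = {"status": 200, "headers": {},
                      "body": "<html><body><a href='/about'>About</a>"
                              "<a href='https://doorway.example/'>x</a>"
                              "<a href='https://client.example/'>y</a></body></html>"}
DOORWAY_RESPONSE = {"status": 302, "headers": {"location": "https://doorway.example/"},
                    "body": ""}

if __name__ == "__main__":
    for label, resp in (("link farm", LINK_FARM_RESPONSE), ("doorway", DOORWAY_RESPONSE)):
        print(label, compare_responses(NORMAL_RESPONSE, resp))
```

Run the live check against a few of your own URLs; pages that are legitimately personalized may differ slightly between the two fetches, but a redirect or a block of outbound links that only a crawler receives has no legitimate explanation on a normal site.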

Consequences of IISerpent Infection

While it is true that IISerpent's actions don't affect the legitimate visitors of the sites in any way, its presence shouldn't be taken lightly. The threat hijacks the reputation of the compromised websites and employs unethical SEO practices to trick search engine crawlers. Both activities will eventually be noticed by the search engines and can lead to the affected websites being penalized, even though they were not willing participants in the scheme. Afterward, cleaning up their reputations and removing the penalties can be a costly and extremely time-consuming process. To avoid such unpleasant outcomes, keep your IIS servers up-to-date, do not install extensions from unproven sources, and consider adding a firewall application or a security solution on the server.
