IISerpent: Malware‑pushed Web optimization fraud as a service

The final in our collection on IIS threats introduces a malicious IIS extension used to govern web page rankings for third-party web sites

ESET researchers have found and analyzed a beforehand undocumented server-side trojan that manipulates search engine outcomes by hijacking the status of the web sites it compromises. We named the trojan IISerpent to focus on its two fundamental options: being carried out as a malicious extension for Web Data Companies (IIS) internet server, and utilizing shady methods to govern search engine outcome pages (SERPs). IISerpent’s operators use quite a lot of methods for SEO (Web optimization), in an try to enhance web page rating for third-party web sites – doubtless the paying prospects of those criminals.

This blogpost is the final installment in our collection the place ESET researchers put IIS internet server threats beneath the microscope – the earlier elements talk about IIS malware used for cybercrime and cyberespionage. For a complete information on how you can detect, analyze and take away IIS malware, seek advice from our white paper Anatomy of native IIS malware, the place IISerpent is featured as one of many studied households (Group 13).

Assault overview

IISerpent is carried out, and configured, as a malicious extension for IIS – Microsoft’s internet server software program. That permits the malware to intercept all HTTP requests made to the web sites hosted by the compromised server, but in addition to actively change the server’s HTTP responses. Within the earlier installments of this collection, we mentioned how different IIS malware households leverage these powers – for instance, to steal bank card info from e-commerce web site prospects (IIStealer), or to execute backdoor instructions on the compromised IIS server (IISpy).

Opposite to these households, IISerpent instantly impacts neither the compromised server nor the server’s customers – actually, this malware fully ignores all requests coming from respectable guests of the compromised web sites. The malware listens to and parses all HTTP requests despatched to the compromised server, solely to seek for these originating from particular search engine crawlers. As proven in Determine 1, IISerpent relays these requests to its C&C server (or makes use of its native configuration) to change the content material served to those crawlers.

Determine 1. IISerpent working mechanism

Web optimization fraud

What’s the function of this scheme? Engines like google frequently crawl the web, after which index (file) all of the content material discovered on-line, constructing associations between search phrases and the content material and utilizing varied algorithms to calculate rankings of the outcomes for specific search phrases.

Varied respectable methods can be utilized to extend web page rating in search engine outcome pages – shopping for commercials or using SEO (Web optimization) methods – however not all digital entrepreneurs play by the foundations. The time period unethical Web optimization (traditionally referred to as black hat Web optimization) refers to Web optimization-boosting methods (which, nevertheless, violate webmaster tips), resembling loading pages with irrelevant key phrases, or shopping for backlinks to extend an internet site’s status.

IISerpent’s assault sample makes use of a few of these unethical Web optimization methods, and could possibly be greatest described as “Web optimization fraud as a service” – because it employs Web optimization fraud methods on compromised IIS servers for the good thing about a 3rd get together with out webmaster consent. IISerpent’s operators use this malware to spice up web page rating for third-party web sites by leeching off the compromised web site’s rating and by using the next methods:

  • Redirecting the various search engines to the actual web site chosen by the attacker, successfully making the compromised web site a doorway web page
  • Injecting an inventory of backlinks (pre-configured or obtained from the C&C server on the fly) into the HTTP response for search engine crawlers, making the servers compromised by IISerpent one thing of a hyperlink farm

In an instance situation proven in Determine 2, an adversary compromises numerous IIS servers with IISerpent, and makes use of its capabilities to inject backlinks to all web sites hosted by these servers. Web sites 1 – N are respectable, with good reputations; from the angle of a search engine crawler, all of them hyperlink to a third-party web site of the attacker’s alternative (on this case, a rip-off web site). Consequently, the rip-off web site could appear extra standard – since it’s referenced by respected web sites – which can enhance its web page rating.

Figure 2. Example of an SEO fraud mechanism

Determine 2. Instance of an Web optimization fraud mechanism

Word that the respectable guests of the compromised server will nonetheless be served the anticipated content material, so the customers and the webmaster might fail to see that one thing is fallacious with the server. This units IISerpent other than different malware households that inject synthetic backlinks into compromised websites – by working as a server extension, IISerpent can reserve these modifications for the search engine crawlers, with out interfering with content material served to straightforward guests (versus completely modifying the compromised web site by including the undesired backlinks for all its guests to see).

In fact, the misused web sites hosted on the compromised IIS servers don’t profit in any respect on this scheme – quite the opposite, it’s towards the webmaster tips to idiot the search engine crawlers by displaying a unique model of the web site to them than the one proven to the common guests, and so these web sites might even find yourself penalized by the various search engines, reducing their Web optimization statistics.

Technical evaluation

Underneath its pores and skin, IISerpent is a local IIS module – carried out as a C++ DLL and configured within the %windirpercentsystem32inetsrvconfigApplicationHost.config file. That means, IISerpent secures each persistence and execution, as all IIS modules are loaded by the IIS Employee Processes (w3wp.exe) and used to deal with inbound HTTP requests.

We don’t have any details about how IISerpent’s operators initially penetrate IIS servers, however we all know that administrative privileges are required to configure it as a local IIS module, which reduces the variety of believable situations. A configuration weak spot or vulnerability in an online software or the server are doubtless culprits.

As with all native IIS modules, IISerpent exports a operate referred to as RegisterModule (see Determine 3), which implements the module initialization. The core malicious performance is hidden in its occasion handlers – strategies of the module class (inherited from CHttpModule) which can be referred to as on sure server occasions. Extra particularly, IISerpent’s code class overrides its OnBeginRequest and OnSendResponse strategies, which implies that the malware’s handlers can be referred to as each time the IIS server begins processing a brand new inbound HTTP request, and each time it sends the response buffer.

Figure 3. IISerpent’s DLL exports

Determine 3. IISerpent’s DLL exports

IISerpent parses the incoming requests and makes use of its advanced configuration knowledge to govern content material served to go looking engine crawlers. As Desk 1 lists in full, the configuration consists of fields resembling a redirect URL, or an inventory of backlinks to be injected. The attackers can show or replace the malware’s configuration by sending any HTTP request to the compromised IIS server with the question parameter ?DisplayModuleConfig=1 or ?ReloadModuleConfig=1, respectively, within the request URI.

Upon receiving the replace request, IISerpent obtains the configuration from the C&C server by sending an HTTP GET request to this URL:


The worth <host> is taken from the unique attacker request, and it’s most likely used as a sufferer ID. The libcurl library is used for the community communication.

Desk 1. Configuration fields utilized by IISerpent

Configuration area Remark
banip Record of IP addresses. The malware ignores HTTP requests from these IP addresses.
redirectreferer Binary flag – set if the malware ought to deal with requests with the strings spider, bot or baidu.com/ within the Referer header.
onlymobilespider Binary flag – set if the malware ought to solely deal with crawler requests with the strings Android or AppleWebKit within the Referer header.
redirect If these values are set, the malware will redirect all crawler requests to the configured URL by way of an HTTP 301 response.
proxy If these values are set, the malware will ahead the search engine crawler requests to its C&C server, and substitute the HTTP response with the obtained knowledge, as a substitute of redirecting the crawlers to a malicious URL instantly.
folderlink If these values are set, the malware will add all of them as backlinks to the response for any HTTP request with the strings spider or bot within the Consumer-Agent header.

IISerpent acknowledges search engine crawler requests by parsing the Consumer-Agent header and in search of particular substrings, as seen in Determine 4. If the redirecturl area is configured, the malware redirects all requests with the strings spider or bot within the Consumer-Agent header to this URL by setting the Location header within the HTTP response. The HTTP standing is about to 301 (“Moved Completely”).

Figure 4. IISerpent recognizes search engine crawler requests by parsing the User-Agent header

Determine 4. IISerpent acknowledges search engine crawler requests by parsing the Consumer-Agent header

If proxymode is about, as a substitute of redirecting the crawlers to a malicious URL, IISerpent forwards the crawler request to its C&C server proxyurl, and replaces the HTTP response physique with the acquired knowledge. That is utilized to all of the HTTP requests with spider, bot or baidu.com/ within the Referer header, or optionally to requests with the strings Android or AppleWebKit within the Referer header. Moreover, the malware could be configured to:

  • Solely deal with these HTTP requests the place the IIS server has set the response standing to 404
  • Ignore requests coming from a configurable checklist of banned IP addresses

Lastly, IISerpent can have an inventory of hyperlinks configured and add these hyperlinks to the HTTP response physique for any search engine crawler requests. These hyperlinks are added as HTML entities to the present HTTP response physique:

<a href=’/<hyperlink><timestamp1>_<timestamp2>_<randomId>.html’></a>

Different notable serpents

IISerpent will not be the one recognized malicious IIS module with Web optimization fraud capabilities – out of the 14 malware households we analyzed for our paper Anatomy of native IIS malware, six have help for Web optimization fraud methods. In these households, the Web optimization fraud performance is commonly bundled with different malicious capabilities (resembling backdoor help, or serving malicious content material to respectable web site guests).

Whereas we first detected IISerpent in Could 2021, we had been in a position to hint the Web optimization fraud phenomenon to the primary publicly recognized case in 2019, when Secpulse revealed an incident report in Chinese language on unnamed malware affecting IIS servers. The evaluation of that malware and its Web optimization fraud capabilities is featured in our white paper beneath the Group 9 class.

The assorted Web optimization fraud households that we analyzed differ within the unethical Web optimization methods supported, and goal a variety of search engine crawlers – specified within the clear (Group 12 within the paper, as proven in Determine 5), as an encrypted checklist (Group 9), or obtained on the fly by querying DNS TXT information of the C&C server hostname (Group 11). All these households are detected by ESET safety options as Win32/BadIIS.

Figure 5. Example of strings used to recognize search engine crawler requests by IIS malware

Determine 5. Instance of strings used to acknowledge search engine crawler requests by IIS malware

For a whole breakdown of those different IIS malware households, seek advice from our white paper.


IISerpent is a malicious IIS module with uncommon targets and function, designed to assist in shady practices geared toward boosting the web page rank of third-party web sites. Despite the fact that it doesn’t have an effect on respectable guests of the compromised server, it however nonetheless deserves consideration for distorting search outcomes, and its potential for monetization.

On high of hijacking the status of the compromised web sites, IISerpent is usually a trigger for complications for the digital entrepreneurs, as any web site collaborating in unethical Web optimization practices could be penalized by search engine algorithms. The most effective wager to stop a compromise by IISerpent (and different IIS malware) is retaining your IIS servers updated, and being cautious to not obtain IIS extensions from untrusted sources – be particularly conscious of modules promising too-good-to-be-true options resembling magically enhancing Web optimization. For added safety, think about using an online software firewall, and/or a safety answer in your IIS server.

Extra mitigation suggestions and Indicators of Compromise could be present in our complete white paper, and on GitHub. For any inquiries, or to make pattern submissions associated to the topic, contact us at: [email protected].

Indicators of Compromise (IoCs)

ESET detection names






Community indicators

URL question parameters


C&C server


MITRE ATT&CK methods

Word: This desk was constructed utilizing model 9 of the MITRE ATT&CK framework.

Tactic ID Title Description
Useful resource Growth T1587.001 Develop Capabilities: Malware IISerpent is a custom-made malware household.
Execution T1569.002 System Companies: Service Execution IIS server (and by extension, IISerpent) persists as a Home windows service.
Persistence T1546 Occasion Triggered Execution IISerpent is loaded by the IIS Employee Course of (w3wp.exe) when the IIS server receives an inbound HTTP request.
Command and Management T1071.001 Utility Layer Protocol: Internet Protocols Adversaries ship HTTP requests with particular question parameters to the compromised IIS server to manage IISerpent.
Affect T1565.002 Knowledge Manipulation: Transmitted Knowledge Manipulation IISerpent modifies content material served by the compromised server to go looking engine crawlers.


Leave A Reply

Your email address will not be published.