Researchers Unearth Windows Backdoor That's Unusually Stealthy (arstechnica.com)

Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS). From a report: IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains. IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.

Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate web requests, it provides a stealthy way to further burrow into the compromised network. The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server.
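Since Frebniis depends on FREB being switched on, the first thing a defender can verify is the IIS configuration itself. The following Python audit is an added example (not from the Ars Technica article or Symantec's report): it reads an exported applicationHost.config, reports which sites have Failed Request Tracing logging enabled (honouring the siteDefaults inheritance), and checks whether the FREB tracing module is registered. The element and module names are the real IIS ones; SAMPLE_CONFIG is a constructed fragment, not a capture from a compromised host.

```python
# Audit an IIS applicationHost.config for the FREB state the article describes: the
# feature is off by default, so a site with it enabled that no administrator asked
# for deserves review. SAMPLE_CONFIG is a constructed fragment, not a real capture.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site">
        <traceFailedRequestsLogging enabled="true" directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
      </site>
      <site name="Intranet" />
      <siteDefaults><traceFailedRequestsLogging enabled="false" /></siteDefaults>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <globalModules>
      <add name="FailedRequestsTracingModule" image="%windir%\System32\inetsrv\iisfreb.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def _child(parent, tag):
    # First direct child with this tag, or None when the parent itself is missing;
    # lookups stay at one level so a nested element never masquerades as a site.
    return next((c for c in parent if c.tag == tag), None) if parent is not None else None

def _enabled(el):
    return el is not None and el.get("enabled", "").strip().lower() == "true"

def freb_enabled_sites(config_xml):
    """Map each site name to whether FREB logging is on, honouring siteDefaults."""
    sites = _child(_child(ET.fromstring(config_xml), "system.applicationHost"), "sites")
    if sites is None:
        return {}
    default = _enabled(_child(_child(sites, "siteDefaults"), "traceFailedRequestsLogging"))
    result = {}
    for site in sites.findall("site"):
        own = _child(site, "traceFailedRequestsLogging")
        # An explicit site-level enabled attribute overrides the siteDefaults value.
        explicit = own is not None and own.get("enabled") is not None
        result[site.get("name")] = _enabled(own) if explicit else default
    return result

def freb_module_loaded(config_xml):
    """True when FailedRequestsTracingModule (iisfreb.dll) is registered in globalModules."""
    mods = _child(_child(ET.fromstring(config_xml), "system.webServer"), "globalModules")
    return mods is not None and any(m.get("name") == "FailedRequestsTracingModule" for m in mods)
```

A site reported as enabled that nobody deliberately configured, on a server where the module is loaded, is the condition the malware relies on and is a reasonable starting point for an investigation.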

  • As much money & resources as Microsoft has, they should be able to build a good and secure operating system, but that is not in their best interest. They need the OS to be easily broken into by both good guys and bad guys; that way they can sell you another operating system in the future.
    • by gweihir ( 88907 )

      Well, I agree that they are not even trying to make a good product. But I think they could not if their lives depended on it. Remember their continued failure to produce their own filesystem? NTFS is still based on what they bought way back and it has wacky limitations and problems. In the same time, the Linux community has created several, all working fine.

      • Microsoft should just give up and adopt OpenZFS. It's the business.

        I am now using a manually installed Debian Bullseye (11) on ZFS with native encryption, the very latest nvidia drivers, Plasma, a recent pipewire... and sysvinit. And due to some systemd weird bullshit with bridge interfaces on the old system, and also not needing LUKS for key storage, my boot time is actually shorter than it was on Ubuntu with systemd.

      • I'd probably assert that NTFS is one of the better things Microsoft has, just because it has been hammered on for so long. It is reliable, even in disk full environments or when RAM is an issue, has compression, has file encryption (although EFS should be killed with fire in any type of enterprise setting), and works.

        I would agree that MS should license ZFS from Oracle. RAID in Windows is a very nasty, ugly thing. Either one uses the old RAID software, which don't allow things like BitLocker to work, one

  • Windows has more gaping security holes than goatse (if you're lucky enough to not know what I'm referring to, Wikipedia [wikipedia.org] has the most SFW description).

    If there's three things in life you can always count on, they're: death, taxes, and security flaws in Microsoft products.

  • In critical places? MS software is bloated, slow, unreliable, hard to use and insecure. It wastes more human hours than anything else. It still has not reached a stable state, likely because MS wants to keep things unfinished and ever-changing.

    Why are we using this crap?

    • For a variety of reasons, including e.g. these:

      - nobody ever got fired for buying from MS (at least not in the public knowledge). There is thus some sort of precedent that MS is "right".
      - the bean counters have grown up using MS's products and don't know anything else. They will therefore not approve the purchase of anything else.
      - unbelievable discounts when someone tries choosing something else. Rumour had it, many years ago, that when Munich (or was it Hamburg? Either way, both are in Germany) decide
      • by gweihir ( 88907 )

        The problem is this stuff gets more and more expensive and control is slipping. I mean I now have to tell people that there is no reliable way to secure an MS infrastructure. If this was a 2-year-old newcomer that may be acceptable, but MS has been in this game far too long.

    • Yep, Windows is the worst OS one could possibly imagine...except for all the others!

      • by gweihir ( 88907 )

        Have you used MS office recently? Their stuff is now so dysfunctional that you need hours more to get inferior results.

        • I use MS Office daily, and I have no idea what you are talking about. Can you be more specific? What kind of inferior results? Does OpenOffice / LibreOffice calculate things differently? I've also spent a lot of time on those applications, and IMO you get what you pay for. Yeah, they can do spreadsheets and docs, but they are quite clunky, and if you get any deeper than the kinds of things you do in email (think tables, drawing objects, charts & graphs, mail merge, pivot tables, multi-user shared docume

          • by gweihir ( 88907 )

            Well, where to start? Ever spell-checked headlines? Ever written a document not in English? Ever tried to get tracked changes in PowerPoint? And do not even get me started about the "ribbon". And there is a lot more. There is a massive lot of really stupid design, bad decisions, lack of insight and general incompetence in these products. I guess some people find these things right on their level though and are comfortable.

            • I'm with you on the ribbon! The rest of that stuff, I don't really care. I guess it really depends on how you want to use the software, every one has its strengths and weaknesses.

    • > Why are we using this crap?

      Momentum.

      Remember the old adage "No one got fired for buying IBM"? Today it is: "No one got fired for buying Microsoft."

      If businesses had the balls to set a date to switch to OpenOffice they could make a dent in MS's monopoly. But they won't because no one wants to go "first". MS knows this and continues to hold people's data hostage. Ditto for Adobe (although people ARE waking up to Affinity Photo as a replacement.)

      Microsoft also "ramming" Windows 10 and Windows 11 auto

      • by gweihir ( 88907 )

        True, unfortunately. The cost of this is steadily rising though. Bad infrastructure (and that is what this is essentially today) will eventually come back to be a huge cost, probably erasing and eclipsing all savings made before.

        > They want a single vendor that they can blame with the "illusion" that they will be responsible.

        Yep. Like MS was ever taken to task for all their crap. They can have an update process that _still_ does not work with any reasonable reliability. They can even do blatantly illegal stuff (GDPR in the EU with telemetry that cannot be turned off and the default is "on") and get ha

  • by muh_freeze_peach ( 9622152 ) on Friday February 17, 2023 @03:28PM (#63301911)
    Here on slashdot, nerd rage against Windows swells the waters into a frothing chaos. Yet out in the wild, all of you nerds are happy to install Windows for the right price.
    • > Yet out in the wild, all of you nerds are happy to install Windows for the right price.

      Principles are a good thing to have but they don't pay the rent.

      • If paying the rent is a current worry, which are you going to install: commercial software that not only costs money now, but will cost more in the long-term for upgrades and/or support, or FOSS software that's free (as in beer) for installation, upgrades and support? I wouldn't be a bit surprised to learn that more and more startups and small businesses are going with Linux just to save money.
        • I'm a huge fan of Linux, have a few boxes at home and am administering half a dozen at work. But your post demonstrates total ignorance of the cost of business. Providing your workers with a familiar environment that they are comfortable using without training is worth the cost of software licenses 50 times over. Plus the Windows license is baked into the cost of a new PC purchase from any major supplier, so it's not like you can avoid paying that cost anyway.

          • > But your post demonstrates total ignorance of the cost of business. Providing your workers with a
            > familiar environment that they are comfortable using without training is worth the cost of software
            > licenses 50 times over.

            I'm certain Ernie Ball of Ernie Ball Guitar Strings would have agreed with you. However, after the Business Software Alliance raided [slashdot.org] his business in 2000 and fined him for not having enough windows licenses, he switched over to linux. 10 years [google.com] later in 2010 he said "I
          • As a shareholder in MSFT: for the average user there is very little that is foreign switching between Linux and Windows. The switch to Apple is far greater, as the keyboard configuration is significantly different, but on all platforms if you want to use the internet you click on the Chrome icon.

        • > If paying the rent is a current worry, which are you going to install

          What they pay me to install.

          At home I no longer run Windows on the metal anywhere, and I only have to use it at all because of stupid protection schemes in software. Wine (or Proton) covers all my other use cases now.

  • anyone remember that?

  • by organgtool ( 966989 ) on Friday February 17, 2023 @03:49PM (#63301993)
    From what I can tell, Failed Requests Event Buffering is turned off by default. Can the Frebniis exploit enable FREB in IIS if that feature is currently disabled? I know that sounds unlikely, but researchers don't seem to be sure how the payload is delivered, so it could use a different initial attack vector. If it is possible for the exploit to enable it, would that be evident in the IIS config or can the exploit mask the status of the feature? Can FREB be enabled programmatically by a .NET application? Is there any legitimate reason this would be enabled on a production system? If FREB is enabled, what is the likelihood of breaking a hosted web app by disabling it?
    • I haven't used any version of Windows in almost 20 years, so I have to ask: is IIS part of every new installation by default, and if so, does FREB get enabled when you install Windows? And, if so, why? I'm sure Microsoft has easier, safer ways than this to snoop on your computer.
  • by Dwedit ( 232252 ) on Friday February 17, 2023 @05:02PM (#63302143) Homepage

    Um, you guys do know that this article is describing *another program* which is hooking into IIS, and not an actual remote execution vulnerability of IIS itself, right?

  • "Mere end users like you can't touch the internals of the system. Here is a happy shiny puppy to hop around your screen instead!"

    Well expect this in Windows 12.

  • by kmoser ( 1469707 ) on Saturday February 18, 2023 @01:44AM (#63302961)
    Not clear from the article whether IIS runs by default on *all* Windows installations, or only if specifically installed by the user. Back in the day, IIS was a separate program that you had to install, and it was only used as a web server. Has that changed?
