Researchers Unearth Windows Backdoor That's Unusually Stealthy (arstechnica.com)
Researchers have discovered a clever piece of malware that stealthily exfiltrates data and executes malicious code from Windows systems by abusing a feature in Microsoft Internet Information Services (IIS). From a report: IIS is a general-purpose web server that runs on Windows devices. As a web server, it accepts requests from remote clients and returns the appropriate response. In July 2021, network intelligence company Netcraft said there were 51.6 million instances of IIS spread across 13.5 million unique domains. IIS offers a feature called Failed Request Event Buffering that collects metrics and other data about web requests received from remote clients. Client IP addresses and port and HTTP headers with cookies are two examples of the data that can be collected. FREB helps administrators troubleshoot failed web requests by retrieving ones meeting certain criteria from a buffer and writing them to disk. The mechanism can help determine the cause of 401 or 404 errors or isolate the cause of stalled or aborted requests.
Criminal hackers have figured out how to abuse this FREB feature to smuggle and execute malicious code into protected regions of an already compromised network. The hackers can also use FREB to exfiltrate data from the same protected regions. Because the technique blends in with legitimate web requests, it provides a stealthy way to further burrow into the compromised network. The post-exploit malware that makes this possible has been dubbed Frebniis by researchers from Symantec, who reported on its use on Thursday. Frebniis first ensures FREB is enabled and then hijacks its execution by injecting malicious code into the IIS process memory and causing it to run. Once the code is in place, Frebniis can inspect all HTTP requests received by the IIS server.
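Since Frebniis needs FREB to be enabled before it can hijack it, a defender's first inventory question is which IIS sites actually have Failed Request Tracing switched on. The following is an added example (not code from the article or from Symantec) that audits an applicationHost.config for that: it lists each site whose traceFailedRequestsLogging is enabled and, going one step further than the summary, the per-site trace rules and the failure status codes (such as the 401/404 the article mentions) they capture. It assumes the standard applicationHost.config layout; the sample config embedded below is constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample applicationHost.config, trimmed to the FREB-relevant elements.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="true" directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" maxLogFiles="50" />
      </site>
      <site name="Intranet" id="2"><traceFailedRequestsLogging enabled="false" /></site>
      <site name="API" id="3" />
    </sites>
  </system.applicationHost>
  <location path="Default Web Site">
    <system.webServer><tracing><traceFailedRequests>
      <add path="*"><failureDefinitions statusCodes="401,404" timeTaken="00:00:30" /></add>
    </traceFailedRequests></tracing></system.webServer>
  </location>
</configuration>"""

def freb_rules(root, site_name):
    """Collect (URL path, status codes) FREB rules scoped to one site via <location>."""
    rules = []
    for loc in root.iterfind("location"):
        if loc.get("path") != site_name:
            continue
        for add in loc.iterfind("system.webServer/tracing/traceFailedRequests/add"):
            fd = add.find("failureDefinitions")
            codes = fd.get("statusCodes", "") if fd is not None else ""
            rules.append((add.get("path"), codes))
    return rules

def sites_with_freb(config_xml):
    """Return {site name: {'directory': log dir, 'rules': [...]}} for sites with FREB on."""
    root = ET.fromstring(config_xml)
    found = {}
    for site in root.iterfind("system.applicationHost/sites/site"):
        freb = site.find("traceFailedRequestsLogging")
        # A missing element means FREB is off (the IIS default); only an explicit true counts.
        if freb is None or freb.get("enabled", "false").lower() != "true":
            continue
        name = site.get("name")
        found[name] = {"directory": freb.get("directory", "(IIS default)"), "rules": freb_rules(root, name)}
    return found

if __name__ == "__main__":
    for name, info in sites_with_freb(SAMPLE_CONFIG).items():
        print(f"FREB enabled on {name!r}: logs -> {info['directory']}, rules {info['rules']}")
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config; any site it reports is one where the precondition Frebniis relies on already holds and where the IIS worker process deserves closer memory and module inspection.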
it is microsoft's fault (Score:2)
Re: (Score:3)
Well, I agree that they are not even trying to make a good product. But I think they could not if their lives depended on it. Remember their continued failure to produce their own filesystem? NTFS is still based on what they bought way back and it has wacky limitations and problems. In the same period, the Linux community created several, all working fine.
Re: (Score:3)
Microsoft should just give up and adopt OpenZFS. It's the business.
I am now using a manually installed Debian Bullseye (11) on ZFS with native encryption, the very latest nvidia drivers, Plasma, a recent pipewire... and sysvinit. And due to some systemd weird bullshit with bridge interfaces on the old system, and also not needing LUKS for key storage, my boot time is actually shorter than it was on Ubuntu with systemd.
Re: (Score:3)
I'd probably assert that NTFS is one of the better things Microsoft has, just because it has been hammered on for so long. It is reliable, even in disk full environments or when RAM is an issue, has compression, has file encryption (although EFS should be killed with fire in any type of enterprise setting), and works.
I would agree that MS should license ZFS from Oracle. RAID in Windows is a very nasty, ugly thing. Either one uses the old RAID software, which doesn't allow things like BitLocker to work, one
The old joke on Slashdot used to be (Score:1)
Windows has more gaping security holes than goatse (if you're lucky enough to not know what I'm referring to, Wikipedia [wikipedia.org] has the most SFW description).
If there's three things in life you can always count on, they're: death, taxes, and security flaws in Microsoft products.
Why are we using 3rd rated software? (Score:2)
In critical places? MS software is bloated, slow, unreliable, hard to use and insecure. It wastes more human hours than anything else. It still has not reached a stable state, likely because MS wants to keep things unfinished and ever-changing.
Why are we using this crap?
Re: (Score:2)
- nobody ever got fired for buying from MS (at least not in the public knowledge). There is thus some sort of precedent that MS is "right".
- the bean counters have grown up using MS's products and don't know anything else. They will therefore not approve the purchase of anything else.
- unbelievable discounts when someone tries choosing something else. Rumour had it, many years ago, that when Munich (or was it Hamburg? Either way, both are in Germany) decide
Re: (Score:2)
The problem is this stuff gets more and more expensive and control is slipping. I mean I now have to tell people that there is no reliable way to secure an MS infrastructure. If this was a 2-year-old newcomer that may be acceptable, but MS has been in this game far too long.
Re: (Score:2)
Yep, Windows is the worst OS one could possibly imagine...except for all the others!
Re: (Score:2)
Have you used MS office recently? Their stuff is now so dysfunctional that you need hours more to get inferior results.
Re: (Score:2)
I use MS Office daily, and I have no idea what you are talking about. Can you be more specific? What kind of inferior results? Does OpenOffice / LibreOffice calculate things differently? I've also spent a lot of time on those applications, and IMO you get what you pay for. Yeah, they can do spreadsheets and docs, but they are quite clunky, and if you get any deeper than the kinds of things you do in email (think tables, drawing objects, charts & graphs, mail merge, pivot tables, multi-user shared docume
Re: (Score:2)
Well, where to start? Ever spell-checked headlines? Ever written a document not in English? Ever tried to get tracked changes in PowerPoint? And do not even get me started about the "ribbon". And there is a lot more. There is a massive lot of really stupid design, bad decisions, lack of insight and general incompetence in these products. I guess some people find these things right on their level though and are comfortable.
Re: (Score:2)
I'm with you on the ribbon! The rest of that stuff, I don't really care. I guess it really depends on how you want to use the software, every one has its strengths and weaknesses.
Re: (Score:2)
> Why are we using this crap?
Momentum.
Remember the old adage "No one got fired for buying IBM"? Today it is: "No one got fired for buying Microsoft."
If businesses had the balls to set a date to switch to OpenOffice they could make a dent in MS's monopoly. But they won't because no one wants to go "first". MS knows this and continues to hold people's data hostage. Ditto for Adobe (although people ARE waking up to Affinity Photo as a replacement.)
Microsoft also "ramming" Windows 10 and Windows 11 auto
Re: (Score:2)
True, unfortunately. The cost of this is steadily rising though. Bad infrastructure (and that is what this is essentially today) will eventually come back to be a huge cost, probably erasing and eclipsing all savings made before.
They want a single vendor that they can blame with the "illusion" that they will be responsible.
Yep. Like MS was ever taken to task for all their crap. They can have an update process that _still_ does not work with any reasonable reliability. They can even do blatantly illegal stuff (GDPR in the EU with telemetry that cannot be turned off and the default is "on") and get ha
Dichotomy of Man (Score:3)
Re: (Score:1)
Yet out in the wild, all of you nerds are happy to install Windows for the right price.
Principles are a good thing to have but they don't pay the rent.
Re: (Score:2)
Re: (Score:3)
I'm a huge fan of Linux, have a few boxes at home and am administering half a dozen at work. But your post demonstrates total ignorance of the cost of business. Providing your workers with a familiar environment that they are comfortable using without training is worth the cost of software licenses 50 times over. Plus the Windows license is baked into the cost of a new PC purchase from any major supplier, so it's not like you can avoid paying that cost anyway.
Re: (Score:2)
> familiar environment that they are comfortable using without training is worth the cost of software
> licenses 50 times over.
I'm certain Ernie Ball of Ernie Ball Guitar Strings would have agreed with you. However, after the Business Software Alliance raided [slashdot.org] his business in 2000 and fined him for not having enough Windows licenses, he switched over to Linux. 10 years [google.com] later in 2010 he said "I
Re: (Score:1)
As a shareholder in MSFT, for the average user there is very little that is foreign switching between Linux and Windows; the switch to Apple is far greater as the keyboard configuration is significantly different, but on all platforms if you want to use the internet you click on the Chrome icon.
Re: (Score:2)
If paying the rent is a current worry, which are you going to install?
What they pay me to install.
At home I no longer run Windows on the metal anywhere, and I only have to use it at all because of stupid protection schemes in software. Wine (or Proton) covers all my other use cases now.
_NSAKEY (Score:2)
Anyone remember that?
Re: (Score:2)
Still Lots of Unanswered Questions (Score:4, Interesting)
Re: (Score:2)
hooking (Score:5)
Um, you guys do know that this article is describing *another program* which is hooking into IIS, and not an actual remote execution vulnerability of IIS itself, right?
The goofy shiny clown says (Score:2)
"Mere end users like you can't touch the internals of the system. Here is a happy shiny puppy to hop around your screen instead!"
Well, expect this in Windows 12.
Windows runs IIS automatically? (Score:3)
My opinion (Score:1)