IISerpent: Malware‑pushed Web optimization fraud as a service

IISerpent: Malware‑driven SEO fraud as a service

The final in our collection on IIS threats introduces a malicious IIS extension used to control web page rankings for third-party web sites

ESET researchers have found and analyzed a beforehand undocumented server-side trojan that manipulates search engine outcomes by hijacking the popularity of the web sites it compromises. We named the trojan IISerpent to spotlight its two principal options: being applied as a malicious extension for Web Info Providers (IIS) net server, and utilizing shady methods to control search engine end result pages (SERPs). IISerpent’s operators use a wide range of methods for search engine marketing (Web optimization), in an try to enhance web page rating for third-party web sites – seemingly the paying clients of those criminals.

This blogpost is the final installment in our collection the place ESET researchers put IIS net server threats beneath the microscope – the earlier components talk about IIS malware used for cybercrime and cyberespionage. For a complete information on easy methods to detect, analyze and take away IIS malware, discuss with our white paper Anatomy of native IIS malware, the place IISerpent is featured as one of many studied households (Group 13).

Assault overview

IISerpent is applied, and configured, as a malicious extension for IIS – Microsoft’s net server software program. That enables the malware to intercept all HTTP requests made to the web sites hosted by the compromised server, but additionally to actively change the server’s HTTP responses. Within the earlier installments of this collection, we mentioned how different IIS malware households leverage these powers – for instance, to steal bank card info from e-commerce web site clients (IIStealer), or to execute backdoor instructions on the compromised IIS server (IISpy).

Opposite to these households, IISerpent immediately impacts neither the compromised server nor the server’s customers – in reality, this malware fully ignores all requests coming from official guests of the compromised web sites. The malware listens to and parses all HTTP requests despatched to the compromised server, solely to seek for these originating from particular search engine crawlers. As proven in Determine 1, IISerpent relays these requests to its C&C server (or makes use of its native configuration) to change the content material served to those crawlers.

Determine 1. IISerpent working mechanism

Web optimization fraud

What’s the goal of this scheme? Serps often crawl the web, after which index (document) all of the content material discovered on-line, constructing associations between search phrases and the content material and utilizing numerous algorithms to calculate rankings of the outcomes for specific search phrases.

Numerous official methods can be utilized to extend web page rating in search engine end result pages – shopping for ads or using search engine marketing (Web optimization) methods – however not all digital entrepreneurs play by the principles. The time period unethical Web optimization (traditionally referred to as black hat Web optimization) refers to Web optimization-boosting methods (which, nonetheless, violate webmaster tips), similar to loading pages with irrelevant key phrases, or shopping for backlinks to extend an internet site’s popularity.

IISerpent’s assault sample makes use of a few of these unethical Web optimization methods, and might be finest described as “Web optimization fraud as a service” – because it employs Web optimization fraud methods on compromised IIS servers for the advantage of a 3rd occasion with out webmaster consent. IISerpent’s operators use this malware to spice up web page rating for third-party web sites by leeching off the compromised web site’s rating and by using the next methods:

  • Redirecting the major search engines to the actual web site chosen by the attacker, successfully making the compromised web site a doorway web page
  • Injecting a listing of backlinks (pre-configured or obtained from the C&C server on the fly) into the HTTP response for search engine crawlers, making the servers compromised by IISerpent one thing of a hyperlink farm

In an instance situation proven in Determine 2, an adversary compromises quite a lot of IIS servers with IISerpent, and makes use of its capabilities to inject backlinks to all web sites hosted by these servers. Web sites 1 – N are official, with good reputations; from the angle of a search engine crawler, all of them hyperlink to a third-party web site of the attacker’s alternative (on this case, a rip-off web site). Because of this, the rip-off web site could appear extra standard – since it’s referenced by respected web sites – which can enhance its web page rating.

Figure 2. Example of an SEO fraud mechanism

Determine 2. Instance of an Web optimization fraud mechanism

Word that the official guests of the compromised server will nonetheless be served the anticipated content material, so the customers and the webmaster might miss out on that one thing is improper with the server. This units IISerpent other than different malware households that inject synthetic backlinks into compromised websites – by working as a server extension, IISerpent can reserve these modifications for the search engine crawlers, with out interfering with content material served to plain guests (versus completely modifying the compromised web site by including the undesired backlinks for all its guests to see).

In fact, the misused web sites hosted on the compromised IIS servers don’t profit in any respect on this scheme – quite the opposite, it’s towards the webmaster tips to idiot the search engine crawlers by displaying a distinct model of the web site to them than the one proven to the common guests, and so these web sites may even find yourself penalized by the major search engines, reducing their Web optimization statistics.

Technical evaluation

Beneath its pores and skin, IISerpent is a local IIS module – applied as a C++ DLL and configured within the %windirpercentsystem32inetsrvconfigApplicationHost.config file. That approach, IISerpent secures each persistence and execution, as all IIS modules are loaded by the IIS Employee Processes (w3wp.exe) and used to deal with inbound HTTP requests.

We don’t have any details about how IISerpent’s operators initially penetrate IIS servers, however we all know that administrative privileges are required to configure it as a local IIS module, which reduces the variety of believable situations. A configuration weak spot or vulnerability in an internet software or the server are seemingly culprits.

As with all native IIS modules, IISerpent exports a operate known as RegisterModule (see Determine 3), which implements the module initialization. The core malicious performance is hidden in its occasion handlers – strategies of the module class (inherited from CHttpModule) which are known as on sure server occasions. Extra particularly, IISerpent’s code class overrides its OnBeginRequest and OnSendResponse strategies, which implies that the malware’s handlers will likely be known as each time the IIS server begins processing a brand new inbound HTTP request, and each time it sends the response buffer.

Figure 3. IISerpent’s DLL exports

Determine 3. IISerpent’s DLL exports

IISerpent parses the incoming requests and makes use of its advanced configuration knowledge to control content material served to go looking engine crawlers. As Desk 1 lists in full, the configuration consists of fields similar to a redirect URL, or a listing of backlinks to be injected. The attackers can show or replace the malware’s configuration by sending any HTTP request to the compromised IIS server with the question parameter ?DisplayModuleConfig=1 or ?ReloadModuleConfig=1, respectively, within the request URI.

Upon receiving the replace request, IISerpent obtains the configuration from the C&C server by sending an HTTP GET request to this URL:


The worth <host> is taken from the unique attacker request, and it’s in all probability used as a sufferer ID. The libcurl library is used for the community communication.

Desk 1. Configuration fields utilized by IISerpent

Configuration discipline Remark
banip Record of IP addresses. The malware ignores HTTP requests from these IP addresses.
redirectreferer Binary flag – set if the malware ought to deal with requests with the strings spider, bot or baidu.com/ within the Referer header.
onlymobilespider Binary flag – set if the malware ought to solely deal with crawler requests with the strings Android or AppleWebKit within the Referer header.
redirect If these values are set, the malware will redirect all crawler requests to the configured URL through an HTTP 301 response.
proxy If these values are set, the malware will ahead the search engine crawler requests to its C&C server, and substitute the HTTP response with the obtained knowledge, as a substitute of redirecting the crawlers to a malicious URL immediately.
folderlink If these values are set, the malware will add all of them as backlinks to the response for any HTTP request with the strings spider or bot within the Consumer-Agent header.

IISerpent acknowledges search engine crawler requests by parsing the Consumer-Agent header and searching for particular substrings, as seen in Determine 4. If the redirecturl discipline is configured, the malware redirects all requests with the strings spider or bot within the Consumer-Agent header to this URL by setting the Location header within the HTTP response. The HTTP standing is ready to 301 (“Moved Completely”).

Figure 4. IISerpent recognizes search engine crawler requests by parsing the User-Agent header

Determine 4. IISerpent acknowledges search engine crawler requests by parsing the Consumer-Agent header

If proxymode is ready, as a substitute of redirecting the crawlers to a malicious URL, IISerpent forwards the crawler request to its C&C server proxyurl, and replaces the HTTP response physique with the acquired knowledge. That is utilized to all of the HTTP requests with spider, bot or baidu.com/ within the Referer header, or optionally to requests with the strings Android or AppleWebKit within the Referer header. Moreover, the malware may be configured to:

  • Solely deal with these HTTP requests the place the IIS server has set the response standing to 404
  • Ignore requests coming from a configurable listing of banned IP addresses

Lastly, IISerpent can have a listing of hyperlinks configured and add these hyperlinks to the HTTP response physique for any search engine crawler requests. These hyperlinks are added as HTML entities to the present HTTP response physique:

<a href=’/<hyperlink><timestamp1>_<timestamp2>_<randomId>.html’></a>

Different notable serpents

IISerpent isn’t the one recognized malicious IIS module with Web optimization fraud capabilities – out of the 14 malware households we analyzed for our paper Anatomy of native IIS malware, six have help for Web optimization fraud methods. In these households, the Web optimization fraud performance is commonly bundled with different malicious capabilities (similar to backdoor help, or serving malicious content material to official web site guests).

Whereas we first detected IISerpent in Could 2021, we have been in a position to hint the Web optimization fraud phenomenon to the primary publicly recognized case in 2019, when Secpulse revealed an incident report in Chinese language on unnamed malware affecting IIS servers. The evaluation of that malware and its Web optimization fraud capabilities is featured in our white paper beneath the Group 9 class.

The assorted Web optimization fraud households that we analyzed differ within the unethical Web optimization methods supported, and goal a variety of search engine crawlers – specified within the clear (Group 12 within the paper, as proven in Determine 5), as an encrypted listing (Group 9), or obtained on the fly by querying DNS TXT data of the C&C server hostname (Group 11). All these households are detected by ESET safety options as Win32/BadIIS.

Figure 5. Example of strings used to recognize search engine crawler requests by IIS malware

Determine 5. Instance of strings used to acknowledge search engine crawler requests by IIS malware

For a whole breakdown of those different IIS malware households, discuss with our white paper.


IISerpent is a malicious IIS module with uncommon targets and goal, designed to help in shady practices geared toward boosting the web page rank of third-party web sites. Despite the fact that it doesn’t have an effect on official guests of the compromised server, it however nonetheless deserves consideration for distorting search outcomes, and its potential for monetization.

On prime of hijacking the popularity of the compromised web sites, IISerpent could be a trigger for complications for the digital entrepreneurs, as any web site taking part in unethical Web optimization practices may be penalized by search engine algorithms. The very best guess to forestall a compromise by IISerpent (and different IIS malware) is holding your IIS servers updated, and being cautious to not obtain IIS extensions from untrusted sources – be particularly conscious of modules promising too-good-to-be-true options similar to magically enhancing Web optimization. For extra safety, think about using an internet software firewall, and/or a safety answer in your IIS server.

Extra mitigation suggestions and Indicators of Compromise may be present in our complete white paper, and on GitHub. For any inquiries, or to make pattern submissions associated to the topic, contact us at: threatintel@eset.com.

Indicators of Compromise (IoCs)

ESET detection names






Community indicators

URL question parameters


C&C server


MITRE ATT&CK methods

Word: This desk was constructed utilizing model 9 of the MITRE ATT&CK framework.

Tactic ID Identify Description
Useful resource Improvement T1587.001 Develop Capabilities: Malware IISerpent is a custom-made malware household.
Execution T1569.002 System Providers: Service Execution IIS server (and by extension, IISerpent) persists as a Home windows service.
Persistence T1546 Occasion Triggered Execution IISerpent is loaded by the IIS Employee Course of (w3wp.exe) when the IIS server receives an inbound HTTP request.
Command and Management T1071.001 Utility Layer Protocol: Net Protocols Adversaries ship HTTP requests with particular question parameters to the compromised IIS server to manage IISerpent.
Influence T1565.002 Knowledge Manipulation: Transmitted Knowledge Manipulation IISerpent modifies content material served by the compromised server to go looking engine crawlers.


Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts