There is new malware out there that collects data entered into Web-based forms, pretending to be a module for Microsoft’s Internet Information Services (IIS) web-hosting software, researchers said.
The malware, called “ISN,” is new and not hitting a wide area yet, but its characteristics seem intriguing, said Josh Grunzweig, a Trustwave SpiderLabs malware researcher on a blog.
ISN is a malicious DLL (dynamic link library), installed as a module for IIS, Grunzweig said. ISN’s installer contains four versions of the DLL, one of which serves up depending on whether a victim uses the 32- or 64-bit version of IIS6 or IIS7+.
“This module is of particular concern as it is currently undetectable by almost all anti-virus products,” Grunzweig said.
If ISN’s installer ends up detected, it’s usually through “general heuristic detection,” Grunzweig wrote, which means security software is looking at aspects of it that are suspicious and flagging it, such as if it is sending data to another server.
ISN collects data from POST requests and the stolen information ends up lifted from within IIS itself, which circumvents encryption, and then sent elsewhere. The malicious module can end up configured to monitor information from specific URIs (uniform resource identifier), Grunzweig said.
So far the malware is “targeting credit card data on e-commerce sites, however, it could also be used to steal logins, or any other sensitive information sent to a compromised IIS instance,” he said.