E-commerce website operators need to be aware of malware that targets web servers in order to steal credit card data when site customers submit the data.
In addition to taking sensitive information, the malevolent DLL (dynamic link library), dubbed “ISN,” is masked as a component for Microsoft Internet Information Services (IIS) web-hosting software, researchers on Trustwave’s SpiderLabs team found.
John Miller, a security manager at Trusttwave, told a news source last Wednesday that hackers “broke into the web servers” of victims in a few, limited instances and installed ISN. The malware was branded as these where the character strings that showed up in all of the malware’s commands.
ISN steals the information by capturing POST requests, which are requested when submitting form data on sites, Miller stated.
“Anytime you are filling out a form in your browser, it captures data on the server side,” Miller said. “We’ve only seen it going after credit card numbers currently, but it could go after any information you submit on a website.”
As outlined by experts, the installer component of the malware has four embedded DLLs, which are used at any time. The DLL set up is determined by which Microsoft software the target runs – IIS6 or IIS7+.
You can view the full analysis and code here. In the analysis, they recovered a VBS file that the malware utilizes, you can view the code below.