Threat Descriptions

Backdoor:W32/Bifrose

Classification

Category :

Malware

Type :

Backdoor

Platform :

W32

Aliases :

Backdoor:W32/Bifrose, Backdoor.Win32.Bifrose, Mal/Bifrose-A (Sophos), Backdoor:Win32/Bifrose (Microsoft), BKDR_BIFROSE (Trend Micro)

Summary

A remote administration tool (RAT) that bypasses the security features of a program, computer or network to give unauthorized access or control to its user.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Backdoor:W32/Bifrose is large family of Remote Administration Tools (RAT) that can be exploited by remote users to gain control over a system on which the program is installed.The backdoor has the following functionalities:

  • File Manager
  • Process Manager
  • Keylogger
  • Screen capture
  • Cam capture
  • Remote shell
  • Registry editor
  • Find passwords

The program also has the following server options:

  • Can connect through Socks 4 proxies.
  • Able to user TOR plugin, useful for hiding the network activity
  • Persistent server option (if the file is deleted, it will rewrite itself again to the disc and registry)
  • Able to inject itself to user defined processes
  • Can include plugins pack for more functionality
  • Offline keylogger

Installation

The server is usually installed in to following folders:

  • %Program Files%
  • %System%
  • %Windir%

After the installation, Bifrose tries to locate a running web browser and inject code into it. The injected code is the actual backdoor. The backdoor starts to communicate with the server part using specially crafted HTTP queries. The server can instruct the backdoor to execute the following actions:

  • Basic file operations (copy, delete, rename, find, execute)
  • Download/upload files
  • Process operations (list, kill)
  • Registry operations (create/delete keys/values)
  • Create screenshots of the desktop

Registry

During installation, the following registry key is created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1D04E0BB-B63D-8FA6-6553-5E619BB865DB} stubpath = "C:\Program Files\Bifrost\server.exe"

Where {1D04E0BB-B63D-8FA6-6553-5E619BB865DB}is always random.and the usual mutex name used is:

  • Bif123 (user defined)

The backdoor also creates the following registry key for storing information:

  • [HKLM\Software\Wget]