Bifrose (trojan horse)
From Wikipedia, the free encyclopedia
Common name | Bifrost
---|---
Technical name | Bifrost
Aliases | Backdoor-CEP and Bifrost (Windows Metafile vulnerability-related variant), Backdoor-CKA, Agent.MJ
Family | Bifrose
Classification | Trojan
Type (affected platforms) | Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003
Subtype | Backdoor
Isolation | 2004 - present (new variants being released)
Point of isolation | Unknown
Point of origin | Sweden
Author(s) | ksv
Bifrost is a family of backdoor trojan horses with more than 30 known variants that can infect Windows 95 through Windows XP and Windows Server 2003. Bifrost uses the typical three-part configuration of server, server editor and client: the server runs on the compromised machine, the server editor sets the server's behavior before it is deployed, and the client is used by the remote attacker to control the server and execute arbitrary code on the compromised machine.
The server component (15,023 bytes) is dropped to C:\Winnt\system32\Trojan.exe and, when running, connects out to a predefined IP address on TCP port 2000 and awaits commands from the remote user operating the client component. Because the server initiates the connection itself, it works from behind NAT and inbound-only firewall rules; once all three components are operational, the remote user can execute arbitrary code on the compromised machine at will.
The server editor component has the following capabilities:
- Create the server component
- Change the server component's port number and/or IP address
- Change the server component's executable name
- Change the name of the Windows registry startup entry
The client component has the following capabilities:
- Process Manager (Browse or kill running processes)
- File Manager (Browse, upload, download, or delete files)
- Windows Manager (Browse, close, maximize/minimize, or rename windows)
- Get system information
- Extract passwords from machine
- Key logger
- Screen capture
- Desktop logoff, reboot or shutdown
On December 28, 2005, the Windows Metafile (WMF) vulnerability was being exploited to drop new variants of Bifrose onto machines. Several workarounds and unofficial patches circulated before Microsoft issued an official patch (MS06-001) on January 5, 2006. The WMF vulnerability was considered extremely dangerous because a machine could be compromised simply by rendering a crafted image file, for example by viewing a web page or previewing an e-mail attachment.
Older variants of Bifrose used different ports (e.g. 1971 and 1999), dropped the server under a different name (e.g. C:\Winnt\system32\system.exe), and/or wrote different Windows registry keys, so indicator-based detection has to account for the variant in question.
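The behaviour described above (a dropped server binary in the system directory, a registry startup entry, and an outbound connection to a predefined address and port) can be hunted for on a host. The following is an added example, not code from this article or from the Bifrost author. It correlates constructed samples of `netstat -ano` style output, a process list and Run-key entries; because the server editor can change the port, the executable name and the registry entry, it pairs the article's known indicators (ports 2000/1971/1999, Trojan.exe, system.exe) with a behavioural rule so that reconfigured builds still surface. The sample data, the `COMMON_PORTS` allow-list, the `wsvchost.exe` name and the Run-key value names are assumptions made for the example.

```python
"""Host-side hunt for Bifrose/Bifrost indicators.

Added example, not the article's or the malware author's code. Inputs are
simplified, constructed samples modelled on 'netstat -ano' output plus a
process list and a dump of HKLM\\...\\Run values.
"""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")
Finding = namedtuple("Finding", "severity pid reason")

# Indicators taken from the article: known C2 ports and dropped file names.
KNOWN_PORTS = {2000, 1971, 1999}
KNOWN_DROP_NAMES = {"trojan.exe", "system.exe"}
SYSTEM_DIRS = (r"c:\winnt\system32", r"c:\windows\system32")
# Assumed allow-list: ports a system-directory binary may legitimately use.
COMMON_PORTS = {53, 80, 88, 135, 139, 389, 443, 445}


def parse_netstat(text):
    """Parse 'Proto Local Remote State PID' lines (netstat -ano style).

    UDP lines have no State column (4 fields) and are skipped, as are
    header and blank lines.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def split_endpoint(endpoint):
    """'203.0.113.9:2000' -> ('203.0.113.9', 2000); rpartition keeps IPv6 intact."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def hunt(netstat_text, processes, run_entries):
    """processes: {pid: image path}; run_entries: {value name: command}.

    Returns a list of Finding for processes that look like a Bifrose server.
    """
    established = [c for c in parse_netstat(netstat_text)
                   if c.state == "ESTABLISHED"]
    autostart_images = {cmd.strip('"').lower() for cmd in run_entries.values()}
    findings = []
    for pid, image in processes.items():
        image_l = image.lower()
        exe_name = image_l.rsplit("\\", 1)[-1]
        in_sysdir = any(image_l.startswith(d + "\\") for d in SYSTEM_DIRS)
        autostart = image_l in autostart_images
        for c in (c for c in established if c.pid == pid):
            rhost, rport = split_endpoint(c.remote)
            if exe_name in KNOWN_DROP_NAMES and rport in KNOWN_PORTS:
                # Exact match on the article's indicators for known builds.
                findings.append(Finding("high", pid,
                    f"{image} -> {rhost}:{rport}: known Bifrose name and port"))
            elif in_sysdir and autostart and rport not in COMMON_PORTS:
                # Behavioural rule: the server editor can rename the binary and
                # change the port, but a Run-key autostart binary in the system
                # directory holding an outbound session on an unusual port
                # still looks like a reconfigured server.
                findings.append(Finding("medium", pid,
                    f"{image} -> {rhost}:{rport}: autostart system32 binary "
                    "with outbound session on unusual port"))
    return findings


# Constructed sample data (not captured from a real infection).
SAMPLE_NETSTAT = """\
Proto Local Foreign State PID
TCP 10.0.0.5:1042 203.0.113.9:2000 ESTABLISHED 1234
TCP 10.0.0.5:1043 198.51.100.7:6060 ESTABLISHED 1300
TCP 10.0.0.5:1044 198.51.100.20:443 ESTABLISHED 1400
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 900
UDP 0.0.0.0:137 *:* 4
"""
SAMPLE_PROCESSES = {
    1234: r"C:\WINNT\system32\Trojan.exe",    # default build from the article
    1300: r"C:\WINNT\system32\wsvchost.exe",  # assumed renamed/reconfigured build
    1400: r"C:\WINNT\system32\svchost.exe",   # legitimate, talking HTTPS
    900: r"C:\WINNT\system32\svchost.exe",
}
SAMPLE_RUN = {  # assumed value names; the article does not give the real one
    "Bifrost": r"C:\WINNT\system32\Trojan.exe",
    "Windows Update Service": r"C:\WINNT\system32\wsvchost.exe",
}

if __name__ == "__main__":
    for f in hunt(SAMPLE_NETSTAT, SAMPLE_PROCESSES, SAMPLE_RUN):
        print(f.severity.upper(), f.pid, f.reason)
```

The medium-severity rule deliberately trades precision for coverage: a legitimate system-directory binary registered under Run and connected to an unlisted port will also be flagged, so its hits are leads to verify (hash the image, check its signer and its creation time against the Run value) rather than convictions. Any client port can be chosen by the server editor, so the known-port set alone should never be the only check.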
External links
- BackDoor-CEP, by McAfee, covers server behavior of a Bifrose variant dropped by the WMF exploit
- BackDoor-CEP.cfg, by McAfee, covers client and server editor behavior of the same Bifrose variant
- Backdoor-CKA, by McAfee
- Backdoor.Bifrose, by Symantec
- Backdoor.Bifrose.C, by Symantec
- Troj/Bifrose-AJ, by Sophos
- ChaseNET, Bifrost Homepage