DDI RULE 397


 DESCRIPTION NAME:

Possible BIFROSE - TCP


  OVERVIEW

BIFROSE is a family of backdoors that typically arrive on a system either downloaded by unsuspecting users visiting malicious sites or downloaded by other malware or spyware from remote sites; they may also be dropped by other malware. Some BIFROSE variants have rootkit capabilities that let them hide their processes and files from the user. As backdoors, BIFROSE variants connect to various URLs or remote IP addresses to send information to and receive commands from a remote attacker, which gives that attacker control over the affected system: the attacker can execute files, capture the screen, log keystrokes, view system information and running processes, and retrieve user names and passwords. In 2010, BIFROSE variants were observed as the final payload of spam campaigns, with users inadvertently downloading the variants through malicious links in the spammed emails.

Related Malware:

  TECHNICAL DETAILS

Attack Phase: Command and Control Communication

Protocol: TCP

Risk Type: MALWARE

Threat Type: Suspicious behavior

Confidence Level: Low

Severity: Low(Outbound)

DDI Default Rule Status: Enabled

Event Class: Callback

Event Sub Class: Bot

Behavior Indicator: Callback

APT Related: NO
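The rule above is classified as a Callback / Bot event: the behaviour it flags is an infected host repeatedly reaching out to a remote control point. The following is an added triage example, not Trend Micro's rule logic or the BIFROSE signature itself. It shows the generic shape of that behaviour class by scanning constructed flow records for a host that opens outbound TCP connections to the same external endpoint at near-regular intervals. The flow records, the RFC 1918 "internal" check, and the thresholds (`min_connections`, `max_jitter`) are assumptions chosen for illustration.

```python
"""
Added example (not Trend Micro's DDI rule logic): flag the "callback"
behaviour class by finding hosts that beacon to the same external
TCP endpoint at near-regular intervals. All data here is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto).
# 10.0.0.5 beacons every ~60 s; 10.0.0.9 browses three different hosts;
# 10.0.0.11 connects to one host but with irregular timing.
FLOWS = [
    (0,    "10.0.0.5",  "203.0.113.7",   4433, "tcp"),
    (60,   "10.0.0.5",  "203.0.113.7",   4433, "tcp"),
    (121,  "10.0.0.5",  "203.0.113.7",   4433, "tcp"),
    (180,  "10.0.0.5",  "203.0.113.7",   4433, "tcp"),
    (241,  "10.0.0.5",  "203.0.113.7",   4433, "tcp"),
    (300,  "10.0.0.5",  "203.0.113.7",   4433, "tcp"),
    (5,    "10.0.0.9",  "198.51.100.20", 443,  "tcp"),
    (800,  "10.0.0.9",  "198.51.100.21", 443,  "tcp"),
    (1500, "10.0.0.9",  "198.51.100.22", 443,  "tcp"),
    (0,    "10.0.0.11", "203.0.113.50",  8080, "tcp"),
    (10,   "10.0.0.11", "203.0.113.50",  8080, "tcp"),
    (200,  "10.0.0.11", "203.0.113.50",  8080, "tcp"),
    (210,  "10.0.0.11", "203.0.113.50",  8080, "tcp"),
    (900,  "10.0.0.11", "203.0.113.50",  8080, "tcp"),
    (12,   "10.0.0.5",  "10.0.0.1",      445,  "tcp"),  # internal, ignored
    (30,   "10.0.0.7",  "203.0.113.7",   4433, "udp"),  # not TCP, ignored
]

# Assumption: "internal" means RFC 1918 only. This is deliberately a plain
# prefix check rather than ipaddress.is_global, which treats the TEST-NET
# documentation ranges used above as non-global.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True if ip is outside the RFC 1918 ranges (assumed 'internal')."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_callbacks(flows, min_connections=5, max_jitter=0.25):
    """Return {(src, dst, port): mean_interval_s} for suspected beacons.

    A (src, dst, port) triple is reported when it has at least
    min_connections outbound TCP flows to an external address and the
    coefficient of variation of the inter-connection gaps is at most
    max_jitter, i.e. the connections are close to periodic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if proto != "tcp" or not is_external(dst):
            continue
        by_pair[(src, dst, port)].append(ts)

    suspects = {}
    for key, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread of the gaps is what separates a beacon from
        # ordinary repeated use of the same service.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = avg
    return suspects


if __name__ == "__main__":
    for (src, dst, port), interval in find_callbacks(FLOWS).items():
        print(f"suspected callback: {src} -> {dst}:{port} every ~{interval:.0f}s")
```

On the constructed data only 10.0.0.5 is reported: 10.0.0.9 never reuses a destination, and 10.0.0.11 hits one endpoint five times but with gaps of 10 s and 690 s, so its jitter is far above the threshold. In a real investigation this output is a lead to pivot from, not a verdict: the DDI event carries the matched pattern and the endpoint, and the next steps are host triage for the process owning the socket and a check of the remote address against intelligence.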

  SOLUTION

Network Content Inspection Pattern Version: 1.11999.00
Network Content Inspection Pattern Release Date: 16 Dec 2013
Network Content Correlation Pattern Version: 1.12467.00
Network Content Correlation Pattern Release Date: 07 Mar 2016

