DDI RULE 397
Possible BIFROSE - TCP
OVERVIEW
BIFROSE is a family of backdoors that typically arrive on a system either downloaded by unsuspecting users visiting malicious sites or downloaded by other malware/spyware from remote sites. They may also be dropped by other malware. Some BIFROSE variants have rootkit capabilities, enabling them to hide processes and files from the user. As backdoors, BIFROSE variants connect to various URLs or remote IPs to send and receive information to and from a malicious user, allowing that user to gain control over the affected system. A remote user is thus able to execute files, capture the screen, log keystrokes, view system information, view running processes, and retrieve user names and passwords. In 2010, BIFROSE variants were spotted as the final payload of threats such as spammed messages, with users inadvertently downloading the variants through malicious links in the spammed emails.
Related Malware:
TECHNICAL DETAILS
Attack Phase: Command and Control Communication
Protocol: TCP
Risk Type: MALWARE
Threat Type: Suspicious behavior
Confidence Level: Low
Severity: Low (Outbound)
DDI Default Rule Status: Enable
Event Class: Callback
Event Sub Class: Bot
Behavior Indicator: Callback
APT Related: NO
SOLUTION