BKDR_BIFROST


 ALIASES:

Bifrose

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Via social networking sites, Downloaded by other malware/grayware/spyware, Dropped by other malware


BIFROSE malware are backdoors that often arrive on systems either downloaded by unsuspecting users when visiting malicious sites or downloaded by other malware/spyware from remote sites. They may also be dropped by other malware.

Some BIFROSE variants have rootkit capabilities, enabling them to hide processes and files from the user.

As backdoor malware, BIFROSE variants connect to various URLs or remote IPs to send and receive information from a malicious user. This allows a remote malicious user to gain control over affected system. Thus, a remote user is able to execute files, screen capture, keylog, view system information, view processes, and retrieve user names and passwords.

In 2010, BIFROSE variants have been spotted as the final payload for threats such as spammed messages, with the user inadvertently downloading the said variants through malicious links in the spammed emails.

  TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Compromises system security, Hides files and processes

Installation

This backdoor drops the following files:

  • %Program Files%\MSNZONE\msos.dat
  • %System%\Systems.exe\klog.dat

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %System% is the Windows system folder, which is usually C:\Windows\System32.)

It drops the following copies of itself into the affected system:

  • %Program Files%\MSNZONE\msnzone.exe
  • %System%\Bifrost\server.exe
  • %System%\Systems.exe\usnsvcc.exe
  • %System%\reader_s.exe
  • %User Profile%\reader_s.exe

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %System% is the Windows system folder, which is usually C:\Windows\System32.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It creates the following folders:

  • %Program Files%\MSNZONE
  • %System%\Systems.exe
  • %System%\Bifrost

(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).. %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This backdoor adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
reader_s = "%User Profile%\reader_s.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
reader_s = "%System%\reader_s.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{7F4D8324-5900-2C20-FB03-FAA51F3FC4F5}
stubpath = "%Program Files%\MSNZONE\msnzone.exe s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%System%\Systems.exe\usnsvcc.exe s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%System%\Bifrost\server.exe s"

Other System Modifications

This backdoor adds the following registry keys:

HKEY_CURRENT_USER\Software\MSNZONE

HKEY_LOCAL_MACHINE\SOFTWARE\MSNZONE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{7F4D8324-5900-2C20-FB03-FAA51F3FC4F5}

HKEY_CURRENT_USER\Software\Bifrost

HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}

Other Details

This backdoor connects to the following possibly malicious URL:

  • {BLOCKED}erver.ru
  • googlenews.{BLOCKED}s.com
  • usurpname.{BLOCKED}p.org
  • hackerfatal.{BLOCKED}p.org