BIFROSE
Bifrose
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Via social networking sites, Downloaded by other malware/grayware/spyware, Dropped by other malware
BIFROSE malware are backdoors that often arrive on systems either downloaded by unsuspecting users when visiting malicious sites or downloaded by other malware/spyware from remote sites. They may also be dropped by other malware.
Some BIFROSE variants have rootkit capabilities, enabling them to hide processes and files from the user.
As backdoor malware, BIFROSE variants connect to various URLs or remote IPs to send and receive information from a malicious user. This allows a remote malicious user to gain control over affected system. Thus, a remote user is able to execute files, screen capture, keylog, view system information, view processes, and retrieve user names and passwords.
In 2010, BIFROSE variants have been spotted as the final payload for threats such as spammed messages, with the user inadvertently downloading the said variants through malicious links in the spammed emails.
TECHNICAL DETAILS
Yes
Compromises system security, Hides files and processes
Installation
This backdoor drops the following files:
- %Program Files%\MSNZONE\msos.dat
- %System%\Systems.exe\klog.dat
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %Program Files%\MSNZONE\msnzone.exe
- %System%\Bifrost\server.exe
- %System%\Systems.exe\usnsvcc.exe
- %System%\reader_s.exe
- %User Profile%\reader_s.exe
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)
It creates the following folders:
- %Program Files%\MSNZONE
- %System%\Systems.exe
- %System%\Bifrost
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
reader_s = "%User Profile%\reader_s.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
reader_s = "%System%\reader_s.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{7F4D8324-5900-2C20-FB03-FAA51F3FC4F5}
stubpath = "%Program Files%\MSNZONE\msnzone.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%System%\Systems.exe\usnsvcc.exe s"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%System%\Bifrost\server.exe s"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_CURRENT_USER\Software\MSNZONE
HKEY_LOCAL_MACHINE\SOFTWARE\MSNZONE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{7F4D8324-5900-2C20-FB03-FAA51F3FC4F5}
HKEY_CURRENT_USER\Software\Bifrost
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
Other Details
This backdoor connects to the following possibly malicious URL:
- {BLOCKED}erver.ru
- googlenews.{BLOCKED}s.com
- usurpname.{BLOCKED}p.org
- hackerfatal.{BLOCKED}p.org