Bifrost (Trojan horse)

From Wikipedia, the free encyclopedia
  (Redirected from Bifrost (trojan horse))
Jump to: navigation, search
For other uses, see Bifrost (disambiguation).
Bifrost trojan horse family
Common name Bifrost
Technical name Bifrost
Aliases (Windows Metafile vulnerability-related: Backdoor-CEP, Bifrost), Backdoor-CKA, Agent.MJ
Family Bifrose
Classification Trojan
Type Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Server 2003, Windows 7
Subtype Backdoor
Isolation 2004 - present
Point of isolation Unknown
Point of Origin Sweden
Author(s) ksv

Bifrost is a backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 7. Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).

The server component (29,053 bytes) is dropped to C:\Program Files\Bifrost\server.exe with default settings and, when running, connects to a predefined IP address on TCP port 81, awaiting commands from the remote user who uses the client component. It can be assumed that once all three components are operational, the remote user can execute arbitrary code at will on the compromised machine. The server components can also be dropped to C:\Windows and file attributes changed to "Read Only" and "Hidden". Casual users may not see the directories by default due to the "hidden" attributes set on the directory. Some anti-virus programs (example AVG - 17th Feb 2010) seem to miss the file entirely.

The server builder component has the following capabilities:

  • Create the server component
  • Change the server component's port number and/or IP address
  • Change the server component's executable name
  • Change the name of the Windows registry startup entry
  • Include rootkit to hide server processes
  • Include extensions to add features (adds 22,759 bytes to server)
  • Use persistence (makes the server harder to remove from the infected system)

The client component has the following capabilities:

On December 28, 2005, the Windows WMF exploit was used to drop new variants of Bifrost to machines. Some workarounds and unofficial patches were published before Microsoft announced and issued an official patch on January 5, 2006. The WMF exploit is to be considered extremely dangerous.

Older variants of Bifrost used different ports, e.g. 1971, 1999; had a different payload, e.g. C:\Winnt\system32\system.exe; and/or wrote different Windows registry keys.

See also[edit]

External links[edit]