Threat behavior
Backdoor:Win32/Bifrose.ACI is a backdoor Trojan that allows a remote attacker to access the compromised computer. It injects its code into the Windows shell and Internet Explorer.
Installation
When executed, Win32/Bifrose.ACI writes a copy of itself to the local computer. The file name and path of this copy vary with the minor variant. The following are examples of file names and paths used by samples submitted to Microsoft from the wild:
<system folder>\bitfrost\server.exe
<system folder>\drivers\ctfm0n.exe
<system folder>\services\service.exe
%ProgramFiles%\Bifrost\svchost.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
The Trojan adds a registry entry to load the written copy at each Windows start. The entry corresponds to the file written, as in the following examples:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "<system folder>\bitfrost\server.exe s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{B9D86CC7-0AD1-8235-EDD2-8D0FAFEA004B}
stubpath = "<system folder>\drivers\ctfm0n.exe s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{061AF0F9-6007-B9B4-96FB-128B2A87067B}
stubpath = "<system folder>\services\service.exe s"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}
stubpath = "%ProgramFiles%\bifrost\svchost.exe s"
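As an added defender-side example (not part of this write-up), the check below parses a .reg export of the Active Setup\Installed Components key and flags StubPath values that match the drop paths and the bare "s" launch argument shown above. The export text is constructed for the example; the benign GUID is made up, and the two heuristics are assumptions drawn only from the samples listed here.

```python
import re

# Constructed .reg export of the Active Setup key: one made-up benign entry
# plus two entries using GUIDs and paths listed on this page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
"StubPath"="C:\\Windows\\System32\\bitfrost\\server.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{B9D86CC7-0AD1-8235-EDD2-8D0FAFEA004B}]
"StubPath"="%ProgramFiles%\\Bifrost\\svchost.exe s"
"""

# Drop locations reported above, matched as case-insensitive path suffixes so
# <system folder> / %ProgramFiles% expansion does not matter.
KNOWN_SUFFIXES = (r"\bitfrost\server.exe", r"\drivers\ctfm0n.exe",
                  r"\services\service.exe", r"\bifrost\svchost.exe")
ACTIVE_SETUP = r"\active setup\installed components\{"
KEY_RE = re.compile(r"^\[(.+)\]$")
STUBPATH_RE = re.compile(r'^"StubPath"="(.*)"$', re.IGNORECASE)


def parse_stubpaths(reg_text):
    """Return (component GUID, unescaped StubPath) pairs from a .reg export."""
    found, key = [], ""
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := STUBPATH_RE.match(line)) and ACTIVE_SETUP in key.lower():
            # .reg files double backslashes and escape quotes inside strings
            path = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
            found.append((key.rsplit("\\", 1)[-1], path))
    return found


def flag_bifrose(reg_text):
    """Flag StubPath entries showing the persistence traits described above."""
    hits = []
    for guid, stubpath in parse_stubpaths(reg_text):
        command, _, args = stubpath.lower().partition(".exe")
        reasons = []
        if any((command + ".exe").endswith(s) for s in KNOWN_SUFFIXES):
            reasons.append("known Bifrose.ACI drop path")
        if args.strip() == "s":  # every sample above is launched with a bare "s"
            reasons.append("bare 's' start argument")
        if reasons:
            hits.append((guid, stubpath, reasons))
    return hits
```

On a live system, the same functions can be pointed at the output of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg`; the suffix list is deliberately narrow, so it catches only the paths this page reports.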
Win32/Bifrose.ACI injects code into the Windows shell application Explorer.exe, and initiates a hidden instance of Internet Explorer (Iexplore.exe), also injecting its code into this process.
Payload
Backdoor Functionality
Win32/Bifrose.ACI connects to a remote IP address using either TCP port 81 or a random port, allowing an attacker access to the computer.
The Bifrose Trojan family is highly configurable, so the locations of its installed files and the TCP ports it connects on will vary from one infected computer to another. Commands can be sent to the installed Trojan that allow an attacker to perform any of the following actions on the affected machine:
- Manage running processes
- Manipulate files or registry data
- Obtain installed program details
- Log keystrokes
- Capture the screen
- Shut down or reboot the system
- Open a command shell
Prevention