Bifrost (Trojan horse)


Bifrost is a family of backdoor trojan horses with more than 10 known variants, capable of infecting Windows 95 through Windows 10. Bifrost uses the server, server builder, and client configuration typical of a remote-access trojan: the server runs on the victim, the builder produces a configured server, and the client lets a remote attacker execute arbitrary code on the compromised machine.
With default settings the server component is dropped to C:\Program Files\Bifrost\server.exe. When running, it connects out to a predefined IP address on TCP port 81 and waits for commands from the remote user operating the client component. Both the installation directory and the TCP port can be changed in the builder.
The TCP connection is encrypted using a password, which can likewise be changed.
It can be assumed that once all three components are operational, the remote user can execute arbitrary code at will on the compromised machine. The server component can also be dropped into C:\Windows with its file attributes set to "Read Only" and "Hidden". Because Windows hides such files and directories by default, casual users may not notice them. Some anti-virus programs seem to miss the file entirely.
The server builder component has the following capabilities:
The client component has the following capabilities:
On December 28, 2005, the Windows WMF exploit was used to drop new variants of Bifrost onto machines. Workarounds and unofficial patches were published before Microsoft issued an official patch (MS06-001) on January 5, 2006. The WMF exploit was considered extremely dangerous because it allowed code execution merely by rendering a crafted image file, with no further user interaction.
Older variants of Bifrost used different ports (e.g. 1971 or 1999), a different payload location (e.g. C:\Winnt\system32\system.exe), and/or wrote different Windows registry keys.
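As an added example (not part of the original article and not Bifrost's own tooling), the following Python script shows how a responder might triage a host for the indicators listed above: the default drop path, the older-variant payload path, executables under C:\Windows carrying the Hidden and Read-only attributes, and outbound TCP connections to ports 81, 1971 or 1999. It parses the text output of the Windows attrib and netstat -ano commands. The sample output embedded in the script is constructed, not captured from an infected host, and the port list is only a heuristic, since the builder lets the operator change both the port and the directory.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Indicators taken from the article: the default drop path, the older-variant
# payload path, and the default plus older-variant TCP ports. Because the
# builder lets the operator change directory and port, these are triage
# heuristics, not a signature.
SUSPECT_PATHS = {
    r"c:\program files\bifrost\server.exe",
    r"c:\winnt\system32\system.exe",
}
SUSPECT_PORTS = {81, 1971, 1999}

# Constructed sample of `attrib /s C:\*` output (not from a real host).
ATTRIB_SAMPLE = """\
A  SHR      C:\\Windows\\bootmgr
A    R      C:\\Program Files\\Bifrost\\server.exe
A   HR      C:\\Windows\\server.exe
A           C:\\Program Files\\Notepad++\\notepad++.exe
"""

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING       880
  TCP    192.0.2.10:49723       198.51.100.7:81        ESTABLISHED     4120
  TCP    192.0.2.10:49724       198.51.100.9:443       ESTABLISHED     2232
  TCP    192.0.2.10:49730       198.51.100.7:1971      SYN_SENT        4120
  UDP    0.0.0.0:5353           *:*                                    1560
"""


@dataclass
class FileHit:
    path: str
    flags: str
    reasons: List[str]


@dataclass
class NetHit:
    pid: int
    remote_host: str
    remote_port: int
    state: str


# attrib prints the attribute letters in fixed columns followed by the path;
# anchoring on the drive prefix avoids depending on the exact column layout.
_DRIVE_PATH = re.compile(r"([A-Za-z]:\\.*)$")


def parse_attrib(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (attribute letters, path) for each line of `attrib` output."""
    for line in text.splitlines():
        m = _DRIVE_PATH.search(line)
        if m:
            yield line[:m.start()].replace(" ", ""), m.group(1)


def find_suspect_files(attrib_text: str) -> List[FileHit]:
    hits = []
    for flags, path in parse_attrib(attrib_text):
        low = path.lower()
        reasons = []
        if low in SUSPECT_PATHS:
            reasons.append("known Bifrost drop path")
        # The article notes the server may instead be dropped under C:\Windows
        # with the Hidden and Read-only attributes set; bootmgr in the sample
        # has the same attributes but is not an .exe, so it is left alone.
        if (low.startswith("c:\\windows\\") and low.endswith(".exe")
                and "H" in flags and "R" in flags):
            reasons.append("hidden+read-only executable under C:\\Windows")
        if reasons:
            hits.append(FileHit(path, flags, reasons))
    return hits


def find_suspect_connections(netstat_text: str,
                             ports=SUSPECT_PORTS) -> List[NetHit]:
    """Flag TCP rows whose *remote* port is on the suspect list. Bifrost
    connects out to its controller, so a local listener on port 81 (first
    TCP row of the sample) is deliberately not reported."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have exactly proto, local, remote, state, pid; UDP rows
        # lack the state column and header rows do not start with TCP.
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, _, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if port.isdigit() and int(port) in ports:
            hits.append(NetHit(int(pid), host, int(port), state))
    return hits


def pids_to_investigate(netstat_text: str) -> Dict[int, List[int]]:
    """Map each PID with suspect connections to the remote ports it used,
    so the responder knows which process to dump and which ports to block."""
    result: Dict[int, List[int]] = {}
    for hit in find_suspect_connections(netstat_text):
        result.setdefault(hit.pid, []).append(hit.remote_port)
    return result


if __name__ == "__main__":
    for hit in find_suspect_files(ATTRIB_SAMPLE):
        print(f"[file] {hit.path} [{hit.flags}]: {', '.join(hit.reasons)}")
    for pid, used_ports in pids_to_investigate(NETSTAT_SAMPLE).items():
        print(f"[net] PID {pid} -> remote ports {used_ports}")
```

On a live host, feed the script the real output of attrib /s C:\*.exe and netstat -ano instead of the constructed samples. A hit on the path or attribute check is a stronger lead than a port hit alone, since port 81 is also used legitimately as an alternate HTTP port; confirm by inspecting the flagged PID's image path and the registry run keys the article mentions.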
Bifrost was designed before Windows User Account Control (UAC) was introduced with Windows Vista. Its install locations, C:\Program Files and C:\Windows, are writable only by elevated processes on UAC-era systems, so Bifrost is unable to install itself on modern Windows unless it is launched with administrator privileges.