The server component (29,053 bytes) is dropped to C:\Program Files\Bifrost\server.exe with default settings and, when running, connects to a predefined IP address on TCP port 81, awaiting commands from the remote user who uses the client component. It can be assumed that once all three components are operational, the remote user can execute arbitrary code at will on the compromised machine. The server component can also be dropped to C:\Windows with its file attributes changed to "Read Only" and "Hidden". Casual users may not see the directories by default because of the "hidden" attribute set on the directory. Some anti-virus products (for example AVG, as of 17th Feb 2010) seem to miss the file.
The server builder component has the following capabilities:
- Create the server component
- Change the server component's port number and/or IP address
- Change the server component's executable name
- Change the name of the Windows registry startup entry
- Include rootkit to hide server process
- Include extensions to add features (adds 22,759 bytes to server)
- Use persistence (makes the server harder to remove from the infected system)
The client component has the following capabilities:
- Process Manager (Browse or kill running processes)
- File manager (Browse, upload, download, or delete files)
- Window Manager (Browse, close, maximize/minimize, or rename windows)
- Get system information
- Extract passwords from machine
- Keystroke logging
- Screen capture
- Webcam capture
- Desktop logoff, reboot or shutdown
- Registry editor
- Remote shell
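The indicators above (the default drop path, the Hidden + Read Only copy under C:\Windows, the two known server sizes, and the outbound TCP port 81 session) are enough for a simple host check. The script below is an added example, not code from the original post or from the malware author; it works on plain data (a directory listing, netstat-style lines, Run-key values) so it can be run offline, and every sample record in it is constructed, including the file name svchost32.exe and the Run-key name sysupdate.

```python
"""Offline hunt for the Bifrost server-component indicators described above.
Added example; the sample records at the bottom are constructed, not real."""
from pathlib import PureWindowsPath

SERVER_SIZES = {29_053, 29_053 + 22_759}   # bare server, server with extensions
DEFAULT_DROP = "c:/program files/bifrost/server.exe"
C2_PORT = 81

def suspicious_files(records):
    """records: (path, size_bytes, attribute_string) tuples from a directory listing.
    Flags the documented default drop path, and any Hidden+ReadOnly file under
    C:\\Windows whose size matches a known server build."""
    hits = []
    for path, size, attrs in records:
        p = PureWindowsPath(path)
        at_default = p.as_posix().lower() == DEFAULT_DROP
        hidden_ro = {"H", "R"} <= set(attrs.upper())
        in_windows = [s.lower() for s in p.parts[:2]] == ["c:\\", "windows"]
        if at_default or (in_windows and hidden_ro and size in SERVER_SIZES):
            hits.append(path)
    return hits

def suspicious_connections(netstat_lines):
    """Established TCP sessions to remote port 81 in 'netstat -ano' style output."""
    hits = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "ESTABLISHED":
            remote = fields[2]
            if remote.rsplit(":", 1)[-1] == str(C2_PORT):
                hits.append(remote)
    return hits

def suspicious_run_entries(run_values, flagged_paths):
    """Run-key values (name -> command line) that launch one of the flagged files."""
    flagged = {f.lower() for f in flagged_paths}
    return [name for name, cmd in run_values.items()
            if any(f in cmd.lower() for f in flagged)]

# Constructed sample data standing in for a live host (hypothetical names and IPs).
FILES = [
    (r"C:\Program Files\Bifrost\server.exe", 29_053, "A"),
    (r"C:\Windows\svchost32.exe", 51_812, "AHR"),   # server + extensions, hidden/RO
    (r"C:\Windows\notepad.exe", 193_536, "A"),
]
NETSTAT = [
    "TCP    10.0.0.5:49211    203.0.113.7:81      ESTABLISHED    2412",
    "TCP    10.0.0.5:49300    198.51.100.20:443   ESTABLISHED    1180",
]
RUN = {"sysupdate": r"C:\Windows\svchost32.exe", "OneDrive": r"C:\Users\a\OneDrive.exe"}

if __name__ == "__main__":
    files = suspicious_files(FILES)
    print(files, suspicious_connections(NETSTAT), suspicious_run_entries(RUN, files))
```

On a real host the three inputs come from a recursive directory listing with attributes, `netstat -ano`, and the HKLM/HKCU Run keys; an empty result from all three checks does not prove the host is clean, since the builder lets the operator change the path, file name, port and registry entry name.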