A Retrospective "TOuR" of Backdoor.Bifrose
Backdoor.Bifrose first came to our attention in 2004. It is a remote administration backdoor tool that allows unauthorized access to a compromised computer. Once installed, the malware has a range of capabilities, including: running processes, opening windows, opening a remote shell, stealing system information (such as passwords, and video game serial numbers), generating screen captures, and capturing video from a webcam, among other functionality. While Bifrose has been analyzed in the past, one of the more interesting features of the Trojan has been neglected or overlooked in most write-ups and analysis of the malware: its optional use of the Tor network. Tor, from the overview on their site:
“Is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.”
After a brief review of Backdoor.Bifrose, below, we’ll describe how the threat makes use of the Tor network using its “hidden services” functionality.
Backdoor.Bifrose is a backdoor detection mechanism for the Bifrost remote administration tool. Bifrost is a fully customizable application, complete with GUI and a basic manual. The configuration options allow a would-be attacker to specify methods of infection, a remote address to attempt to call home to, the Trojan’s installation directory, and some rootkit functionality. This makes common features difficult to predict as they are under the control of the attacker before infection takes place.
Once a computer has been infected, the malware launches Internet Explorer and injects itself into the program’s address space. The malware is now free to communicate with the configured, remote command-and-control (C&C) server without being flagged by system firewalls. The compromised computer will then send some configuration and identification information to the remote attacker, including IP number, hostname, active user, and the version of the client.
When the connection to the C&C server is established, the compromised computer is then under the complete control of the remote attacker. Communication between a compromised computer and the associated C&C server is carried out using an encrypted connection. The Trojan’s C&C servers are typically hosted using a Dynamic DNS, hostname listening on port 81. This predictable pattern of C&C hosts and non-standard IP port made identification of a compromised computer quite trivial based on some cursory analysis of network traffic.
One of the interesting features of the Backdoor.Bifrose Trojan is its modular structure. During infection, the Trojan can install or download the file, “addon.dat.” This file is an encrypted plug-in for the Trojan that provides additional functionality to the attacker, but is not necessary for the basic operation of the Trojan. Thus, the functionality of the malware can be further extended depending on additional plug-ins.
Roughly two years after its initial release, an updated Bifrost was released with some additional, suspicious behaviour. A new plug-in for the Trojan had been developed that, again, could be optionally downloaded or packaged with the threat. The malware’s authors included additional functionality that allowed the malicious C&C protocol to be carried out using Tor routing.
Tor is more generally associated with maintaining client-side anonymity. For example, a user can prevent a remote site from knowing his or her IP address. However, a lesser known feature of Tor is that it enables server-side, or receiver, anonymity. This functionality is known as hidden services.
The use of the Tor network as a communication medium for Trojans is a novel idea and adds an extra layer of stealth and security to the Trojan. The communication method is the same as before, an injected thread in Internet Explorer, but now the Trojan can attempt to call back to a C&C server using Tor’s Hidden Service Protocol.
Figure 1: Bifrose Trojan calling back to its C&C server using Tor’s hidden service protocol
Tor’s hidden services allow users to offer Internet services while remaining anonymous. This is done using internal .onion hostnames. These domains are not actual top level domains (TLDs), but are internal domain names for the Tor network and are only routable from within the Tor network. An .onion domain name is generated on the computer that wishes to provide the hidden service, for example a hidden Web server.
Figure 2: An example of Tor's hidden services.
A unique .onion hostname is generated for the hidden Web server (e.g.: 1aqqwrr3444abtsa.onion). Once the hidden server is connected to the Tor network, it can now be accessed through the .onion hostname and begin to accept connections and provide services anonymously. This type of behavior is very useful from a Trojan’s perspective as it provides a secure communication method while keeping the remote server anonymous. A further benefit for Trojans using Tor routing is the inherent encryption required to use the Tor network. This increases the difficulty of analyzing the communications between the compromised computer and the remote server.
The Tor plug-in for Backdoor.Bifrose requires an .onion hostname to be hardcoded into the Trojan at build time. Once a computer is infected with the Tor version of the Trojan, an injected thread within Internet Explorer attempts to call the Tor-related functions of the plug-in. The Tor plug-in contains the following functions that allow the Bifrose Trojan to use Tor routing: torInit, torConnect, torRead, torWrite, torClose, torShutdown. The Trojan can now operate as normal using the plugged-in Tor functionality to obfuscate communications and preserve the anonymity of the remote C&C server. This behavior also frustrates attempts to block the remote connections at firewall level as no IP or unusual remote port was used.
Since 2004, the popularity of Bifrost has dropped significantly, the remote administration tool is no longer actively developed by its original authors, and the Tor plug-in no longer works. While we have seen a number of private builds, identifiable by their version numbers, it seems the Trojan is reaching the end of its lifecycle. It remains as one of the first examples of a Trojan actively using the Tor network to obfuscate its remote communications.
Symantec currently detects this family of Trojans as Backdoor.Bifrose. Symantec recommends that you keep your definitions and signatures up to date to ensure protection against threats mentioned in this blog.
Thanks to Gavin O’Gorman for his input on this blog.