Author Topic: "The Beast" new trojan  (Read 657 times)

Offline Ulysses

  • Member
  • **
  • Posts: 769
"The Beast" new trojan
« on: October 17, 2003, 02:59:06 PM »
Got this from the support alert mailing list:

EDITORIAL

I have seen The Beast and my heart has been smitten with fear.

No, folks, I haven't gone all religious. I'm talking about this year's hot trojan horse called "The Beast."

The Beast is one of the new generations of "process-injecting" trojans. To avoid detection these trojans attach themselves to a process that forms a key part of the Windows operating system itself.

In the case of The Beast, the processes chosen for infection are winlogon.exe and explorer.exe. These have been selected because they are always present on any XP/2000/NT-based PC.

This stealthing approach makes The Beast particularly hard to detect. Certainly a normal process scanner won't reveal its presence and almost all common anti-virus scanners will miss it as well.

Killing the trojan is also difficult as it resides within a process essential for the operation of Windows. Killing the process will also kill Windows.

And if you think that the .dll checksum feature in your firewall will help you, think again. The particular version of The Beast I tested came with a module that pulled down 32 of the most popular firewalls and anti-virus scanners and many anti-trojan monitors as well.

Watching a PC being infected by this kind of trojan is a scary experience. Terrifying, actually.

I ran The Beast on a test PC set up with the same extensive protection that I use on all my normal working PCs.

I just sat by and watched Norton Anti-Virus 2003 disappear, closely followed by my Sygate Personal Firewall Pro and the BoClean anti-trojan monitor. Not only were these defenses pulled down, they were permanently destroyed so they could not be restarted.

Once The Beast has infected your PC the attacker essentially has complete control. He/she can view, upload or erase any of your files and log all your keystrokes including all your passwords. Worse still, you may not even know your PC is infected.

So what do you do to protect yourself against these evil products?

Well, practicing "safe hex" is a start. You can get a free guide to what's involved at http://www.claymania.com/safe-hex.html, and you'll find lots more if you do a Google search under "safe hex."

But it's almost impossible to practice 100% safe hex. In fact, doing so would, for many users, just about ruin the pleasure of using their PC. It would mean, for example, not downloading any programs, movies or other executables, as well as a total end to file sharing.

If you are not prepared to make this sacrifice, you should protect yourself using every weapon available. A regularly updated anti-virus program is mandatory as is a robust firewall. You should also seriously consider a specialist anti-trojan program with powerful file scanning capabilities so that you can detect trojans before they are executed.

Even here the news is not all good. There are a lot of anti-trojan programs available but frankly only two of them cut the mustard. These are TDS-3 and Trojan Hunter 3. Most of the others are useless against the latest generation of trojans.

I know this opinion will offend a lot of people who have their own favorite anti-trojan programs. I know too, it will offend many vendors. However I'm prepared to stand by what I think and have documented the reasons over at http://www.anti-trojan-software-reviews.com.

Trojans are becoming ever more sophisticated. Each new trojan generation becomes more difficult to detect and is armed with ever more aggressive weapons aimed at your defenses.

There will never be 100% protection. I wish I could tell you otherwise, but this, unfortunately, is the harsh truth.

Gizmo Richards.

mailto:editor@techsupportalert.com

Offline idolkosimanoy

  • Member
  • **
  • Posts: 1049
"The Beast" new trojan
« Reply #1 on: October 17, 2003, 03:51:59 PM »
@Ulysses:

is this the same "beast" by tataye? tried d/l it but was intercepted by mcafee 6.0. first, i was prompted by mcafee if i wanted it to be deleted. so i chose yes. but, funny thing, it was not deleted. then i opened the folder containing the zip file, scanned the zip and again was prompted by mcafee on the course of action. this time i was successful in deleting the file. will try testing again...

dang, have to update my anti-virus prog and firewall apps...!  =(
"West travelling East, seeking that of which was lost!" - A Widow's Son

Offline dean

  • Administrator
  • Member
  • *
  • Posts: 3618
    • http://www.pinoypc.net
"The Beast" new trojan
« Reply #2 on: October 17, 2003, 04:04:59 PM »
sounds like a scary...
Make yourself heard

clown

  • Guest
"The Beast" new trojan
« Reply #3 on: October 17, 2003, 07:55:24 PM »
do the netstat command in dos and see the active network connections.

It would probably hurt even more if that trojan were compressed as well.
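
Added example, not part of the original posts: one way to act on the netstat suggestion above is to read `netstat -ano` output (the `-o` column gives the owning PID) and list the sockets owned by the two processes the editorial names as injection hosts, winlogon.exe and explorer.exe. The sample output, addresses, PIDs and the PID-to-name table are constructed; in practice the table would come from `tasklist`.

```python
import re

# Processes the editorial names as injection hosts.
WATCHED = {"winlogon.exe", "explorer.exe"}

# Constructed sample of `netstat -ano` output (addresses, ports and PIDs are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:40123          0.0.0.0:0              LISTENING       620
  TCP    192.168.1.10:1043      203.0.113.7:80         ESTABLISHED     1520
  TCP    192.168.1.10:1051      198.51.100.23:9999     ESTABLISHED     1412
  UDP    0.0.0.0:500            *:*                                    696
"""

# Constructed PID-to-image table, standing in for `tasklist` output.
SAMPLE_PIDS = {620: "winlogon.exe", 696: "lsass.exe", 884: "svchost.exe",
               1412: "explorer.exe", 1520: "iexplore.exe"}

# The State column is empty for UDP rows, so it is optional in the pattern.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield one dict per socket row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            yield {"proto": proto, "local": local, "remote": remote,
                   "state": state or "", "pid": int(pid)}

def sockets_of_watched(text, pid_names, watched=WATCHED):
    """Return listening/established sockets owned by a watched process image."""
    hits = []
    for row in parse_netstat(text):
        name = pid_names.get(row["pid"], "?").lower()
        if name in watched and row["state"] in ("LISTENING", "ESTABLISHED"):
            hits.append((name, row["proto"], row["local"], row["remote"], row["state"]))
    return hits

if __name__ == "__main__":
    for hit in sockets_of_watched(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print("review:", *hit)
```

A hit is a lead to compare against a known-clean baseline of the same machine, since the socket is reported under the host process rather than under any separate trojan process.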

Offline Ulysses

  • Member
  • **
  • Posts: 769
"The Beast" new trojan
« Reply #4 on: October 17, 2003, 08:07:32 PM »
@idolkosimanoy: I don't know anything about that trojan, it just sounded nasty enough to post here as a warning.

Offline idolkosimanoy

  • Member
  • **
  • Posts: 1049
"The Beast" new trojan
« Reply #5 on: October 18, 2003, 09:52:42 AM »
@Ulysses:

yep, that's one nasty trojan! its nastiness comes from its simplicity (i've seen the code...).

to the rest, just follow the simple rule of not opening questionable attachments even if they come from one of your contacts. if you're not expecting any attachments from your friends/colleagues then don't open them. also, always check the filename (i have encountered attachments like this: <filename>.jpg.scr and <filename>.pps.exe), especially if your configuration is to hide the extension name of commonly known files (the last name, i.e. .scr or .exe, is the true extension name and is considered executable by windows OS).
"West travelling East, seeking that of which was lost!" - A Widow's Son
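
Added example, not part of the original post: the filename check described in the reply above, written as a small attachment triage. The two extension sets are assumed subsets chosen for illustration, the sample names are constructed, and the "shown as" value assumes every extension in either set is a registered file type that Explorer hides.

```python
import os

# Final extensions Windows will run when double-clicked (assumed subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Inner extensions that make a name read as a picture or document (assumed subset).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".xls",
              ".pps", ".ppt", ".pdf", ".mp3", ".avi", ".zip"}

def check_attachment(filename):
    """Classify one attachment name by its true (last) extension.

    Returns the true extension, the name a user sees when known
    extensions are hidden, and a verdict: 'block', 'warn' or 'ok'.
    """
    # Keep only the file name; accept either path separator.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing spaces and dots, so normalise them away.
    name = name.strip().rstrip(" .")
    stem, true_ext = os.path.splitext(name)
    true_ext = true_ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()

    if true_ext in EXECUTABLE_EXTS and inner_ext in DECOY_EXTS:
        verdict = "block"   # reads as a document, runs as a program
    elif true_ext in EXECUTABLE_EXTS:
        verdict = "warn"    # honest name, still executable
    else:
        verdict = "ok"
    # With "hide extensions for known file types" on, only the stem is shown.
    shown = stem if true_ext in EXECUTABLE_EXTS | DECOY_EXTS else name
    return {"true_ext": true_ext, "shown_as": shown, "verdict": verdict}

# Constructed attachment names for the demonstration.
SAMPLE_ATTACHMENTS = ["holiday.jpg.scr", "Slides.PPS.EXE", "setup.exe",
                      "notes.v2.txt", "C:\\mail\\pic.gif.pif "]

def triage(names):
    """Return (name, shown_as, verdict) for every attachment that is not 'ok'."""
    out = []
    for n in names:
        r = check_attachment(n)
        if r["verdict"] != "ok":
            out.append((n, r["shown_as"], r["verdict"]))
    return out

if __name__ == "__main__":
    for name, shown, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{verdict:5} {name!r} is displayed as {shown!r}")
```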

Offline blahz

  • Member
  • **
  • Posts: 776
"The Beast" new trojan
« Reply #6 on: October 18, 2003, 10:08:07 AM »
Big deal, a lot of new variants and new kinds of trojans/viruses get released a lot.

Well that's another addition to the AV center dbase.
Greed begets stupidity. - TNT2Bluz