Privacy Software Corporation Security Advisory
Tuesday, December 9, 2003
 
 BEAST 2.05 TROJAN HORSE PROGRAM

[Screenshot: the Beast creator screen. The trojan itself is invisible.]
 

SYNOPSIS:

A malware author known as "Tataye" has created a series of "The Beast" trojans, originally known as the "Ulysses" trojan, dating back to May of 2002. As of his "18" version of Ulysses, the trojan was renamed "Beast," and it has gone through several iterations since. Through its many iterations, "Beast" suffered reliability problems which kept it largely a "zoo" trojan not commonly found in the wild until recently. As of his 1.90 release, "Beast" has possessed "DLL injection" capability, using code that was originally "open sourced" in the original "Back Orifice" trojan. Recently released trojans in the "Beast" series suffered a number of technical flaws which caused them to fall into disfavor among those who distribute these, owing to their complexity and the problems that complexity caused on "victim machines" in the wild. It failed to function in most installations and was easily detected and disposed of.

On December 9, 2003, with the release of "Beast 2.05," Tataye has finally overcome the flaws in his design and has issued a fully functional backdoor RAT with significant new capabilities, as well as stabilization of the original capabilities. These include DLL injection into other processes so as to achieve "stealth," firewall and antivirus killing (which disables antivirus and other security programs entirely), injection into the memory space of "trusted programs" permitted to access the internet, and numerous other features commonly found in many backdoor trojans, including firewall bypassing (FWB), remote thread injection, cloaking, process stealthing, ActiveX startup, password enumeration and theft, the ability to use tunneling in local area networks, port stealthing and many other techniques.

In the author's own words, the following additional features have been added to "Beast 2.05" in addition to the stabilization of prior "features" as described above:

Before using this program it is STRONGLY RECOMMENDED to read
the help within the executable (click the Help button).

What's new:

 - LANBypass feature (reverse connection)
 - plugin system
 - sped up the transfers (recoded from scratch)
 - DialUp passwords support
 - better multithreading
 - statistics window
 - multilanguage help
 - many improvements: Screen Manager, KeyLogger, FileManager etc.
 - fixes: 9x crashes (with email notification), webcam etc.

Important:

 - only 1 beast server is allowed on a machine, no matter what version
 - you can't update the older servers (2.02, 2.01) from the Beast 2.05 client

Screenshots of two of the edit server screens are shown below to give an idea of how configurable the trojan is to suit a particular attack. Each configuration option changes the structure of the resulting server file, so the file produced varies with every combination of settings. This makes file-scanning (signature) detection methods difficult.

[Screenshot: main screen of the "Beast 2.05 Edit server"]

[Screenshot: miscellaneous settings screen of the "Beast 2.05 Edit server"]

While "DLL/memory/process injection" is now done by many backdoor trojans and dates back to the 1990's, Beast 2.05 is the first release in which this particular author has perfected it. In addition, "The Beast" received a lot of attention in the media at a time when it was not actually a serious threat owing to its instabilities. Because of this prior, undeserved attention, along with its many new capabilities, it has already proven to be more popular than any prior backdoor, with over 900 downloads on one host site that has a counter, many more from the author's underground site, and heavy activity on the hack/crack IRC channels. We expect to see massive use of this backdoor in the coming days.

An example of the DLL injection capabilities can be seen below in a screenshot taken from one of our in-house laboratory tools. Here the trojan has been injected into Internet Explorer, which is typically a "trusted application" to most firewalls, so the trojan "piggybacks" on top of IE's permission to reach the internet. We have highlighted the "DXDGNS.DLL" injection in yellow in the "threads" listing so you can see it injected into Internet Explorer:

[Screenshot: our in-house tool showing the injection into IE]
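The listing above shows the kind of evidence a module or thread inspection tool gives a defender: a DLL that does not belong mapped into a process the firewall trusts. The script below is an added illustration for this advisory, not BOClean's detection logic and not code from the trojan's author. It takes a per-process module inventory (here a constructed sample shaped like such a tool's export) and flags three things: a module whose file name matches the DLL named in this advisory, a module loaded into a trusted process from outside the directories a stock install would use, and the same non-system DLL appearing in several unrelated processes, which is the footprint remote-thread injection leaves. The directory list, process names, pids and every path other than the DXDGNS.DLL file name are assumptions made for the example.

```python
"""Flag DLLs injected into "trusted" processes from a module inventory.

Added example for this advisory; it is not BOClean's detection logic and not
code from the trojan's author.  The inventory below is constructed to look like
the per-process module/thread listing an inspection tool would export.
"""
from collections import defaultdict
import ntpath

# Directories from which a stock Windows install would legitimately load
# modules into Internet Explorer (assumption: default install paths).
EXPECTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\program files\internet explorer",
)

# DLL name the advisory reports being injected into Internet Explorer.
KNOWN_INJECTED = {"dxdgns.dll"}

# Processes most personal firewalls treat as trusted, and therefore the ones
# a backdoor piggybacks on (the advisory names Internet Explorer).
TRUSTED_PROCESSES = {"iexplore.exe"}

# Constructed sample inventory: (process name, pid, full module path).
# Paths and pids are made up for the example; only the DXDGNS.DLL name comes
# from the advisory, and its location here is an assumption.
SAMPLE_INVENTORY = [
    ("iexplore.exe", 1184, r"C:\WINDOWS\system32\ntdll.dll"),
    ("iexplore.exe", 1184, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("iexplore.exe", 1184, r"C:\WINDOWS\system32\DXDGNS.DLL"),
    ("explorer.exe", 952, r"C:\WINDOWS\explorer.exe"),
    ("explorer.exe", 952, r"C:\WINDOWS\system32\DXDGNS.DLL"),
    ("svchost.exe", 812, r"C:\WINDOWS\system32\kernel32.dll"),
    ("iexplore.exe", 1184, r"C:\Documents and Settings\user\Local Settings\Temp\helper.dll"),
    ("svchost.exe", 812, r"C:\Documents and Settings\user\Local Settings\Temp\helper.dll"),
]


def _normalize(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _in_expected_dir(npath, expected_dirs):
    """True when the (normalized) module path sits under an expected directory."""
    return any(npath.startswith(d + "\\") for d in expected_dirs)


def find_injected_modules(inventory, expected_dirs=EXPECTED_DIRS,
                          known=KNOWN_INJECTED, trusted=TRUSTED_PROCESSES):
    """Return (process, pid, module_path, reason) for each suspicious row.

    Reasons, applied in priority order so each row gets at most one:
      known-bad  - file name matches a DLL the advisory attributes to Beast
      odd-path   - loaded into a trusted process from outside expected dirs
      cross-proc - the same non-system DLL shows up in two or more distinct
                   processes, the footprint remote-thread injection leaves
    """
    findings = []
    flagged = set()
    hosts_by_module = defaultdict(set)

    # First pass: name and path checks, and record which processes host
    # each module that lives outside the expected directories.
    for proc, pid, path in inventory:
        npath = _normalize(path)
        name = ntpath.basename(npath)
        expected = _in_expected_dir(npath, expected_dirs)
        if not expected:
            hosts_by_module[name].add(proc.lower())
        if name in known:
            findings.append((proc, pid, path, "known-bad"))
            flagged.add((proc, pid, path))
        elif proc.lower() in trusted and not expected:
            findings.append((proc, pid, path, "odd-path"))
            flagged.add((proc, pid, path))

    # Second pass: a module outside the system directories that has been
    # mapped into several unrelated processes is worth a look even when no
    # single host process is on the trusted list.
    for proc, pid, path in inventory:
        if (proc, pid, path) in flagged:
            continue
        name = ntpath.basename(_normalize(path))
        if len(hosts_by_module.get(name, ())) >= 2:
            findings.append((proc, pid, path, "cross-proc"))

    return findings


if __name__ == "__main__":
    for proc, pid, path, reason in find_injected_modules(SAMPLE_INVENTORY):
        print(f"{reason:10} {proc} (pid {pid}): {path}")
```

On the constructed sample this reports the DXDGNS.DLL rows in both Internet Explorer and Explorer as known-bad, the Temp-directory DLL in Internet Explorer as an odd path, and the same Temp-directory DLL in svchost.exe as a cross-process hit. The name match is the weakest of the three checks, since the advisory notes that each server build differs; the path and cross-process heuristics do not depend on the file name at all.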

As of this report, copies have already been seen in a number of usenet newsgroups and in peer-to-peer networks such as Kazaa, eDonkey and others, masquerading as harmless downloads. This is the reason for our concern. In addition, this trojan received a considerable amount of press earlier, when it was dysfunctional and hardly a concern. Given that prior notoriety, this particular trojan is being embraced by the network of "script kiddies," and the number of downloads in its first day exceeds those of classic trojans such as Netbus, BioNet and Sub7; it is now of equal caliber.

[Screenshots: executable detected by BOClean; injected DLL detected by BOClean]

Privacy Software Corporation's BOClean 4.11 software, designed to detect and defeat trojan horse programs, is fully effective in removing these servers regardless of the filename or manner of delivery and, as is the case with other trojans, can also disable this program instantly upon detection. BOClean will also remove the files and registry hooks without the need to disconnect from the internet or reboot the victim's machine.
 

COPYRIGHTED MATERIAL:

Copyright (c) 2003 by Privacy Software Corporation.

Permission is granted for the retransmission of this advisory by electronic means. It is not to be edited in any way without the express consent of Privacy Software Corporation. Requests to reprint this information in whole or in part should be directed to technology@privsoft.com.

Disclaimer: The information within this advisory may change without notice and is provided by Privacy Software Corporation AS IS. No warranties, express or implied, are provided with respect to this information nor should any be construed by the transmission of this information. Any use of this information or its recommendations is solely at the risk of the user.

Contact Privacy Software Corporation at http://www.privsoft.com, http://www.nsclean.com, email to technology@privsoft.com. Privacy Software Corporation reserves the right to refuse transmission without further explanation. Under the provisions of Privacy Software Corporation's customer and website privacy policies, we cannot divulge email from our customers regarding their experiences with these trojan horse programs nor can we divulge their identities under any circumstances.
