AT Question

Discussion in 'other anti-trojan software' started by Bethrezen, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    > no vendor will give you ... as a present ...

    I repeat my wrong impression about the helpfulness among developers / con-colleagues.

    EDIT:
    See how much learning experience as a top security software beta tester you added to your skills by now, all for free and because you like it so much as your biggest hobby you told the other time, so all are doing you great favors!
    I don't think you're a trojan vendor, so now I am asking you very kindly for the samples to the address posted above, as only the specialists can decide what they want.
    Pretty please with blue eyes and cream on top? Thanks!
    It enhances your own registered copy of TDS too (if the code would not already be covered somehow).

    BTW I see you don't use sockets nor exec protection o_O
     
  2. aguest

    aguest Guest

    @Wayne

    a)
    "you've been using it for many months (as your posts have shown), yet you're not a registered customer. Can you kindly explain how this is possible?"

    This possibility results from a TDS-3 design flaw. I have already sent an email to Gavin and explained how it works ... ;-)

    b)
    All jokes aside: I consider the detection of the Beast trojan a problem. This trojan has been downloaded more than 10.000 times from the developer's webpage. The TDS signature used for the object memory scan is not safe since it is based on the trojan's name and can easily be hex-edited. Therefore, it would be great if you could add additional signatures for any variants of this popular trojan.


    @Seltsam

    I can confirm your findings. The Beast 1.92 variants contained in our test archive are also not detected by TDS. Do you know the reason for the many Beast variants? Is this trojan polymorphic or do the developers just upload newly compiled versions under the same version number?

    If it is a polymorphic trojan DCS should use a tool like Unisyn AutoMate to generate a multitude of servers. (Kaspersky's signature database indicates how many variants exist.)

    If it is not polymorphic please be kind and send your variants to DCS.
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Andreas, I understand what you mean, but APM is purely an experimental utility that we don't even sell - it's completely free, but it's not meant for anti-trojan purposes, and it's not made for corporate use. It has an Unload DLL function that we could easily expand to use for trojan disinfection if we wanted, but it's not really an option for the reasons I mentioned before (re: company security policies) - yes, APM would violate most security policies in the same way that TH does, but APM isn't a security program as such, nor is it designed for use in corporations (only for personal use and use by individuals), so company security policies aren't an issue with a program like APM, but they are with security programs like anti-virus/anti-trojan/firewall software.
     
  4. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Thanks for the heads-up, Andreas. I trust you've informed PSC that there's an issue, since their database purportedly detects all variants of this?
    ;)
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Wow


    Being someone with very little knowledge on this subject, I'd really like to hear from Kevin at BOClean on this matter.
    Can anyone else out there confirm Andreas' findings?


    Snowbound
     
  6. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    So no point asking for some? Well ok - how about sending those variants in, if they aren't detected ;)

    At about Beast 1.9 the author decided to upload new recompiled versions and not tell anyone. A lot of downloaders didn't even know it. The only samples around that AV have are those which are submitted by people who realise it's a trojan, or that were suspicious.

    Since AV get all their files by submissions, it's easy to realise there are a lot of variants and trojans completely unknown to AV scanners - but TDS detects a lot of them due to collecting them quickly, and a lot of variants are detected by other scan methods - as you say, by memory scanning.
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    geeeeeeeeez! :eek:

    What a monster this beast is. You're right JimIT, that article is an eye opener.

    Nancy seems to think the test was run on the 4.10 version so I guess u can take solace from that.

    I like BOClean because it is so easy to use but for some reason I have my doubts on its abilities in handling this trojan.

    Can BOClean and TDS be run together happily?

    TDS is confusing to me but I've read many forums here about its excellent trojan detection.

    Thanks JimIT

    Take care
    Snowbound
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just for clarity, TDS detects BEAST 1.7, 1.72 and 1.73 (which is the same as 1.7 Final) as Ulysses:

    Scan Control Dumped @ 12:47:39 05-11-03
    Positive identification: RAT.Ulysses 1.73
    File: e:\beast\1.7 final\dropped\hservms.exe

    From 1.72 from memory he renamed it to BEAST but we didn't. From v1.8 (which is detected, so I'm not sure about your sample Andreas) we decided to agree and call it BEAST instead :D
     
  10. Andreas Haak

    Andreas Haak Guest

    Tested using a Windows 2000 Administrator account, BOClean 4.11 and DLL injection into explorer.exe :). But well ... I already sent the server to PSC.
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Andreas we received the servers from you, kind thanks for that.
     
  12. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Yes that is kind of you to send what you have to both PSC and DCS. ;)
     
  13. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    When and where did you send it? Just spent a half hour looking around for it. Never received any.
     
  14. Andreas Haak

    Andreas Haak Guest

    Sorry, my fault. Something went wrong. Resent the server to nancymca@privsoft.com ... .
     
  15. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    The file was received on your retry. Thank you.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Seeing Snowbound's question unanswered:
    Yes, you can run TDS and BOClean very fine together on one system.
    It's still a pity BOClean has no evaluation version, to try before you decide to keep them both; on the other hand they also have a very good money-back policy (just in case).
    For sure in several weeks you're going to ask the same for the next TDS-4 families: no problems expected in those either.


    We all see the questions are taken very seriously by all developers involved here, cooperating and dealing with the beast!
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Thanks Jooske! :D

    That's all I need to know.
    TDS will be going in my box for sure now. I've already trialed it, just waiting for confirmation on BOClean and TDS being a happy family.

    Hey Jooske, I've had WormGuard for a long time now. Great product. Saved my bacon more times than I like to remember. Do u know if the release date will be the same for both products?

    Take care
    Snowbound
     
  18. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I trialed TDS long before I had BOClean.

    Just so that is clear. :oops:
     
  19. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    geez, gotta learn to check
    my message before i post ;)
     
  20. Well, I know Nancy told me not to say anything, but I just can't stay quiet after what I've been put through, having to go back through 22 versions and 220 different variants of "Beast," constructing new servers in each of the permutations and testing each and every one since Andreas' original posts didn't quite identify WHICH "Beast" wasn't supposedly detected by BOClean. So all the way back to Tataye's Ulysses and everything in between kept me trapped in the lab for better than 16 hours before we finally got a copy of the file in question. Sorry for not having the time to stop in here prior to now, but for us if there's a problem all hands go to locating and/or solving it. Public relations efforts are not a priority to us - getting to the bottom of a situation is.

    Upon receipt, prior to my getting some much needed sleep, first order of business was to get Andreas' "server" down to the lab. As soon as it was run, it was immediately detected, the "Beast" that he sent was detected as "Ulysses 17B" (which is the MSGDPP.COM file that's placed into the COMMAND subfolder for autostart protection) and the "BSTREM1" DXDGNS.DLL component was immediately shut down as soon as it started. So I went to bed. As it turns out, claims that BOClean "does not detect" are FALSE! Same for the "cannot handle injections" nonsense. In fact, the version that Andreas was using is actually one of the EASIER beasts to deal with. Some of them intertwine so severely that a reboot is required for a couple of the configurations that have bugs in them as they'll just wedge the system entirely when removed.

    So ... although I've been advised by management NOT to have posted this, I would like to offer a proposal. There's nothing worth doing an update for tonight, so in the interest of allowing a fair and IMPARTIAL observer here to perform a test, we'll NOT do an update for 24 hours from now in order to ensure that there's no "hanky panky" after having received Andreas' "server" if someone here who has BOClean wants to do a Google for "Beast" and download the trojan and run it against BOClean and post impartial test results. If Paul W or anyone from Wilders.org wants to do it, contact Nancy for a copy of the file that Andreas sent claiming it's undetectable and see for yourself. His was "220" as we name them, version "2.02" on the Beast download site.

    I'm rather angry that I've been put through yet another "scareware" episode in order to make a competitive product that Andreas is involved with look like the "only solution" when in fact "injectors" have been around for EONS. Might be news to the newcomers in the security business, but anyone who's gotten a dose of "spyware" has had an injector in their machine. In fact, the first major injector that wasn't a "concept virus" was known as Back Orifice 2000 (BO2K) released over 3 years ago. AND they published their "how to" source code at the time. Other trojan toolkits like "Elirt," "afxCode" (which is what is in the Beast) and "Madshi" derive from the original open source "Back Orifice/Cult of the Dead Cow" code. There's literally THOUSANDS of "injectors" out there. Nothing special about "Beast" at all.

    As is the case with many of these turdhunts, a lot of time was wasted over nothing, and our customers have had to suffer delays in responses from us as a result. I'm NOT a happy camper.
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Snowbound, WG will most probably not be released on the same date, but soon, so watch the WG forum for news about that.
    Completely rewritten from scratch, so even fewer compatibility problems, if any were ever to be expected.
    So be happy with BOClean, TDS, WG (and more) all together on your system.


    Kevin, thanks for dropping by and the fine information and confirmation. Your outstanding support and user friendliness are known all over the internet, so I just mentioned the money-back policy for those who might have forgotten that part :)
    I'm sure all people will appreciate your explanation here and I hope it will take away some fears. It will be good for something and you might like to use it as a little white paper on your sites.
    Experience comes with doing it, knowledge comes with the years - people's ages have been mentioned more often in this connection, and every time when AH was involved.
    BO2K was released 10 July 1999, with lots of promotion. It's been mentioned in lots of connections to other nasties; it looks like its release changed the world from more or less safety into what keeps AT fighters very busy.
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Hi Kevin,

    We do have a copy of the file, and confirm your statement.

    Take good care and have a good rest,

    regards.

    paul
     
  23. Andreas Haak

    Andreas Haak Guest

    May I ask what operating systems you used?

    Tested it with Windows 98 SE and Windows 2000 so far.

    Could you please check if the file is digitally signed by me, Paul? Just to be sure ... .
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Andreas,

    Will do ;)

    regards.

    paul
     
  25. aguest

    aguest Guest

    @Kevin & Paul

    Could you please clarify:

    Does BOClean detect the DLL injector (.exe file) or the trojan DLL itself, i.e., does BOClean's mem scanner offer a full module scan or merely a process scan?

    IMHO it is not safe to merely detect the injector because custom injectors or stand-alone injectors like Nuclear Inject can be used instead. Moreover, there is the possibility to statically inject a DLL.

    Thanks.

    Btw.: There was a big thread at the dslreports security forum where TDS and several other scanners failed to detect y3k samples patched with a hex editor. I believe that nobody (including Wayne) has mentioned yet that TDS was able to detect the patched samples right from the beginning. Only the TDS file scanner but not the memory scanner was affected. By contrast, the other scanners were completely unable to detect the patched samples.
     
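An added example (not code from the thread, nor from DiamondCS or PSC) of the distinction aguest asks about: a memory scanner that checks only the process image misses a trojan DLL injected into explorer.exe, while one that walks every loaded module catches it, and it does so on code bytes rather than on a name that a hex edit would change. The processes, module bytes, patterns and signature names below are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Module:
    name: str
    image: bytes  # bytes the scanner reads from the module's memory (constructed here)

@dataclass
class Process:
    pid: int
    name: str
    modules: List[Module] = field(default_factory=list)  # modules[0] is the main image

# Hypothetical signatures keyed on code bytes, not on a file or trojan name: a
# name-based signature is lost the moment the name is hex-edited, as noted in the thread.
SIGNATURES = {
    "RAT.Constructed.Injector": b"\x55\x8b\xec\x68INJECT",
    "RAT.Constructed.DLL": b"\x8b\xff\x55RESIDENT",
}

def scan_bytes(data: bytes) -> List[str]:
    """Names of every signature whose byte pattern occurs in the data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]

def scan_process(proc: Process, full_module_scan: bool) -> List[Tuple[str, str]]:
    """(module, detection) pairs. A process scan looks only at the main image; a
    module scan also covers every DLL mapped into the process, injected ones included."""
    targets = proc.modules if full_module_scan else proc.modules[:1]
    return [(m.name, hit) for m in targets for hit in scan_bytes(m.image)]

# Constructed snapshot: explorer.exe itself is clean, but a trojan DLL has been injected.
CLEAN_HEADER = b"\x4d\x5a\x90\x00"
EXPLORER = Process(1234, "explorer.exe", [
    Module("explorer.exe", CLEAN_HEADER + b"\x00" * 32),
    Module("kernel32.dll", CLEAN_HEADER + b"\x00" * 32),
    Module("injected.dll", CLEAN_HEADER + b"\x8b\xff\x55RESIDENT" + b"\x00" * 8),
])
# The loader that performed the injection. Catching it alone is not enough, because a
# custom or stand-alone injector could have dropped the same DLL without it.
LOADER = Process(4321, "loader.exe", [Module("loader.exe", CLEAN_HEADER + b"\x55\x8b\xec\x68INJECT")])

if __name__ == "__main__":
    print("process scan of explorer:", scan_process(EXPLORER, full_module_scan=False))
    print("module scan of explorer: ", scan_process(EXPLORER, full_module_scan=True))
    print("process scan of loader:  ", scan_process(LOADER, full_module_scan=False))
```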