Attention BOClean users - update! Beast 2.05 on the loose

Discussion in 'other anti-trojan software' started by Kevin McAleavey, Dec 10, 2003.

Thread Status:
Not open for further replies.
  1. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    URGENT! Update your BOClean as QUICKLY as you can! Doubleclick the traybar icon and close it and BOClean will automatically update within four minutes or select the "Check for updates" button. Once the update is collected manually, click the "Reload/test update" button to effect the update if you're doing it manually.

    The REASON for the urgency is that a new BEAST 2.05 RAT was released a couple of hours ago and it truly *is* a "beast." Because of the hype by one antitrojan vendor, over 800 copies have ALREADY been downloaded from just one of its host sites. This is a SERIOUS threat simply because of its popularity. And unlike previous versions of the "Beast," THIS ONE WORKS!

    In addition to previous "features" such as firewall and antivirus destruction, the ability to inject itself into ANY process and memory, we have a VERY serious threat on the loose. To quote the author:
    ----------------------------------
    What's new:

    - LANBypass feature (reverse connection)
    - plugin system
    - speeded up the transfers (recoded from scratch)
    - DialUp passwords support
    - better multithreading
    - statistics window
    - multilanguage help
    - many improvements: Screen Manager, KeyLogger, FileManager etc.
    - fixes: 9x crashes (with email notification), webcam etc.
    -------------------------------

    PLEASE UPDATE YOUR BOCLEAN IMMEDIATELY so that you're covered as always. At the time of this alert, none of the other antitrojan or antivirus vendors have dealt with the new "Beast."

    Six new nasties today for a total of 2641 UNIQUE trojans (15,047 trojans, rootkits, adware, spyware, keyloggers and other malware in total, including all variants) covered in today's update for BOClean 4.11. Come and get it at:

    http://www.nsclean.com/update.html

    Doubleclick on your BOClean traybar icon and select "check for update" to have BOClean 4.11 automatically collect and install your update for you. BOClean 4.11 can perform an autoupdate if configured to do so. If you have problems with the autoupdate program, check your firewall settings - we use passive FTP download instead of the more conventional HTTP method and some firewalls may refuse to allow the program to connect unless you set rules to permit the BOClean autoupdate program to collect them. Please consult your firewall's instructions on how to do this if the update program is stopped or crashed by your firewall.

    You can also click down below to download directly from this email if your security settings permit by using the link below:

    ftp://ftp.nsclean.com/pub/411upd.exe (BOClean 4.11)

    Click the above to download. The update is safe to run from the internet if you'd like for automatic install from this email.

    Please also note that if you ever miss an update (or several) the update you collect includes *ALL* previous update information. There is no need to go hunting down other updates. The current one is always complete.
     
  2. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    "Book report" on Beast 2.05 completed if anyone's interested:

    http://www.nsclean.com/psc-bst.html
     
  3. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Yeah. Nasty. F-Secure (as of 15:30 UK time update) detects this.

    I notice Trojanhunter does not.
     
  4. claire

    claire Guest

    You're wrong ChrisP, TH does take care of the latest version of the Beast
     
  5. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Yep as of: Ruleset update: 35x-2003-12-10
    « on: Today at 12:52pm »
     
  6. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I'm not going to bother arguing about it. The fact is that I downloaded the latest available ruleset 30 mins before my original post and it did not detect it.

    End of argument.
     
  7. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Or to be more specific. F-Secure detected it before Trojanhunter.
     
  8. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Maybe one should not be so hard on the fact that product A detected a trojan before product B. There are going to be times product A is faster and there are going to be times product B is faster. It might be because of time zones, or it might be because there was a delay in getting the sample for analysis, or something else. While getting the updates out to users promptly is important, I don't think one case really establishes that one product is better than the other.

    Quickheal was the first AV with a solution to Klez.h, but that does not make it better than any other AV that issued a solution after they did.
     
  9. controler

    controler Guest

    yes indeed
    doing a google of beast 2.05 brings up the download site for fearless ;)
    NOD-32 detects it and everything else on that site ;)
     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    actually mcafee was the first to detect beast 2.05.. some hours after the release of it.. what is the fuss here? beast really is a minor trojan.. 2700 downloads now.. kevin posted this @many security forums, how many of those 2700 are members of wilders, dslreports etc who want to test it on their preferred scanner?? LOL
    this hype on the beast is ridiculous.. it's not that good a trojan.. far better (more dangerous) rats have been released recently, and there's better ones (currently beta) coming..
    beast has a cool name and a cool icon..but nothing that hasn't been on many rats before..

    everyone disconnect your internet cables NOW ... the beast is coming LOL... ROFL
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I'd call it more educational than hype. At least people are aware of Beast's existence. How many people know about Trojan.Xtrantank? Not many but as many other Trojans this one is out there too. Dangerous? Maybe. Wildly used? Not. But it’s good to know and it’s good to be aware of its existence.

    Let's say only two people out of 2700 will incorporate this Trojan into some x most pirated program. You certainly are looking at a high infection number here. You never know.



    tECHNODROME
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    there already are trojans incorporated in most pirated programs.. a friend of mine said that 60-70% of kazaa warez is infected..

    one word: FUD
     
  13. Godzilla

    Godzilla AV Expert

    Joined:
    Nov 1, 2003
    Posts:
    63
    >> shake for me baby.. i wanna be your backdoor man


    ROFL :D
     
  14. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    @Michael: try to sing it "moaning and groaning" like Robert Plant did
     
  15. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    So more posts (such as Kevin's) and public awareness about these Trojans should be posted...not FLAMED. One could only benefit from it...


    tECHNODROME
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Michael,

    Looking at your signature:

    I'm surprised they didn't ask you to sign it a long time ago ;)

    regards.

    paul
     
  17. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    I suspect there wouldn't have been any particular interest in the Beast by anyone had it not been previously hyped as if it were some sort of "super" trojan and used to spread FUD in claims by another AT vendor. (Such claims still remain uncorrected on their site.)

    Now, possibly as a result of that hype and interest, a newer improved version of the Beast is out which perhaps will be more likely to be used and encountered than otherwise would have been the case due to the original hype over the Beast.

    So now when Kevin alerts to the new improved version and the potential greater likelihood of use, he is accused of FUD.

    Yet the original hype and FUD still stands and I don't seem to recall anyone seriously challenging it or criticising the vendor that made those (false) claims. Except of course perhaps other developers/vendors whose products have been called into question by those claims. (Who are then perhaps somewhat ironically attacked by some onlookers for "bad mouthing" the competition when they are defending their products against the FUD spread by the competition).

    Seems to me that the original FUDmeisters still have been given a free pass.
     
  18. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    to your interest i disliked the previous version hype too.. the ad that you refer to is on the company's site, the vendor in question did NOT post this all over the internet..

    i did not see these posts as awareness increasing, i saw them as software advertising..

    and among the fearless' members the demand for a new beast was big.. for one simple reason: the previous one did not work!
    i doubt if many of them read the anti-trojan sites
    let's see beast 1.91-11500 downloads, beast 2.01-25000 dl's, beast 2.02 (the one hyped) -26000 downloads.. not that much..
    you can't really say that the ad by that other at vendor made any significant difference here.. the increase between 1.91 and 2.01
    is explained by the fact that there were new features in 201.. so basically the previous hype has accounted for less than 1000 more downloads..
    the 2.05 has now 3500 dl's about 1000 per day.
     
  19. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    "to your interest i disliked the previous version hype too.. the ad that you refer to is on the company's site, the vendor in question did NOT post this all over the internet."

    Well I seem to recall the company's founder repeating the claims from his site in discussions on perhaps a couple other forums, so that claim was not just limited to the product's site. Additionally, it might be fair to say that the accuracy of those claims (even amended as it stands today) is, to be charitable, somewhat dubious. Do companies get a pass on false advertising and FUD if it's primarily limited to their home sites?

    I can well understand that some folks will take posts such as Kevin's (and other vendors) to be self-serving but he's been around for years and over that time can't be said to have spent considerable time "spamming" forums hyping his product (in my observation and opinion anyway). The post was basically a cut and paste of the update info sent to registered users.

    And given his sense of *cough* tactful communication, LOL, I suspect his posts might actually deter some potential customers who would otherwise be attracted to a more politically correct diplomatic manner of presentation. So I find it difficult to see this as part of some preconceived advertising tactic. But then that's my own perspective. I can't recall being swayed to purchase something simply because of a vendor's posts on chat boards.

    But one thing I think has been alleged by some that Kevin didn't do was claim that his was the only product that could or would be able to deal with this new release. It was just a matter of time and it appears that the usual early birds were on the case, as I think you said McAfee was perhaps among the first to release an update for it. And KAV and so on. (Don't know if their heuristics would have taken care of it prior to the update, perhaps they would have.) Even NOD was updated to include the beastie 2.05 that same day. Whether ESET would have done so without the publicity I don't know. Perhaps so since they appear to be interested in beefing up their trojan detection.

    Anyway, one way or another most of us are now protected against this beastie, whether we ever come across the critter or not. If the prognostication of the potential spread of the critter due to the hype does not happen, one should consider that a good thing IMO. ;)
     
  20. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I must apologize to all who misunderstood what I meant when I described "hype" with respect to "Beast." It was never meant to be applied to another product, but rather the description of it which made the rounds in numerous places around the net, including a review of antitrojans where it was made out to be armageddon itself. All of the various descriptions were read far and wide, and generated tremendous interest in the 2.05 release.

    If I had *intended* to slam a competitor, those who know me also know I would have just named names if that was my intent - like many "geeks," I do lack social skills. And I got properly whipped by management here for my apparent indiscretion. But the FACT remains that "Beast" was hyped ... in many places by MANY people. What alarmed me in particular is that trojans on "zero day" usually see 30-200 downloads typically. And the site where some were keeping count was not the only location where it was available for download. To see over 3000 in two days though is radically different from most releases. To see 800 in a couple of hours was nothing short of spectacular and THAT was the basis of my comments.

    But once again, I apologize to anyone who actually believes that my intent was to slam a competitor, it was to slam the phenomenon itself. :(
     
  21. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Kevin,

    Speaking for myself--and for those of us who use your products to protect our computers from something other than our own over-inquisitive index finger--thanks for doing what you do as well as you do.

    I assure you, there are plenty of us out here who understood your intentions with what I consider a very considerate post here and elsewhere. You didn't have to do it, but you did--for everyone's potential benefit.

    A shame IMO that some grossly--and in some cases purposely IMO--misinterpreted your message. ;)
     
  22. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743

    How true ;) and if you change your given name or your place of employment it is a good idea to update.

    :)

    Why are so many people coughing in this thread ?

    :eek:

    Must be something going around.

    :p
     
  23. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi

    like with last release the beast 205 had bugz.. fixed release already posted... looks like you all know where.. LOL
     
  24. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Should our guest choose to "repost" his/her personal attack, I will lock this thread. The post being removed 2 times is enough.

    on a personal note - perhaps if it is that important that your "target" get your message, you should use email or perhaps an IM from your registered username o_O
     