"The Beast"

"ARE WE PROTECTED??

Support Alert
Supporter's Edition
========================
www.techsupportalert.com

"Your pointer to the very best
Tech information on the Web"

Issue 102 - 16th October, 2003

EDITORIAL

I have seen The Beast and my heart has been smitten with fear.

No, folks, I haven't gone all religious. I'm talking about this year's
hot
trojan horse called "The Beast."

The Beast is one of the new generations of "process-injecting" trojans.
To
avoid detection these trojans attach themselves to a process that forms
a
key part of the Windows operating system itself.

In the case of The Beast, the processes chosen for infection are
winlogon.exe and explorer.exe. These have been selected because they
are
always present on any XP/2000/NT-based PC.

This stealthing approach makes The Beast particularly hard to detect.
Certainly a normal process scanner won't reveal its presence and almost
all
common anti-virus scanners will miss it as well.

Killing the trojan is also difficult as it resides within a process
essential for the operation of Windows. Killing the process will also
kill
Windows.

And if you think that the .dll checksum feature in your firewall will
help
you, think again. The particular version of The Beast I tested came
with a
module that pulled down 32 of the most popular firewalls and anti-virus
scanners and many anti-trojan monitors as well.

Watching a PC being infected by this kind of trojan is a scary
experience.
Terrifying, actually.

I ran The Beast on a test PC set up with the same extensive protection
that
I use on all my normal working PCs.

I just sat by and watched Norton Anti-Virus 2003 disappear, closely
followed by my Sygate Personal Firewall Pro and the BoClean anti-trojan
monitor. Not only were these defenses pulled down, they were
permanently
destroyed so they could not be restarted.

Once The Beast has infected your PC the attacker essentially has
complete
control. He/she can view, upload or erase any of your files and log all
your keystrokes including your all your passwords. Worse still, you may
not
even know your PC is infected.

So what do you do to protect yourself again these evil products?

Well, practicing "safe hex" is a start. You can get a free guide to
what's
involved at http://www.claymania.com/safe-hex.html, and you'll find
lots
more if you do a Google search under "safe hex."

But it's almost impossible to practice 100% safe hex. In fact, doing so
would, for many users, just about ruin the pleasure of using their PC.
It
would mean, for example, not downloading any programs, movies or other
executables, as well as a total end to file sharing.

If you are not prepared to make this sacrifice, you should protect
yourself
using every weapon available. A regularly updated anti-virus program is
mandatory as is a robust firewall. You should also seriously consider
a
specialist anti-trojan program with powerful file scanning capabilities
so
that you can detect trojans before they are executed.

Even here the news is not all good. There are a lot of anti-trojan
programs
available but frankly only two of them cut the mustard. These are TDS-3
and
Trojan Hunter 3. Most of the others are useless against the latest
generation of trojans.

I know this opinion will offend a lot of people who have their own
favorite
anti-trojan programs. I know too, it will offend many vendors. However
I'm
prepared to stand by what I think and have documented the reasons over
at
http://www.anti-trojan-software-reviews.com.

Trojans are becoming ever more sophisticated. Each new trojan
generation
becomes more difficult to detect and is armed with ever more aggressive
weapons aimed at your defenses.

There will never be 100% protection. I wish I could tell you otherwise,
but
this, unfortunately, is the harsh truth.


Gizmo Richards. "

Now then - is this an over-reaction/over-statement or this thing or is it accurate?

Also, what's the delivery mechanism? (Got this in an email from my friend Zev0). Pete

 

Hi,

In the quote by Pete from that newsletter is stated with respect to BOClean:

---begin quote---
I just sat by and watched Norton Anti-Virus 2003 disappear, closely
followed by my Sygate Personal Firewall Pro and the BoClean anti-trojan
monitor. Not only were these defenses pulled down, they were
permanently
destroyed so they could not be restarted.
---end quote---

I'm wondering whether that about BOClean is right.

Let's have a look at two sites:

1.
Anti-trojan Software Reviews
The page about BOClean:
http://www.anti-trojan-software-reviews.com/review-boclean.htm
Quote from that site:
Version tested: 4.10, current version 4.11
---end quote---
So: the test was not done with the latest version of BOClean.
I wonder whether above mentioned statement about BOClean in that newsletter is also based upon the previous version of BOClean.

2.
The PSC-forum at Micky's board.
Thread:
http://www.mickeytheman.com/forums/index.php?showtopic=822&st=0&#entry3045
The topic is there too discussed.
Poster Leroi writes there:
---begin quote---
I have received assurances from Kevin that this trojan is covered and that the version that was tested was BOClean 4.10 and not 4.11 although 4.10 should have easily passed this test also. He also said that "The Beast" is rather a minor trojan compared to some other of the more recent varieties.
---end quote---

I hope that Kevin or Nancy will jump in on the topic.
I hope also that the writer of that newsletter will give some prove.

 

Hi Everybody

The current version of The Cleaner uses the approach of changing the
program names everytime the program is started.
The only other program I know of that does this is Anti-Keylogger.
Will a trojan such as this be able to shut down a program that contuinly changes it program name?
One thing that would help one step further is to change the file names dependent on the mother program also. (DLL's ect.)
Just curious is all here.

con

 

Yes, trojans can still easily terminate any process even if it uses a random filename. Trying to hide a process by giving it a random filename is just attempted security by obscurity (attempting to hide the problem rather than fixing it), and it just doesn't work - there are too many other ways to detect the process.

Whereas trojans try to detect anti-trojan scanners to terminate them, it's no different to an anti-trojan scanner detecting a trojan - the filename has nothing to do with detection. The only reason most trojans use filenames to terminate security processes is that most security programs have a 'static' name so it's just convenient for them, but if a trojan really wants to terminate a security program, it won't matter what its filename is. If anything, it simply adds inconvenience to the user as they have this constantly random process running on their system (so as such, they can't add any firewall rules, and so on), and if the system or that process ever crashes then you'll have a 'residue' of inactive, randomly named files on your system.

But, you make up your own mind.

 

For anyone that's interested, TrojanHunter Guard 3.7 is immune from these TerminateProcess attacks. And no, it doesn't rely on a random file name

 

Thank you for you input guys.
I am still curious as to if the Beast is clever enough to terminate or it just used the filenames in it's database.
Although I like both TDS-3 and Trojan Hunter, I still like looking at other software just to help if I can.

The Cleaner appears to remove main window titles also which we never really talked about.

Quoted fron the help file.

"TCMonitor
TCMonitor keeps track of Registry keys, Files and Folders and alerts to any changes. "

"Stealth Mode

--------------------------------------------------------------------------------
Stealth Mode uses randomized filenames and removes main window titles to evade so called "AV Killers". These are added on to Trojans and Worms to clear their path for infection by removing your defences. In this mode you will not see The Cleaner, TCActive! or TCMonitor in a normal task list although they will still appear in a process list.
Using the Stealth Mode tool TC Mode you can switch modes at any time. "

"TCMonitor
TCMonitor keeps track of Registry keys, Files and Folders and alerts to any changes."


con

 

Hey Wayne and Magnus,

Of course I didn't want to start any "conflict" or such a thing between you AT-vendors !
Please believe me.
I do have respect for all of you !
You all are very hardworking people with heart for your company.

I'm a registred owner of your AT-programs, and others.
To sum them all up:
BOClean, TDS-3, TrojanHunter, The Cleaner, PestPatrol, Tauscan.
And yes: I paid for them all.

My wish is (if I'm allowed):
May this thread (and others) be kind and informative !

Kind regards, Jan.

 

controler,
This week we'll be releasing a new program called Process Guard, which stops all known process termination/code modification techniques. For example, if a trojan ever gets to the stage where it's running on your system, it won't be able to terminate or tamper with any of your security programs. To our knowledge it's the first and only program of its kind.

Many people assume that there's only one way to terminate a process - the TerminateProcess function (in kernel32.dll), but actually there are many, and here are some of the ones that Process Guard protects against:
- Process Termination via TerminateProcess@kernel32.dll (the most common)
- Code modification (for example, to change the behaviour of a firewall so that it always allowed traffic out)
- Process termination via EIP modification (where attacking process suspends all threads in the target process and sets the value of the EIP register for each thread to the address of the ExitProcess function in kernel32.dll, before allowing the threads to resume, causing the process to terminate)
- Process termination via CreateRemoteThread (the attacking process creates a new thread in the target process which has a start address set to the address of the ExitProcess function in kernel32.dll, causing the process to terminate)
- Process termination via TerminateThread (The attacking process enumerates all threads in the target process and calls the TerminateThread function in kernel32.dll, causing the process to terminate when its last thread is terminated)
- DLL injection (The attacking process 'injects' a DLL into the memory space of another process and activates a thread, allowing the attack process to remain alive in the context of an existing process. This stealthy trick is starting to be used more frequently by remote access trojans)

Just by using Process Guard you can prevent The Beast trojan from being able to inject any code or DLLs into your system and security processes.