"The Beast"

Discussion in 'malware problems & news' started by spy1, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    "ARE WE PROTECTED??

    Support Alert
    Supporter's Edition
    ========================
    www.techsupportalert.com

    "Your pointer to the very best
    Tech information on the Web"

    Issue 102 - 16th October, 2003

    EDITORIAL

    I have seen The Beast and my heart has been smitten with fear.

    No, folks, I haven't gone all religious. I'm talking about this year's hot trojan horse called "The Beast."

    The Beast is one of the new generations of "process-injecting" trojans. To avoid detection these trojans attach themselves to a process that forms a key part of the Windows operating system itself.

    In the case of The Beast, the processes chosen for infection are winlogon.exe and explorer.exe. These have been selected because they are always present on any XP/2000/NT-based PC.

    This stealthing approach makes The Beast particularly hard to detect. Certainly a normal process scanner won't reveal its presence and almost all common anti-virus scanners will miss it as well.

    Killing the trojan is also difficult as it resides within a process essential for the operation of Windows. Killing the process will also kill Windows.

    And if you think that the .dll checksum feature in your firewall will help you, think again. The particular version of The Beast I tested came with a module that pulled down 32 of the most popular firewalls and anti-virus scanners and many anti-trojan monitors as well.

    Watching a PC being infected by this kind of trojan is a scary experience. Terrifying, actually.

    I ran The Beast on a test PC set up with the same extensive protection that I use on all my normal working PCs.

    I just sat by and watched Norton Anti-Virus 2003 disappear, closely followed by my Sygate Personal Firewall Pro and the BoClean anti-trojan monitor. Not only were these defenses pulled down, they were permanently destroyed so they could not be restarted.

    Once The Beast has infected your PC the attacker essentially has complete control. He/she can view, upload or erase any of your files and log all your keystrokes including all your passwords. Worse still, you may not even know your PC is infected.

    So what do you do to protect yourself against these evil products?

    Well, practicing "safe hex" is a start. You can get a free guide to what's involved at http://www.claymania.com/safe-hex.html, and you'll find lots more if you do a Google search under "safe hex."

    But it's almost impossible to practice 100% safe hex. In fact, doing so would, for many users, just about ruin the pleasure of using their PC. It would mean, for example, not downloading any programs, movies or other executables, as well as a total end to file sharing.

    If you are not prepared to make this sacrifice, you should protect yourself using every weapon available. A regularly updated anti-virus program is mandatory as is a robust firewall. You should also seriously consider a specialist anti-trojan program with powerful file scanning capabilities so that you can detect trojans before they are executed.

    Even here the news is not all good. There are a lot of anti-trojan programs available but frankly only two of them cut the mustard. These are TDS-3 and Trojan Hunter 3. Most of the others are useless against the latest generation of trojans.

    I know this opinion will offend a lot of people who have their own favorite anti-trojan programs. I know too, it will offend many vendors. However I'm prepared to stand by what I think and have documented the reasons over at http://www.anti-trojan-software-reviews.com.

    Trojans are becoming ever more sophisticated. Each new trojan generation becomes more difficult to detect and is armed with ever more aggressive weapons aimed at your defenses.

    There will never be 100% protection. I wish I could tell you otherwise, but this, unfortunately, is the harsh truth.


    Gizmo Richards. "

    Now then - is this an over-reaction/over-statement of this thing or is it accurate?

    Also, what's the delivery mechanism? (Got this in an email from my friend Zev0). Pete
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Pete,

    Depends on your view - it's a darned nastie alright, but then again this one has been around (several variants) for quite a while now, and is covered by at least the better ATs (have a look at the primary list from TDS3 ;) )

    Various ways, as is the case with many similar nasties. Google no doubt will provide you with quite some info on this.

    regards.

    paul
     
  3. FanJ

    FanJ Guest

    Hi,

    In the newsletter quoted by Pete, the following is stated with respect to BOClean:

    ---begin quote---
    I just sat by and watched Norton Anti-Virus 2003 disappear, closely followed by my Sygate Personal Firewall Pro and the BoClean anti-trojan monitor. Not only were these defenses pulled down, they were permanently destroyed so they could not be restarted.
    ---end quote---

    I'm wondering whether that about BOClean is right.

    Let's have a look at two sites:

    1.
    Anti-trojan Software Reviews
    The page about BOClean:
    http://www.anti-trojan-software-reviews.com/review-boclean.htm
    Quote from that site:
    ---begin quote---
    Version tested: 4.10, current version 4.11
    ---end quote---
    So: the test was not done with the latest version of BOClean.
    I wonder whether above mentioned statement about BOClean in that newsletter is also based upon the previous version of BOClean.

    2.
    The PSC-forum at Micky's board.
    Thread:
    http://www.mickeytheman.com/forums/index.php?showtopic=822&st=0&#entry3045
    The topic is there too discussed.
    Poster Leroi writes there:
    ---begin quote---
    I have received assurances from Kevin that this trojan is covered and that the version that was tested was BOClean 4.10 and not 4.11 although 4.10 should have easily passed this test also. He also said that "The Beast" is rather a minor trojan compared to some other of the more recent varieties.
    ---end quote---

    I hope that Kevin or Nancy will jump in on the topic.
    I hope also that the writer of that newsletter will provide some proof.
     
  4. controler

    controler Guest

    Hi Everybody :)

    The current version of The Cleaner uses the approach of changing the
    program names every time the program is started.
    The only other program I know of that does this is Anti-Keylogger.
    Will a trojan such as this be able to shut down a program that continually changes its program name?
    One thing that would help one step further is to change the file names dependent on the mother program also (DLLs etc.).
    Just curious is all here.

    con
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, trojans can still easily terminate any process even if it uses a random filename. Trying to hide a process by giving it a random filename is just attempted security by obscurity (attempting to hide the problem rather than fixing it), and it just doesn't work - there are too many other ways to detect the process.

    Whereas trojans try to detect anti-trojan scanners to terminate them, it's no different to an anti-trojan scanner detecting a trojan - the filename has nothing to do with detection. The only reason most trojans use filenames to terminate security processes is that most security programs have a 'static' name so it's just convenient for them, but if a trojan really wants to terminate a security program, it won't matter what its filename is. If anything, it simply adds inconvenience to the user as they have this constantly random process running on their system (so as such, they can't add any firewall rules, and so on), and if the system or that process ever crashes then you'll have a 'residue' of inactive, randomly named files on your system.

    But, you make up your own mind. :)
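
    Wayne's point that a random filename is no hiding place, shown as an added example (my script, not DiamondCS's or The Cleaner's code): it copies cmd.exe to a random name, starts it, and then locates the running copy by the SHA-256 of its on-disk image and by the OriginalFilename field of its version resource, neither of which a rename changes. It assumes Windows PowerShell 5.1 or later (for Get-FileHash) and skips processes whose main module the console is not allowed to read.

```powershell
# Added example: identify a process by its image, not its filename.
# Assumes Windows PowerShell 5.1+ (Get-FileHash). Processes whose main module
# cannot be read (protected, other-user, or different-bitness) are skipped.

function Get-ProcessImageIdentity {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Process)
    try { $main = $Process.MainModule } catch { return $null }   # access denied / bitness mismatch
    $path = $main.FileName
    [pscustomobject]@{
        Id               = $Process.Id
        Name             = $Process.ProcessName                    # the part a rename changes
        Path             = $path
        ImageSha256      = (Get-FileHash -Algorithm SHA256 -LiteralPath $path -ErrorAction SilentlyContinue).Hash
        OriginalFilename = $main.FileVersionInfo.OriginalFilename  # written by the linker, survives a rename
        WindowTitle      = $Process.MainWindowTitle
    }
}

function Find-ProcessByImage {
    param([string]$Sha256, [string]$OriginalFilename)
    Get-Process | ForEach-Object { Get-ProcessImageIdentity -Process $_ } | Where-Object {
        $_ -and (($Sha256 -and $_.ImageSha256 -eq $Sha256) -or
                 ($OriginalFilename -and $_.OriginalFilename -eq $OriginalFilename))
    }
}

# --- demo: run a randomly named copy of cmd.exe and find it three ways ---
$source   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$refHash  = (Get-FileHash -Algorithm SHA256 -LiteralPath $source).Hash
$refOrig  = (Get-Item -LiteralPath $source).VersionInfo.OriginalFilename
$randName = -join (((48..57) + (97..122)) | Get-Random -Count 10 | ForEach-Object { [char]$_ })
$copy     = Join-Path $env:TEMP "$randName.exe"
Copy-Item -LiteralPath $source -Destination $copy
$victim   = Start-Process -FilePath $copy -WindowStyle Hidden -PassThru   # hidden cmd.exe waits on stdin
try {
    Start-Sleep -Milliseconds 500
    $byName = @(Get-Process -Name cmd -ErrorAction SilentlyContinue | Where-Object Id -eq $victim.Id).Count
    $byHash = @(Find-ProcessByImage -Sha256 $refHash | Where-Object Id -eq $victim.Id).Count
    $byOrig = @(Find-ProcessByImage -OriginalFilename $refOrig | Where-Object Id -eq $victim.Id).Count
    "Running as '$randName.exe' (PID $($victim.Id))"
    "  found by process name 'cmd' : $byName"
    "  found by image SHA-256      : $byHash"
    "  found by OriginalFilename   : $byOrig"
} finally {
    Stop-Process -Id $victim.Id -Force -ErrorAction SilentlyContinue
    Remove-Item -LiteralPath $copy -ErrorAction SilentlyContinue
}
```

    The name lookup is the only one the rename defeats: the hash of the copied file equals the hash of the original, and the version resource is inside the file, so both identify the process regardless of what it is called. A killer that keys on either of those, or on a loaded module or window class, needs no filename list at all, which is the substance of Wayne's objection to filename randomisation.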
     
  6. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    For anyone that's interested, TrojanHunter Guard 3.7 is immune from these TerminateProcess attacks. And no, it doesn't rely on a random file name ;)
     
  7. controler

    controler Guest

    Thank you for your input, guys.
    I am still curious as to whether the Beast is clever enough to terminate or it just used the filenames in its database.
    Although I like both TDS-3 and Trojan Hunter, I still like looking at other software just to help if I can.

    The Cleaner appears to remove main window titles also which we never really talked about.

    Quoted from the help file.

    "TCMonitor
    TCMonitor keeps track of Registry keys, Files and Folders and alerts to any changes. "

    "Stealth Mode
    Stealth Mode uses randomized filenames and removes main window titles to evade so called "AV Killers". These are added on to Trojans and Worms to clear their path for infection by removing your defences. In this mode you will not see The Cleaner, TCActive! or TCMonitor in a normal task list although they will still appear in a process list.
    Using the Stealth Mode tool TC Mode you can switch modes at any time. "

    con
     
  8. FanJ

    FanJ Guest

    Hey Wayne and Magnus,

    Of course I didn't want to start any "conflict" or such a thing between you AT-vendors !
    Please believe me.
    I do have respect for all of you !
    You all are very hardworking people with heart for your company.

    I'm a registered owner of your AT-programs, and others.
    To sum them all up:
    BOClean, TDS-3, TrojanHunter, The Cleaner, PestPatrol, Tauscan.
    And yes: I paid for them all.

    My wish is (if I'm allowed):
    May this thread (and others) be kind and informative !

    Kind regards, Jan.
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    controler,
    This week we'll be releasing a new program called Process Guard, which stops all known process termination/code modification techniques. For example, if a trojan ever gets to the stage where it's running on your system, it won't be able to terminate or tamper with any of your security programs. To our knowledge it's the first and only program of its kind.

    Many people assume that there's only one way to terminate a process - the TerminateProcess function (in kernel32.dll), but actually there are many, and here are some of the ones that Process Guard protects against:
    - Process Termination via TerminateProcess@kernel32.dll (the most common)
    - Code modification (for example, to change the behaviour of a firewall so that it always allowed traffic out)
    - Process termination via EIP modification (where the attacking process suspends all threads in the target process and sets the value of the EIP register for each thread to the address of the ExitProcess function in kernel32.dll, before allowing the threads to resume, causing the process to terminate)
    - Process termination via CreateRemoteThread (the attacking process creates a new thread in the target process which has a start address set to the address of the ExitProcess function in kernel32.dll, causing the process to terminate)
    - Process termination via TerminateThread (The attacking process enumerates all threads in the target process and calls the TerminateThread function in kernel32.dll, causing the process to terminate when its last thread is terminated)
    - DLL injection (The attacking process 'injects' a DLL into the memory space of another process and activates a thread, allowing the attack process to remain alive in the context of an existing process. This stealthy trick is starting to be used more frequently by remote access trojans)

    Just by using Process Guard you can prevent The Beast trojan from being able to inject any code or DLLs into your system and security processes.
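
    The CreateRemoteThread route from Wayne's list, as an added example (my script, not Process Guard's code and not any trojan's): it spawns a throwaway cmd.exe and ends it by starting a thread inside that process whose start address is kernel32!ExitProcess. It assumes PowerShell and the target have the same bitness and relies on Windows mapping kernel32.dll at the same base in every process of a boot session, so the address resolved in our own process is valid in the target. The thread start routine receives lpParameter as its single argument, so that value arrives in ExitProcess as uExitCode and becomes the victim's exit code.

```powershell
# Added example: terminate a process by running kernel32!ExitProcess on a
# remote thread inside it. Assumes same bitness for PowerShell and target;
# kernel32 shares one base across all processes of the boot session, so an
# address resolved here is valid inside the target.

if (-not ('K32' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class K32 {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inheritHandle, uint processId);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr GetModuleHandle(string moduleName);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
    public static extern IntPtr GetProcAddress(IntPtr module, string procName);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr CreateRemoteThread(IntPtr process, IntPtr threadAttributes,
        uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
}

# Rights CreateRemoteThread needs on the target, plus SYNCHRONIZE so we can wait for it to die.
$PROCESS_CREATE_THREAD     = 0x0002
$PROCESS_VM_OPERATION      = 0x0008
$PROCESS_VM_READ           = 0x0010
$PROCESS_VM_WRITE          = 0x0020
$PROCESS_QUERY_INFORMATION = 0x0400
$SYNCHRONIZE               = 0x00100000

function Stop-ProcessViaRemoteThread {
    param([Parameter(Mandatory)][int]$ProcessId, [int]$ExitCode = 42)
    $access = [uint32]($PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_READ -bor
                       $PROCESS_VM_WRITE -bor $PROCESS_QUERY_INFORMATION -bor $SYNCHRONIZE)
    $hProcess = [K32]::OpenProcess($access, $false, [uint32]$ProcessId)
    if ($hProcess -eq [IntPtr]::Zero) {
        # Win32 error 5 (ERROR_ACCESS_DENIED) here is what a termination-protected target looks like.
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $exitProcess = [K32]::GetProcAddress([K32]::GetModuleHandle('kernel32.dll'), 'ExitProcess')
        if ($exitProcess -eq [IntPtr]::Zero) { throw 'GetProcAddress(ExitProcess) failed' }
        [uint32]$threadId = 0
        # lpParameter is handed to the thread start routine as its only argument, so it
        # lands in ExitProcess(uExitCode): the victim exits with $ExitCode.
        $hThread = [K32]::CreateRemoteThread($hProcess, [IntPtr]::Zero, 0, $exitProcess,
                                             [IntPtr]$ExitCode, 0, [ref]$threadId)
        if ($hThread -eq [IntPtr]::Zero) {
            throw "CreateRemoteThread failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [void][K32]::CloseHandle($hThread)
        # The process handle is signalled when the process has exited; 0 is WAIT_OBJECT_0.
        return ([K32]::WaitForSingleObject($hProcess, 5000) -eq 0)
    } finally {
        [void][K32]::CloseHandle($hProcess)
    }
}

# --- demo against a throwaway, hidden cmd.exe ---
$victim = Start-Process -FilePath cmd.exe -WindowStyle Hidden -PassThru
$exited = Stop-ProcessViaRemoteThread -ProcessId $victim.Id -ExitCode 42
$victim.WaitForExit()
"PID $($victim.Id) exited: $exited, exit code $($victim.ExitCode)"
```

    Nothing in this path is the target's own code or filename: the only things the attacker needs are a process handle with the rights in `$access` and an address that is the same in both processes. That handle is therefore the natural choke point for a defender. Denying PROCESS_CREATE_THREAD, PROCESS_VM_WRITE and PROCESS_TERMINATE on protected processes is what Process Guard sets out to do, and on current Windows an attempt like this against a protected (PPL) process fails at OpenProcess with ERROR_ACCESS_DENIED for the same reason.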
     