[Dshield] The Beast

R Shady RShady at stny.rr.com
Fri Oct 17 10:56:38 GMT 2003

Has anyone heard of Beast, a trojan with different variables?
Symantec lists them here http://search.symantec.com/custom/us/query.html.
I came across it while reading about it in the Support Alert
newsletter ( http://www.techsupportalert.com/ ).
An excerpt from the newsletter follows:

"I have seen The Beast and my heart has been smitten with fear.

No, folks, I haven't gone all religious. I'm talking about this year's
hot trojan horse called "The Beast."

The Beast is one of the new generations of "process-injecting"
trojans. To avoid detection these trojans attach themselves to a
process that forms a key part of the Windows operating system itself.

In the case of The Beast, the processes chosen for infection are
winlogon.exe and explorer.exe. These have been selected because they
are always present on any XP/2000/NT-based PC.

This stealthing approach makes The Beast particularly hard to detect.
Certainly a normal process scanner won't reveal its presence and
almost all common anti-virus scanners will miss it as well.

Killing the trojan is also difficult as it resides within a process
essential for the operation of Windows.  Killing the process will also
kill Windows.

And if you think that the .dll checksum feature in your firewall will
help you, think again. The particular version of The Beast I tested
came with a module that pulled down 32 of the most popular firewalls
and anti-virus scanners and many anti-trojan monitors as well.

Watching a PC being infected by this kind of trojan is a scary
experience. Terrifying, actually.

I ran The Beast on a test PC set up with the same extensive protection
that I use on all my normal working PCs.

I just sat by and watched Norton Anti-Virus 2003 disappear, closely
followed by my Sygate Personal Firewall Pro and the BoClean
anti-trojan monitor.  Not only were these defenses pulled down, they
were permanently destroyed so they could not be restarted.

Once The Beast has infected your PC the attacker essentially has
complete control. He/she can view, upload or erase any of your files
and log all your keystrokes including all your passwords. Worse
still, you may not even know your PC is infected..........."

Also, while doing a Google search I noticed this website

Scary stuff indeed!!
