Beast Trojan (trojan horse)
Encyclopedia
Beast is a Windows-based backdoor trojan horse, more commonly known in the underground "script-kiddie" community as a Remote Administration Tool. It is capable of infecting versions of Windows from 95 to XP. Written in Delphi and first released by its author Tataye in 2002, it became quite popular due to its unique features. It used the typical client–server model, where the client would be operated by the attacker and the server is what would infect the victim. Beast was one of the first trojans to feature a reverse connection to its victims, and once the connection was established it gave the attacker complete control over the infected computer. Using the reverse connection there was no need for the attacker to know the target IP address; instead, the server connected to a predefined DNS name, which was redirected to the attacker's IP address. For its DLLs it used the injection method: they were injected into a specified process, commonly "explorer.exe" (Windows Explorer), "iexplore.exe" (Internet Explorer), or "msnmsgr.exe" (MSN Messenger). Because of this, the DLLs were automatically loaded into memory once these processes were executed.
It mainly targeted three infection sites:
- C:\Windows\msagent\ms****.com (size ranging from 30KB to 49KB)
- C:\Windows\System32\ms****.com (size ranging from 30KB to 49KB)
- C:\Windows\dxdgns.dll or C:\Windows\System32\dxdgns.dll (location dependent on the attacker's choice)

(Note: removing these three files in safe mode, with System Restore turned off in the case of XP, would thus disinfect the system.)
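The three file locations above are the kind of indicator an analyst checks before touching anything. The script below is an added example, not code from the article or from the trojan's author: it walks the listed locations under a given Windows directory and reports candidate files, never deleting them. It assumes that the article's "ms****.com" means any file whose name starts with "ms" and ends in ".com", and that "30KB to 49KB" is an inclusive band of 30*1024 to 49*1024 bytes; the sample directory tree it builds is constructed for the demonstration and is not a real infection.

```python
"""Triage scan for the Beast file indicators listed above.

Added example, not part of the original article: it only reports candidate
files for an analyst to review and never deletes anything. Assumptions: the
"ms****.com" name is read as any file starting with "ms" and ending in ".com",
and "30KB to 49KB" as an inclusive band of 30*1024 to 49*1024 bytes.
"""
from __future__ import annotations

import fnmatch
import os
import tempfile
from dataclasses import dataclass

KB = 1024
STUB_SIZE_MIN = 30 * KB  # assumption: inclusive lower bound of the page's 30KB
STUB_SIZE_MAX = 49 * KB  # assumption: inclusive upper bound of the page's 49KB


@dataclass
class Finding:
    path: str    # full path of the suspicious file
    name: str    # its basename, for quick reporting
    reason: str  # which indicator it matched


def _looks_like_server_stub(name: str) -> bool:
    # "ms****.com" from the article, matched case-insensitively as a glob (assumption)
    return fnmatch.fnmatch(name.lower(), "ms*.com")


def scan_beast_file_indicators(windows_dir: str) -> list[Finding]:
    """Check the three infection sites under the given Windows directory."""
    findings: list[Finding] = []

    # Sites 1 and 2: the dropped server stub in msagent\ or System32\
    for sub in ("msagent", "System32"):
        folder = os.path.join(windows_dir, sub)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            full = os.path.join(folder, name)
            if not os.path.isfile(full) or not _looks_like_server_stub(name):
                continue
            size = os.path.getsize(full)
            if STUB_SIZE_MIN <= size <= STUB_SIZE_MAX:
                findings.append(Finding(full, name, f"{sub}\\ms*.com stub of {size} bytes"))

    # Site 3: the injected DLL, which the attacker can place in either location
    for sub in ("", "System32"):
        full = os.path.join(windows_dir, sub, "dxdgns.dll")
        if os.path.isfile(full):
            findings.append(Finding(full, "dxdgns.dll", "dxdgns.dll present"))

    return findings


def build_sample_tree() -> str:
    """Constructed sample layout (not a real infection) so the scan runs offline."""
    win = os.path.join(tempfile.mkdtemp(prefix="beast_demo_"), "Windows")
    for sub in ("msagent", "System32"):
        os.makedirs(os.path.join(win, sub))

    def write(rel: str, size: int) -> None:
        with open(os.path.join(win, rel), "wb") as f:
            f.write(b"\0" * size)

    write(os.path.join("msagent", "msxyzw.com"), 40 * KB)     # hit: stub in msagent
    write(os.path.join("System32", "MSABCD.COM"), 31 * KB)    # hit: case-insensitive name
    write(os.path.join("System32", "dxdgns.dll"), 12 * KB)    # hit: injected DLL
    write(os.path.join("System32", "msinfo.com"), 200 * KB)   # miss: outside the size band
    write(os.path.join("System32", "kernel32.dll"), 40 * KB)  # miss: name does not match
    return win


if __name__ == "__main__":
    for hit in scan_beast_file_indicators(build_sample_tree()):
        print(f"{hit.path}: {hit.reason}")
```

Run it against a real system by passing the actual Windows directory to `scan_beast_file_indicators`; the size band and name glob keep legitimate files in msagent and System32 out of the report, but every hit still needs an analyst's look before the manual removal the note describes.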
The default ports used for the direct and reverse connections were 6666 and 9999 respectively, though the attacker had the option of changing these. Beast came with a built-in firewall bypasser and had the ability to terminate some anti-virus or firewall processes. It also came with a binder that could be used to join two or more files together and then change their icon.
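The two default ports give a defender a simple network tripwire for the two connection modes the article describes: direct mode means a connection arriving at a host's 6666 listener, reverse mode means the host itself connecting out to a remote 9999. The script below is an added example, not from the article or the tool, that applies that rule to connection-log lines. The log format (date, time, protocol, source, source port, destination, destination port) and the sample lines are constructed for the demonstration, and the internal address space is assumed to be the RFC 1918 ranges.

```python
"""Connection-log check for the Beast default ports described above.

Added example, not part of the original article. It reads a constructed
log format (date time proto src sport dst dport) and flags the two shapes the
article describes: an inbound TCP connection to a host's 6666 listener (direct
mode) and an outbound TCP connection to a remote 9999 (reverse mode).
Assumption: the monitored site's internal address space is RFC 1918.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BEAST_DIRECT_PORT = 6666   # victim listens, attacker connects in (page default)
BEAST_REVERSE_PORT = 9999  # victim connects out to the attacker (page default)

# Assumed internal ranges; the documentation ranges used in the sample
# (203.0.113.0/24, 198.51.100.0/24) are deliberately not listed so they
# read as "external" below.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    line_no: int
    kind: str
    src: str
    dst: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_beast_connections(log_lines):
    """Return one Alert per line that matches a Beast default-port pattern."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()
        if len(parts) != 7:      # skip blank or header lines in the constructed format
            continue
        _date, _time, proto, src, _sport, dst, dport = parts
        if proto != "TCP":       # Beast's sessions are TCP; ignore UDP noise such as DNS
            continue
        port = int(dport)
        if port == BEAST_DIRECT_PORT and is_internal(dst):
            alerts.append(Alert(n, "direct: inbound to 6666 listener", src, dst))
        elif port == BEAST_REVERSE_PORT and is_internal(src) and not is_internal(dst):
            alerts.append(Alert(n, "reverse: outbound to 9999", src, dst))
    return alerts


# Constructed sample log (not captured traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
2004-03-02 10:15:01 TCP 203.0.113.7 41022 192.168.1.20 6666
2004-03-02 10:15:09 TCP 192.168.1.21 51234 198.51.100.9 9999
2004-03-02 10:16:00 TCP 192.168.1.21 51240 198.51.100.9 443
2004-03-02 10:16:30 UDP 192.168.1.22 53211 192.168.1.1 53
2004-03-02 10:17:02 TCP 192.168.1.23 51300 198.51.100.40 6667
""".splitlines()


if __name__ == "__main__":
    for a in detect_beast_connections(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.kind} ({a.src} -> {a.dst})")
```

Two caveats follow directly from the article: the attacker could change both ports, so a miss here proves nothing, and 6666 sits in the range IRC servers commonly use, so a direct-mode hit on its own is weak evidence. Treat a hit as a reason to run the file-indicator check on the host involved, and, for reverse mode, to look at the host's DNS queries just before the connection, since the article says the server first resolves a predefined DNS name.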
The Server Editor offered these capabilities:
- Direct or reverse connection option
- DLL injection location (e.g. explorer.exe)
- Server name change option
- Server installation directory
- Various IP and server info notification options (e.g. email, ICQ, CGI, etc.)
- Startup keys selection
- Anti-virus and firewall killing
- Other miscellaneous options (e.g. automatic server file deletion, fake error messages, offline keylogger, icon changer, etc.)
Once connected to the victim, Beast offered the following features:
- File Manager – along with browsing the victim's directories, it could upload, download, delete, or execute any file
- Remote Registry Editor
- Screenshot and webcam capture utility
- Services, Applications, and Processes Managers, providing the ability to terminate or execute any of these
- Clipboard tool that could retrieve the currently stored strings
- Passwords tool capable of recovering any stored passwords on the victim's computer
- Power Options (e.g. shutdown, reboot, logoff, crash, etc.)
- Some tools mainly for creating a nuisance (e.g. mouse locking, taskbar hiding, CD-ROM operator and locker, URL opener, wallpaper changer, etc.)
- Chat client providing communication between the attacker and the victim
- Other tools such as a Remote IP scanner, live keylogger, offline logs downloader, etc.
- Server Controls (e.g. server deleter, updater, terminator, info provider, etc.)
See also
- Reverse connection