SANS ISC: InfoSec Handlers Diary Blog

The Beast

Published: 2003-12-15
Last Updated: 2003-12-16 12:42:44 UTC
by donald smith (Version: 1)
A new version of "The Beast", a Remote Administration Tool (aka backdoor), is believed to be in use on the net.

According to the help document, the author offers a "private" version of Beast 2.05. It is not released to the public, but is instead compiled specifically for the person who pays the author 120 euro. It differs from the public version, and this private version should not be picked up by signature-based antivirus software.

The default listen port is 6666, and the port for its outbound connections is 9999. The 'server' calls itself svchost.exe. It can be remotely controlled either in a listening mode or in a "reverse mode". In reverse mode, once installed, it connects to a server. Many firewalls allow outbound connections from inside the network; in such a network "The Beast" can bypass the firewall by opening the outbound connection to its server.

New functions: It can do DLL injection of itself into Internet Explorer, Explorer or Notepad. This allows it to hide itself from a show process type

A good writeup on the new version can be viewed here
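
The indicators given above (default listen port 6666, default outbound port 9999, the svchost.exe image name and the listed injection hosts) can be checked against a host's connection table. The following is an added example, not part of the original diary entry: it scans `netstat -ano`-style rows joined to a PID-to-image map, both constructed here, and the image names used for the injection hosts (iexplore.exe, explorer.exe, notepad.exe) are an assumed mapping.

```python
import re

# Defaults stated in the diary entry; both are configurable by the operator,
# so a match is a lead to investigate, not proof of infection.
LISTEN_PORT = 6666    # default port the server listens on
REVERSE_PORT = 9999   # default port for outbound ("reverse mode") connections
# The server's own image name per the diary, plus the usual image names of the
# injection hosts it lists (assumed mapping, e.g. Internet Explorer -> iexplore.exe).
NAMES = {"svchost.exe", "iexplore.exe", "explorer.exe", "notepad.exe"}

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample input: "netstat -ano"-style rows and a PID -> image map.
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address    State           PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING       884
  TCP    0.0.0.0:6666       0.0.0.0:0          LISTENING       1412
  TCP    10.0.0.23:1045     192.0.2.80:80      ESTABLISHED     1760
  TCP    10.0.0.23:1051     198.51.100.7:9999  ESTABLISHED     1988
  TCP    10.0.0.23:1077     203.0.113.4:9999   SYN_SENT        2100
  TCP    10.0.0.23:9999     10.0.0.5:3122      ESTABLISHED     640
"""
SAMPLE_PROCS = {884: "svchost.exe", 1412: "svchost.exe", 1760: "iexplore.exe",
                1988: "notepad.exe", 2100: "javaw.exe", 640: "backupagent.exe"}

def find_candidates(netstat_text, procs):
    """Return (rule, local, remote, pid, image, name_match) per suspicious row."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP or malformed row
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING" and lport == LISTEN_PORT:
            rule = "listen-default-port"
        elif state != "LISTENING" and rport == REVERSE_PORT:
            rule = "reverse-default-port"   # direction matters: remote port only
        else:
            continue
        image = procs.get(pid, "unknown")
        hits.append((rule, f"{laddr}:{lport}", f"{raddr}:{rport}", pid, image,
                     image.lower() in NAMES))
    return hits

if __name__ == "__main__":
    for hit in find_candidates(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(hit)
```

Both ports are defaults that can be changed, so an empty result does not clear a host; the name match only helps rank the hits.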