
SANS ISC: The Beast - SANS Internet Storm Center SANS ISC InfoSec Forums


The Beast
A new version of "The Beast", a Remote Administration Tool (aka backdoor), is believed to be in use on the net.

According to the help document, the author offers a "private" version of Beast 2.05. It is not released to the public; instead it is compiled specifically for the person who pays the author 120 euro. It differs from the public version, and this private version should not be picked up by signature-based antivirus software.

The default listen port is 6666 and the port for its outbound connections is 9999. The 'server' calls itself svchost.exe. It can be remotely controlled either in a listening mode or in a "reverse mode". In reverse mode, once installed, it connects to a server. Many firewalls allow outbound connections from inside the network; in such a network "The Beast" can bypass the firewall by opening the outbound connection to its server.

New functions: It can inject itself as a DLL into Internet Explorer, Explorer or Notepad. This allows it to hide from applications that show running processes.

A good writeup on the new version can be viewed here: http://www.nsclean.com/psc-bst.html
donald

ISC Handler
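
The indicators listed in this diary (default listen port 6666, outbound port 9999, a server that calls itself svchost.exe, injection into Internet Explorer, Explorer or Notepad) can be turned into a quick host triage, shown here as an added example that is not part of the original diary. The netstat rows, the PID-to-image map and the System32 path check are constructed assumptions, and the ports are only the defaults, so a clean result does not clear a host.

```python
import ntpath

LISTEN_PORT = 6666    # default listen port given in the diary
REVERSE_PORT = 9999   # default port for outbound (reverse mode) connections
INJECTION_HOSTS = {"iexplore.exe", "explorer.exe", "notepad.exe"}
SYSTEM32 = r"c:\windows\system32"  # assumption: a genuine svchost.exe runs from here
# Constructed sample in `netstat -ano` layout, plus a constructed PID -> image map.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135          0.0.0.0:0            LISTENING       888
  TCP    0.0.0.0:6666         0.0.0.0:0            LISTENING       2140
  TCP    10.0.0.5:1045        192.0.2.10:80        ESTABLISHED     3020
  TCP    10.0.0.5:1046        203.0.113.7:9999     ESTABLISHED     3100
"""
SAMPLE_IMAGES = {
    888: r"C:\WINDOWS\system32\svchost.exe",
    2140: r"C:\WINDOWS\svchost.exe",
    3020: r"C:\Program Files\Internet Explorer\iexplore.exe",
    3100: r"C:\WINDOWS\system32\notepad.exe",
}

def port_of(endpoint):
    return int(endpoint.rsplit(":", 1)[1])

def triage(netstat_text, images):
    """Return (pid, image, reasons) for rows matching the diary's indicators."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, remote, state, pid = fields
        image = images.get(int(pid), "")
        name = ntpath.basename(image).lower()
        reasons = []
        if state == "LISTENING" and port_of(local) == LISTEN_PORT:
            reasons.append("listening on 6666")
        if state != "LISTENING" and port_of(remote) == REVERSE_PORT:
            reasons.append("outbound to 9999")
        if name == "svchost.exe" and ntpath.dirname(image).lower() != SYSTEM32:
            reasons.append("svchost.exe outside System32")
        if reasons and name in INJECTION_HOSTS:
            reasons.append("owner is a possible injection host")
        if reasons:
            findings.append((int(pid), image, reasons))
    return findings

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE_NETSTAT, SAMPLE_IMAGES):
        print(pid, image, "; ".join(reasons))
```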
