Beast Trojan (trojan horse)

From Wikipedia, the free encyclopedia

Beast Trojan
Developed by Tataye
Latest release 2.07 / August 3, 2004
OS Microsoft Windows
Genre remote administration, trojan horse
License freeware
Website No

Beast is a windows based backdoor trojan horse, more commonly known in the underground cracker community as a RAT (Remote Administration Tool). It is capable of infecting almost all Windows OS i.e. 95 through XP. Written in Delphi and Released first by its author Tataye in 2002, it became quite popular due to its unique features. It used the typical client/server mechanism where the client would be under operation by the attacker and the server is what would infect the victim. Beast was one of the first trojans to feature a 'reverse connection' to its victims and once established, it gave the attacker complete control over the infected computer. Using the 'reverse connection' there was no need for the attacker to know the target IP, instead the server itself connected to a predefined DNS, which was redirected to the attacker IP. For its DLL, it used the 'injection method' i.e. they were injected into a specified process, commonly 'explorer.exe' (Windows Explorer), 'iexplore.exe' (Internet Explorer) or 'msnmsgr.exe' (MSN Messenger). Due to this the DLLs were automatically loaded into the memory once these processes were executed.

Its targeted infection sites were mainly three:

  • C:\Windows\msagent\ms****.com (Size ranging from 30KB to 49KB)
  • C:\Windows\System32\ms****.com (Size ranging from 30KB to 49KB)
  • C:\Windows\dxdgns.dll or C:\Windows\System32\dxdgns.dll (Location dependent on attacker's choice)

(Note: Removing these three files in safe mode with system restore turned off in case of XP would thus disinfect the system)

The default ports used for the direct and reverse connections were 6666 and 9999 respectively, though the attacker had the option of changing these. Beast came with a built-in Firewall bypasser and had the ability of terminating any Anti-Virus or Firewall processes. It also came with a binder that could be used to join two or more files together and then change their icon.

The Server Editor offered these capabilities:

  • Direct or Reverse connection option
  • DLL injection location (e.g explorer.exe)
  • Server name change option
  • Server installation directory (e.g <windir>)
  • Various IP and Server info notification options (e.g email, icq, cgi etc)
  • Startup keys selection
  • Anti-Virus and Firewall killing
  • Other miscellneous options (e.g automatic server file deletion, fake error messages, offline keylogger, icon changer etc)

Once connected to the victim, Beast offered the following features:

  • File Manager, that along with browsing victim's directories could upload, download, delete or execute any file at will
  • Remote Registry Editor
  • Screenshots and Webcam capture utility
  • Services, Applications and Processes Managers, providing the ability of terminating or executing any of these
  • Clipboard tool that could get currently stored strings, and a Passwords tool capable of recovering any stored passwords in the victim's computer
  • Power Options (e.g shutdown, reboot, logoff, crash etc)
  • Some tools mainly for creating nuisance (e.g mouse locking, taskbar hiding, CD-ROM operator and locker, URl opener, wallpaper changer etc)
  • Chat client providing communication between the attacker and the victim
  • Other tools such as a Remote IP scanner, live keylogger, offline logs downloader etc
  • Server Controls (e.g server deleter, updater, terminator, info provider etc)

Later Tataye decided to abandon the Series with its final version going out in August 2004. But rather than completely abandoning the software, Tataye turned to a more commercial option when in early 2005 he released the first version of Spytector, a legitimate keylogger. Spytector uptil now has won highest ratings from many leading Downloads Websites (e.g Softpedia, Top-Shareware). Although Beast has been officially discontinued, it is still available from some of the underground websites that promote hacking material.