I have seen The Beast and my heart has been smitten with fear.
No, folks, I haven’t gone all religious. I’m talking about this year’s hot trojan horse called "The Beast."
The Beast is one of the new generations of "process-injecting" trojans. To avoid detection these trojans attach themselves to a process that forms a key part of the Windows operating system itself.
In the case of The Beast, the processes chosen for infection are winlogon.exe and explorer.exe. These have been selected because they are always present on any XP/2000/NT-based PC.
This stealthing approach makes The Beast particularly hard to detect. Certainly a normal process scanner won’t reveal its presence and almost all common anti-virus scanners will miss it as well.
Killing the trojan is also difficult as it resides within a process essential for the operation of Windows. Killing the process will also kill Windows.
And if you think that the .dll checksum feature in your firewall will help you, think again. The particular version of The Beast I tested came with a module that pulled down 32 of the most popular firewalls and anti-virus scanners and many anti-trojan monitors as well.
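Because an injected module lives inside a legitimate process, a plain process list shows nothing unusual; what does change is the set of DLLs that process has loaded. The following is an added illustration written for this page, not a tool from the article or from any vendor named in it. It runs a defender's check over a constructed snapshot of the modules loaded in winlogon.exe, flagging anything that is memory-only, loaded from outside the Windows system directories, or absent from a baseline recorded on a known-clean machine. The baseline, paths and module names below are constructed and abbreviated; a real baseline is captured from your own clean build.

```python
"""Flag unexpected modules inside a critical Windows process.

Added example for this page (not the author's code). Works offline on a
constructed module snapshot of the kind a per-process DLL lister reports,
and compares it against a clean-host baseline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoadedModule:
    name: str      # file name as reported by the loader
    path: str      # full path; empty if the module has no file on disk
    on_disk: bool  # False for memory-only modules, a classic injection sign


# Directories the OS itself loads system DLLs from (XP/2000-era layouts).
# Trailing backslash so "system32evil" does not match "system32".
TRUSTED_DIRS = (
    r"c:\windows\system32" + "\\",
    r"c:\winnt\system32" + "\\",
)

# Constructed, abbreviated baseline: the modules a clean winlogon.exe
# is expected to have loaded. Record the real one from a clean host.
BASELINE = {
    "winlogon.exe": {
        "ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll",
        "gdi32.dll", "rpcrt4.dll", "msvcrt.dll",
    },
}


def audit_process_modules(process_name, modules, baseline=BASELINE):
    """Return [(module name, [reasons])] for modules that look injected."""
    expected = {n.lower() for n in baseline.get(process_name.lower(), set())}
    findings = []
    for mod in modules:
        reasons = []
        if not mod.on_disk:
            reasons.append("memory-only module with no backing file")
        elif not mod.path.lower().startswith(TRUSTED_DIRS):
            reasons.append("loaded from outside the Windows system directories")
        if mod.name.lower() not in expected:
            reasons.append("not in the clean-host baseline for this process")
        if reasons:
            findings.append((mod.name, reasons))
    return findings


# Constructed snapshot: three legitimate entries followed by two planted
# ones that mimic what a process-injecting trojan leaves behind.
SAMPLE_WINLOGON = [
    LoadedModule("ntdll.dll", r"C:\WINDOWS\system32\ntdll.dll", True),
    LoadedModule("kernel32.dll", r"C:\WINDOWS\system32\kernel32.dll", True),
    LoadedModule("user32.dll", r"C:\WINDOWS\system32\user32.dll", True),
    # planted: a DLL dropped in a user temp directory (constructed name/path)
    LoadedModule("dxdiag.dll",
                 r"C:\Documents and Settings\user\Local Settings\Temp\dxdiag.dll",
                 True),
    # planted: a module mapped straight into memory with no file behind it
    LoadedModule("(unnamed)", "", False),
]


if __name__ == "__main__":
    for name, reasons in audit_process_modules("winlogon.exe", SAMPLE_WINLOGON):
        print(f"{name}: {'; '.join(reasons)}")
```

The three checks are deliberately independent: a trojan that copies itself into the system directory defeats the path test but not the baseline test, and one that never touches disk defeats both file-based tests but not the memory-only test. Run the audit against every process your baseline covers, not just the two named in the article, and treat any finding as a reason to image the machine rather than to start killing processes.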
Watching a PC being infected by this kind of trojan is a scary experience. Terrifying, actually.
I ran The Beast on a test PC set up with the same extensive protection that I use on all my normal working PCs.
I just sat by and watched Norton Anti-Virus 2003 disappear, closely followed by my Sygate Personal Firewall Pro and the BoClean anti-trojan monitor. Not only were these defenses pulled down, they were permanently destroyed so they could not be restarted.
Once The Beast has infected your PC the attacker essentially has complete control. He/she can view, upload or erase any of your files and log all your keystrokes, including all your passwords. Worse still, you may not even know your PC is infected.
So what do you do to protect yourself against these evil products?
Well, practicing "safe hex" is a start. You can get a free guide to what’s involved at http://www.claymania.com/safe-hex.html, and you’ll find lots more if you do a Google search under "safe hex."
But it’s almost impossible to practice 100% safe hex. In fact, doing so would, for many users, just about ruin the pleasure of using their PC. It would mean, for example, not downloading any programs, movies or other executables, as well as a total end to file sharing.
If you are not prepared to make this sacrifice, you should protect yourself using every weapon available. A regularly updated anti-virus program is mandatory, as is a robust firewall. You should also seriously consider a specialist anti-trojan program with powerful file scanning capabilities so that you can detect trojans before they are executed.
Even here the news is not all good. There are a lot of anti-trojan programs available but frankly only two of them cut the mustard. These are TDS-3 and Trojan Hunter 3. Most of the others are useless against the latest generation of trojans.
I know this opinion will offend a lot of people who have their own favorite anti-trojan programs. I know, too, that it will offend many vendors. However, I'm prepared to stand by what I think and have documented the reasons over at http://www.anti-trojan-software-reviews.com.
Trojans are becoming ever more sophisticated. Each new trojan generation becomes more difficult to detect and is armed with ever more aggressive weapons aimed at your defenses.
There will never be 100% protection. I wish I could tell you otherwise, but this, unfortunately, is the harsh truth.
Gizmo Richards.