
1. Introduction

The Beast 2.07 has been released on August 03, 2004.

Beast is a powerful Remote Administration Tool (AKA trojan) built with Delphi. One of the distinct features of Beast is that it is an all-in-one trojan: client, server, server editor and plugins are stored in the same application. Besides, a binder is implemented in the Beast main application.

Beast 2.07 is a complete trojan, with 2 types of connection available: reverse and direct. The default settings are with direct connection. The older Beasts (2.02 etc.) were using direct connection, i.e. the server opens a port and waits for connections from the client. The reverse connection (feature available since version 2.05) means that the client is waiting for connections from the on-line servers, using S.I.N. (Static IP Notification). That method has many advantages, the main one being that Beast can be used with servers behind routers or in LANs.

The server can be extracted from Beast and its size is only 30 KB (compressed) if the injecting technologies aren't used. If you choose a server which will be injected in Explorer.exe, Internet Explorer or another application, its size will be 49 KB (compressed), which is still small enough. Considering the multitude of tasks which can be performed by the server, the size is excellent. Beast 2.07 has a built-in plugin system, with 4 plugins available for the most size-consuming tasks like the Screen Manager and Passwords (Protected Storage, ICQ/Trillian, DialUp).

As you might know from the previous versions, an important feature of the server is that it is using the injecting technology. At the first run the server injects itself into the memory of Explorer.exe (on 9x systems into systray.exe). Afterwards, injections into the other hosts are performed from Explorer.exe (in case the server isn't built for Explorer.exe injection only), according to the options you chose when building the server.
The main benefit of this type of running is that the other injected applications are monitored from Explorer.exe and, for example, if Internet Explorer is closed, it will be started again from Explorer.exe and injected with the dll. If the server is injected in Explorer.exe it won't be visible in any Task Manager, so that could be a good option. When the server is injected in Internet Explorer, the server will be visible in Task Manager, but in this way the firewalls could be more easily by-passed. And it is not a big deal if it is visible in TaskMgr, because when the IE process is closed it will be automatically run again ;) The server stability is almost 100% (the server can't be crashed by closing the client during a file transfer or other operations). Usually the server (dll) resides in the windows/system directory. With Beast 2.07 the server doesn't need administrator privileges on NT (2k, XP); the server can run on a restricted user (guest etc.) account, in which case it is located under the <Documents and Settings> directory. Beast is pretty hard to remove, especially when using injection. In this case, a certain way to get rid of Beast is booting in Safe Mode. I implemented in Beast an extra persistence feature, so whenever the injected (host) process is closed, the server will be injected again from Explorer.exe (Systray.exe on Windows 98). All the servers (loaders) are locked from Explorer.exe, so they cannot be deleted. The registry settings are also overwritten every few seconds...

2. Frequently Asked Questions

What's that?
Well, it is a remote administration tool and some people say it's a trojan ;) With Beast you can control remote computers and also spy on them...

Is it legal?
Sure it is, if it is used on your private network and you don't do any harm to other people!

How to start?
First you have to build a server (see Chapter 3 Server Settings), then you have to manage to run the server on a remote machine and afterwards you'll be able to control that machine.

How can I find the IP and password for connection?
When you build the server you have to configure at least one notification method (ICQ, E-Mail, CGI for direct connection, SIN for reverse connection), so whenever the remote machine (where the Beast server runs) is online you receive the required info for connection. In case you use the reverse connection you have to configure the SIN, so the servers will connect to you.

Why can't I connect?
Well, there could be a few reasons: the connection could be blocked by a firewall, the remote computer is in a LAN or behind a proxy and you configured the server with direct connection, the remote computer is offline etc.

Oh, I infected myself, what can I do?
The easiest way to uninstall the server is to connect to yourself (at address 127.0.0.1) and click the Kill Server button, but I'll also show you how to remove the server manually. You have to follow these steps for Windoze XP (NT):
1. boot in Safe Mode
2. go to the <WinDir>\msagent directory (usually C:\windows\msagent) and delete a file ms****.com (**** are random characters), which has ~30 KB or ~49 KB (according to the settings used).
3. go to <SysDir> (usually C:\windows\system32) and delete a file ms****.com, with a different name from the previous one, which has the same size as the previous file.
4. go to <WinDir> or <SysDir> (where you chose the dll to reside) and delete the dxdgns.dll file (or whatever you renamed it to).
For Windoze 9x you have to replace the <msagent> directory with <command>.

Can you send me the source code? I'm a student and I don't have money, all I want is to learn how to code.
LOL, no.

3. Server Settings

First of all you have to build the server from the Beast executable. When you run Beast, on the main window you'll notice a Build Server button. Just click that button and the server configuration window will appear. Let's discuss the settings one by one.
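The manual removal steps above name concrete on-disk artifacts: two ms****.com loaders of ~30 KB or ~49 KB in <WinDir>\msagent (<WinDir>\command on 9x) and in <SysDir>, plus the dxdgns.dll under <WinDir> or <SysDir>. The script below is an added example, not part of this guide or of Beast itself, that lets an administrator check a machine for exactly those artifacts before deciding whether to follow the removal steps; it only reports, it never deletes. The 2 KB size tolerance, the function names and the constructed sample tree built by make_demo_tree() are assumptions of this example, and the dll check is only as good as the default name, since the guide says the dll can be renamed.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Loader file pattern from the guide: "ms" + 4 random characters + ".com".
LOADER_GLOB = "ms????.com"
# Default dll name from the guide; the builder may have renamed it.
DEFAULT_DLL_NAME = "dxdgns.dll"
# The guide gives the loader size as ~30 KB or ~49 KB. The +/- 2 KB band is an
# assumption of this example, not a figure from the guide.
LOADER_SIZE_BANDS = ((28 * 1024, 32 * 1024), (47 * 1024, 51 * 1024))


def loader_size_plausible(size):
    """True if a file size falls inside one of the loader size bands."""
    return any(low <= size <= high for low, high in LOADER_SIZE_BANDS)


def find_beast_artifacts(windir, sysdir, dll_name=DEFAULT_DLL_NAME):
    """Return a list of (kind, path, size) for files matching the guide's removal steps.

    kind is "loader" for ms????.com files of plausible size in <WinDir>\\msagent,
    <WinDir>\\command (Windows 9x layout) or <SysDir>, and "dll" for the named dll
    directly under <WinDir> or <SysDir>. Nothing is deleted.
    """
    windir, sysdir = Path(windir), Path(sysdir)
    findings = []
    for directory in (windir / "msagent", windir / "command", sysdir):
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if not entry.is_file():
                continue
            size = entry.stat().st_size
            if fnmatch.fnmatch(entry.name.lower(), LOADER_GLOB) and loader_size_plausible(size):
                findings.append(("loader", str(entry), size))
    for directory in (windir, sysdir):
        candidate = directory / dll_name
        if candidate.is_file():
            findings.append(("dll", str(candidate), candidate.stat().st_size))
    return findings


def make_demo_tree():
    """Build a constructed sample layout (not a real infection) for a dry run.

    Returns (windir, sysdir) inside a fresh temporary directory: two loader-like
    files of 30 KB, one dll with the default name, and two benign files that must
    NOT be reported (right name pattern but wrong size; right size but other name).
    """
    root = Path(tempfile.mkdtemp(prefix="beast_demo_"))
    windir = root / "windows"
    sysdir = windir / "system32"
    (windir / "msagent").mkdir(parents=True)
    sysdir.mkdir()
    (windir / "msagent" / "msq7x2.com").write_bytes(b"\x00" * (30 * 1024))
    (sysdir / "msk3p9.com").write_bytes(b"\x00" * (30 * 1024))
    (windir / DEFAULT_DLL_NAME).write_bytes(b"\x00" * 1024)
    (windir / "msagent" / "msab12.com").write_bytes(b"\x00" * 2048)  # wrong size
    (sysdir / "readme.txt").write_bytes(b"\x00" * (30 * 1024))       # wrong name
    return str(windir), str(sysdir)


if __name__ == "__main__":
    # Use the live Windows directories when present, otherwise the demo tree.
    live_windir = os.environ.get("SystemRoot")
    if live_windir and Path(live_windir).is_dir():
        windir, sysdir = live_windir, os.path.join(live_windir, "system32")
    else:
        windir, sysdir = make_demo_tree()
    for kind, path, size in find_beast_artifacts(windir, sysdir):
        print(f"[{kind}] {path} ({size} bytes)")
```

Because the guide says the loaders are held open and the registry is rewritten from the injected Explorer.exe, a hit from this check is a reason to boot into Safe Mode before attempting any cleanup, exactly as the removal steps instruct.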
Basic Settings

In the Basic Settings group you can set the server name, port and password, the connection type, the directory where the server will reside and the injected application (IE, explorer.exe or a custom application), in case you want an injected server. The default settings mean that the server will be a normal application (not using injection) with reverse connection, will run in the windows directory under the name svchost.exe and will use port 9999 for connections. In that case (i.e. reverse connection) the server won't listen on any port and no password is needed for connection. For the reverse connection the SIN configuration is needed, which is explained in the next paragraph. The default settings could be changed with your own. When you set the server name it is strongly recommended not to choose a name which is in use (i.e. svchost.exe, services.exe, lsass.exe etc.) or could be a critical system process (logonui.exe etc.) and then set the <system> location for the trojan. For example, if the server name is svchost.exe, then its location must be in <windows>, because in <system> a service named svchost.exe is running. If you chose the injection method you have a few options: inject in explorer.exe (in this way being completely invisible on all Task Managers), Internet Explorer (in case you want more chances of by-passing firewalls) or another application of your choice. In the second case, whether IE is running or not at the first infection with Beast, the server will start a hidden IE process to inject into.

Notifications

In this group you can set the way in which you prefer to be announced by the server when it's on-line. If you previously set the reverse connection, then the SIN (Static IP Notification) must be used. The default SIN timeout is 15 seconds and it could be changed (if you have tens/hundreds of servers it could be good to increase the timeout to 60 seconds, so that too many connections won't occur at the same time). In case you have the same IP assigned every time you are on-line things are simpler: all you have to do is to set that IP in the server settings and whenever the remote machine is on-line the server will try to connect to the listening Beast client. In case you have a dynamic IP, then you have to go to http://www.no-ip.com or http://www.mine.nu and create (for free) a never-changing address like YourName@no-ip.com. After creating your no-ip address, you have to run on your machine the client provided by them. The no-ip client connects to the no-ip database every 10 minutes with your real IP address, so whoever connects to your domain will be redirected to your IP address. Well, it isn't really hard to create a no-ip account, and now you have to write the domain name in the IP (DNS) Address field. Finally, please note: if you're behind a router you have to forward 9 ports, from 9999 (SIN port) to 10008 (SIN port + 9). That's all about reverse connection and I strongly suggest you use that method for all types of computers (in LAN or not, behind proxy or not, with dialup etc.).

In the case of direct connection, you have 3 notification options: ICQ, Email, CGI. When you receive the victim IP you'll also receive the server listening port and the password for connection (optional). The ICQ Notification is down from time to time, so don't forget to test the notification before configuring it, to see if it's working. The E-Mail notification is working well, but doesn't function for Hotmail accounts. The E-Mail could be tested when building the server and the message could be customized. When configuring the email notification, the appropriate information for your email address must be written in the SMTP Addresses field, and for that you can use the Get SMTP button.

For the CGI notification I used the Net-Devil scripts. First you need to open a website with CGI support (a free one could be hosted by www.netfirms.com). In the CGI URL field a path like http://YourName.netfirms.com/cgi-bin/log.cgi must be written, the CGI Script Data field can be left as is and the CGI Password will be a password for accessing the log with Internet browsers (the address for log access is http://YourName.netfirms.com/cgi-bin/list.cgi and you will be prompted to enter the password). Now click the Create CGI Files button and the files with your settings will be created in a folder in your current directory. Now those files must be uploaded (use FlashFXP, WS_FTP etc.) to your cgi-bin directory. After upload the file attributes (permissions) must be changed (CHMOD): for log.cgi and list.cgi they must be 755, for log.txt 600. Well, a little work to do for setting up the CGI notification, but it is to your benefit ;) Ah, and don't forget to check the Enable option for the notification method you want.

StartUp

In the StartUp Settings group you can set the server startup mode. 3 options are available and it is recommended to check all of them.

AV-FW Killing

The Kill AV-FW On Start option is unchecked by default. In the built-in visible list of Beast there are over 300 FW - AV executables and you can add specific applications (the kill list can have at most 500 entries). The killing (closing) can occur at every startup and also on a timer interval (between 5 and 9999 seconds). The server also terminates (stops) the NT services, not only the normal applications. The built-in XP firewall could also be stopped and disabled by checking the appropriate checkbox.
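The reverse-connection setup described in the Notifications section has a fixed shape on the wire: infected hosts connect outbound to the operator's address on the SIN port range (9999 to 10008) and retry on the SIN timeout (15 seconds by default, 60 seconds suggested for large fleets). Several internal hosts calling the same external address on those ports at regular intervals is therefore the pattern a network defender can hunt for in outbound-connection logs. The script below is an added example and is not part of this guide or of Beast; it runs that check over a few constructed log lines (timestamp, source IP, destination IP, destination port, a format assumed for this example) and reports, per destination, the internal sources involved and the retry intervals seen. The internal network range, the function names and the sample lines are assumptions of this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# SIN port range from the guide: 9999 (SIN port) to 10008 (SIN port + 9).
SIN_PORTS = range(9999, 10009)
# SIN retry timeouts named in the guide: 15 s default, 60 s suggested for many servers.
SIN_TIMEOUTS = (15.0, 60.0)
# Assumed internal address range for this example; a real deployment would use its own.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample of outbound-connection log lines for this example; not real
# traffic. Fields: timestamp src_ip dst_ip dst_port.
SAMPLE_LOG = """\
2004-08-03T10:00:01 10.0.0.5 203.0.113.7 9999
2004-08-03T10:00:02 10.0.0.5 198.51.100.4 443
2004-08-03T10:00:16 10.0.0.5 203.0.113.7 9999
2004-08-03T10:00:31 10.0.0.5 203.0.113.7 10003
2004-08-03T10:00:40 10.0.0.9 203.0.113.7 9999
2004-08-03T10:01:00 10.0.0.12 198.51.100.4 80
2004-08-03T10:01:10 10.0.0.12 203.0.113.7 10008
2004-08-03T10:01:40 10.0.0.9 203.0.113.7 9999
2004-08-03T10:02:00 10.0.0.20 10.0.0.1 9999
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port); return None for junk lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None


def find_sin_candidates(log_text, tolerance=2.0):
    """Group outbound SIN-port connections from internal hosts to external addresses.

    Returns {dst_ip: {"sources": [src, ...], "intervals": {src: [seconds, ...]},
    "timeout_like": bool}}. timeout_like is True when at least one retry interval is
    within `tolerance` seconds of a SIN timeout, which is the beacon-like signal.
    """
    events = defaultdict(lambda: defaultdict(list))  # dst -> src -> [timestamps]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port = parsed
        # Only internal -> external connections on the SIN range are of interest;
        # internal-to-internal traffic on these ports is left to other rules.
        if port in SIN_PORTS and src in INTERNAL_NET and dst not in INTERNAL_NET:
            events[str(dst)][str(src)].append(ts)

    report = {}
    for dst, per_src in events.items():
        intervals = {}
        for src, stamps in per_src.items():
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            if gaps:
                intervals[src] = gaps
        timeout_like = any(
            abs(gap - timeout) <= tolerance
            for gaps in intervals.values() for gap in gaps for timeout in SIN_TIMEOUTS
        )
        report[dst] = {"sources": sorted(per_src), "intervals": intervals,
                       "timeout_like": timeout_like}
    return report


if __name__ == "__main__":
    for dst, info in find_sin_candidates(SAMPLE_LOG).items():
        flag = "beacon-like" if info["timeout_like"] else "irregular"
        print(f"{dst}: {len(info['sources'])} internal sources, {flag}; "
              f"intervals {info['intervals']}")
```

On the sample, 203.0.113.7 is reported with three internal sources, one retrying every 15 seconds and another every 60 seconds, which matches the two SIN timeouts the guide mentions; the port-443 and port-80 connections and the internal-to-internal line are ignored. Because the range 9999 to 10008 is also the one the operator must forward on a router, an inbound listener on those ports in a home-router log is the complementary signal on the other end.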
Miscellaneous

The Melt Server On Install option is checked by default. When building the server (after the Save button is clicked), its name will be server.exe. This name could be changed to whatever you want, and if you doubleclick the server you'll notice that it disappears (it is melted). What happened is that the server has copied itself to the <Windows>/<System> directory with the name you gave it and is running silently. After building, the server could also be bound with another executable, and for this you can use the included binder. If you uncheck the melting option the server only copies itself into the system (and also runs, of course). Another option is to set a fake error message. If this option is enabled the server will show a fake error when it is executed for the first time. Of course, the trojan did its job... Usually, the melt feature must be used when the server is bound with another file and the fake error must be used when the server remains as is. Another option is to open the port for listening (with direct connection) only when the computer is on-line, the server being more stealthy in this way. The Enable KeyLogger option is checked by default, and the logfile name and size limit are customizable. All the pressed keys and opened windows are trapped and stored in an encrypted file (log). The keylogger is working all the time (off-line & on-line) and from the client you can get the log and see all the activity on the computer. You can also configure the server to send the keylogs attached by email, and in that case you must set the correct email info and the log (attachment) size. If you need to find only specific info you must enable the "smart keylogger" option and set the particular windows where the keylogger will be active. For making Beast more persistent, you can set an option to clear the System Restore points on Windoze XP (at the first server run). In this case the Beast server cannot be removed by simply restoring the system to a previous clean state. Another option is for LAN computers only. Beast supports LAN bypass (i.e. you can connect to a computer on a LAN if the server is built with reverse connection), but if you use the direct connection (in case you cannot use the reverse connection) you can choose not to receive notifications from these servers. Also, the server could be configured with a "delay execution" option, so it can be activated at a specific date or after a number of reboots.

Exe Icon

The server icon can be changed.
There are a few built-in icons or you can select another icon from specific files (exe, ico, dll). You can choose any icon, you are not restricted to a certain icon size or color depth, but the new icon will have 32x32 pixels and 16 colors.

Settings

All the server settings can be saved/loaded to/from a specific file (.bst). When you want to build a new server just doubleclick that file and all your settings will be loaded in the Server Editor.

Binder

Beast 2.07 also has a binder included :) The binder is simple but effective; any files you like could be bound (if the bound files aren't executables, they will be opened with the default application). The stub is pretty small (~ 5 KB).

4. Client

In the Beast main window, in case of using servers with reverse connection you have to click the Start Listening [SIN] button and wait until servers appear in the left side panel. The default listening port is 9999. When a server is on-line, just doubleclick its icon and you'll be connected. In the other case, when using direct connection, you have to fill in the Host, Port and Password fields and then click the Go BEAST! button. The default values are 127.0.0.1 (Host) and 6666 (Port). If the server is running on your own computer, then 127.0.0.1 is the address you need for connection. If you want to connect to a remote computer, then you have to put its IP in the Host field. The Host, Port and Password are received by ICQ, Email or CGI. The Port and Password are those you set when you built the server (see Chapter 3, Server Settings). Now I assume that the connection with the server has been established and let's see what can be done. Also, above the Go BEAST! button is another one with an arrow: you can create an Address Book with your servers' details. On the main window, in the Managers group you'll see Files, Registry, Screen, WebCam, Apps, Processes, Services, Clipboard and Passwords. Let's take these managers one by one.

Files

By clicking the Files button, the File Manager window will show up. You can do different things with the remote files and the button captions in this group are almost self-explanatory. First you have to click Find Drives and shortly after this you'll notice that the contents of the first fixed drive (usually C:) are listed on the left side of the main window. Now you can browse (doubleclick a folder or click the Show Files button), delete files and directories, execute files, search files, upload files, download (files and folders are copied in the client's current folder) etc. In the File Manager group there is also an Erase All button. This command will delete all the files from the remote computer. The deleting process will start with the last drive ;-) If a file is in use there will be no problem, it'll be bypassed. All the file operations can also be performed by rightclicking on the file name.

Registry Manager

The registry browsing can be done by doubleclicking the subkeys in the left pane. If you want to edit a value just click on it and its string can be edited in the lower box. After you click the Set Data button the new string will appear. To delete subkeys and values you have to click the Del SubKey and Del Value buttons. On 9x systems you can delete a key and all its subkeys in a blink, but on NT the key must not have subkeys for successful deletion. For adding values you have to click the Add Value button, a new window will appear and you have to write the desired string value.

Screen Manager

With the Screen Manager you can see the remote desktop almost in real time. Here you can set the bit depth (quality) of the captured images, 8 being the lowest (faster download!) and 32 the highest. The default bit depth is 24, but for faster transfers it could be set to 8, the image clarity being good enough. You can choose the interval at which the screenshots are taken, the default being 1 second. It is also possible to save the received images (BMP or JPG) in a folder of your choice (you can browse for it) and for this you have to check the Save Images To option. The Stretch Image option is set by default, but sometimes it could be good to change it for better image clarity. Finally, by checking the Enable Clicks option you'll be able to click on the remote desktop by clicking on the screenshot.

WebCam Manager

With the WebCam Manager you can activate the remote WebCam and watch the remote user almost in real time. The options are similar to those of the Screen Manager, but without remote clicks, bit depth changing and image stretching.

Apps (Processes) Manager

By clicking the Apps button a new window will appear. In the App Manager all the visible windows on the remote computer are listed and you can kill (close) any of them. The Process Manager is almost identical (all the processes are listed) and you can kill (stop) any NT service.

Services Manager

In the Services Manager you can view/start/stop/disable/enable/delete the services on the remote machine. Of course, that manager can be used only when the server is running on an NT (XP) system and the remote user is logged in with administrator privileges.

Clipboard Manager

The Clipboard Manager will show up by clicking the Clipboard button from the main window. You can view, set or clear the text stored in the clipboard. Also, the clipboard could be locked/unlocked.

Passwords

The Passwords button will show you a new window where you can view the contents of the Protected Storage (E-Mail and HTTP), the DialUp and the ICQ/Trillian passwords. Well, these were all the managers. Now let's see other things.

Windows

On the main client window there is also a Windows option button. By clicking it a new button group appears in the place of the Managers. The Power Off, Shut Down, Reboot and Log Off buttons act as you expect. The Hide All button will hide all the visible windows, even tray and desktop, and Crash will terminate all the running processes, so the system will crash.

Lamer Stuff

The button captions are self-explanatory: Open/Close CD, Hide/Show Start button, Hide/Show Tray etc.

Fun Stuff

The button captions are self-explanatory (the 'Go To URL' feature makes the remote browser visit a specific URL, the Wallpaper feature changes the remote user's wallpaper, the Chat feature will establish a dialog with the remote user); a single mention needs to be made: the Lock CDs button will keep all the remote CD units locked even after reboot.

Server

In this group you are able to get the remote PC Info (user name, computer name, OS, system directory, windows directory, processor type and speed, screen resolution) and also to Kill, Close and Update the running server.

Misc

The KeyLogger button will show up a new window, where you can see the logfile size. You'll be able to bring to your machine the logfile (Get Log button) where the remote activity is recorded (all the keys and opened windows are trapped and stored in the log), to delete the log and to decrypt the log. The last feature is available only for situations when the decrypting didn't occur right after the log download. With the Live Keys you can see all the pressed keys and opened windows on the remote computer in real time. While using the Live Keys the keys are still stored in the log. The Messages button will bring on top another window. From this window you can send messages to the remote computer. You can choose the message box icons (5 options) and buttons (6 options). Before sending, you can preview the message by clicking the Test Message button. The Run Apps button will bring on top another window, where you can run different applications and receive their output (app redirect). The remote applications can be run in hidden or visible mode, and not only apps which produce output are supported; all apps will run without any problem. The Scanner could be used for searching for both IPs and Ports. All open ports could be retrieved, or only those opened by Beast servers. The scanner is also useful if you want to see if you're infected with a Beast server (built with direct connection). With the System Time feature you can view/adjust the remote computer's date and time.

Beast Stuff

Here the Options, Credits, Help and About buttons are available and I suggest you check all of them. In the Options you can configure the GUI a little. On the main window, near Build Server, you'll see the Plugins and the Binder. The Binder can be used for hiding the Beast server into a legit :P application. The Plugins button must be used to upload to the remote machine the Screen Manager and Passwords plugins. Also, in the upper right corner is a $ button and you're welcome to click on it :)

Well, that's all about the client.

5. Versions History

Version 2.07 - released on August, 03 2004
- full skin support
- keylog emailer
- smart keylogger
- live keylogger
- editable SMTP addresses
- better port handling (not all ports open)
- Trillian passwords support
- fun (restrictions, crazy mouse)
- smaller binder stub (5KB)
- more GUI options
- the Screen and WebCam settings are kept
- editable start-up keys
- remote screen right click
- queue downloads, column sorting, cancel downloads etc. (FileManager)
- fixes (time functions, notifications, security hole, SIN errors etc.)

Version 2.06 - released on February, 18 2004
- the servers are working with restricted users (guest etc.) on NT (XP)
- NT Services Manager
- chat :P
- delay execution (at a specific date or after reboots)
- system time management
- ICQ2003b password support
- configurable SIN timeout
- support for DWORD values in the Registry Manager
- better CGI & Email notifications
- CGI & Email notifications are working with SIN
- better DialUp password retrieval
- more reliable transfers
- etc.

Version 2.05 - released on December, 09 2003
- server size: 28 KB compressed
- server size when using injection: 46 KB compressed
- LANBypass feature (reverse connection)
- plugin system
- speeded up the transfers (recoded from scratch)
- DialUp passwords support
- better multithreading
- statistics window
- many enhancements (Screen Manager, KeyLogger, FileManager etc.)
- GUI enhancements

Version 2.02 - released on September, 16 2003
- server size: 50 KB compressed
- server size when using injection: 71 KB compressed
- speeded up all the transfers by ~40%
- multithreaded client/server (you can perform a few tasks at the same time)
- added a multibinder with a 6.x KB stub, coded in Delphi7 :P
- added ICQ2003 password support
- added app redirect feature (run apps and receive output)
- added download directories feature
- smart port listening (if the port is used, find another one which is free)
- XP firewall service stop and disable
- skins
- fixed the security hole, cracking isn't possible anymore
- fixed IP/Port Scanner (no more crashes)
- fixed clipboard manager (no errors when the clipboard data is big)
- fixed screen manager (the images can be saved in any directory)
- and other fixes and enhancements, more subtle

Version 2.01 - released on June, 25 2003
- 2 different servers: with or without injection (FWB)
- server size: 119 k uncompressed, 51 k compressed with built-in UPX
- injecting server size: 154 k uncompressed, 71 k compressed with built-in UPX
- added built-in SMTP notification
- added Scanner feature
- added passwords support (reveals the E-Mail and HTTP passwordz)
- more friendly with hosts when using injection (no more crashes of explorer.exe)
- many enhancements (faster transfers etc.)
- fixed the previous version connection bugs

Version 2.00 - released on May, 15 2003
- server size: 150 KB uncompressed, 68 KB compressed with built-in UPX
- stealth server (using injecting technology)
- 2 options for injecting: explorer.exe and Internet Explorer
- extra persistence (hard to get rid of, being injected in winlogon.exe and monitoring from there)
- added WebCam feature
- added Address Book
- added Save/Load options for server features
- added CGI notification
- added Open Port When On-Line Only feature for server
- and many other improvements

Version 1.92 - released on February, 20 2003
- server size: 120 k uncompressed, 51 k compressed with built-in UPX
- server packable/unpackable
- the server is more configurable:
  - 3 start methods
  - fake error message on start
  - kill AV timer (between 15 - 9999 seconds)
  - kill custom apps (up to 20 exes)
  - kill custom apps timer (between 15 - 9999 seconds)
  - editable messages on notifications
- fixed a few bugs (AV-FW killing on 9x etc.)

Version 1.91 - released on January, 19 2003
- server size: 56 k
- added Screen Manager feature
- added rightclick feature in File Manager
- added tutorial (User's Guide)
- improved the ICQ Notification
- fixed bugs (E-Mail Notification, ActiveX startup, Set Attr in File Manager, Info in Misc Stuff etc.)

Version 1.90 - released on December, 18 2002
- server size 32 k (this was the most important improvement, the server being rewritten almost completely while all the previous version features were kept)
- more configuration options (added Start Settings, KeyLogger, HotKeys)

Version 1.80 - released on November, 13 2002
- server size 194 k
- added Process Manager
- added configuration options
- AV-FW killing
- server icon changing
- ICQ & Mail notifications
- and others...

Versions 1.0 - 1.72
- just a few lame versions

6. Comments

Any comments and suggestions are welcome, so feel free to mail me at: tataye@beastdoor.com
If you have identified a bug, please send an email with a complete description of the problem. It would help me a lot if you include the following details:
- the sequence of commands leading up to the bug
- the server operating system (98, 2k, XP etc.)
- the client operating system (98, 2k, XP etc.)
