Backdoor Trojan: The Names

[Guest Reimar]

Dear all!

Today on January 16. 2007 at 10.00 am I should have a meeting with the ISP on which software CD I found a Backdoor Trojan named: Win32:Beastdoor-BE attached to an setupfile for to install a so named HighSpeed Navigator. The ISP is the TRUE Corporation PCL from Thailand which is also, according to thems own usage, the developer of the mentioned software.

The meeting wasn't held because nobody was coming and even not any call or SMS! I think this tells enough about the (what kind of??!) behavior of this people!

Since December 25. 2006, the day I informed TRUE Corp about the Trojan, nothing is done (officialy) and the promisses given to me wasn't full filled in any way! As of today: NO ONE was coming to the meeting at 10.00 am in the Cafe at the TRUE Tower in Bangkok! For me I think I've done enough and now the public should have the next word('s)!

For those of you who want to kinow who I am, here the details: My Name is Reimar Engellage, PhD in Computer Science, Director of PCV-INFO Service Co., Ltd. in Samut Prakarn (Thailand), e-mail: pisthai(AT)gmx.net

Here's the report, I wrote yesterday evening, as I promissed and what I beside of other people think about it:

On December 21.2006 a costumer called me to ask why the Internet connection is so terrible slow but the connection icon is ligthened at all times. I went to him and checked hims computer and find out that hims computer was sending data out the whole time.

Installing the newest version of Avast Anti Virus Home edition and found in the first scan nothing because avast restarts after installtion and check the computer without of updating the datafile. After restarting and updating the datafile avast find: Win32Beastdoor-BE(Trj) Backdoor Trojan.

This Trojan was located at the HighSpeed Navigator from TRUE and I asked my customer where he got the software from. He gave me the original CD of TRUE for the Billion ADSL Modem Router. By checking this CD Avast found nothing! But after start to install the software new, Avast found the Trojan located in an file named: Run.exe. I took the CD to my office for further investigation.

After I extracted the file Billion_setup.exe I found the run.exe in this file with the Trojan attached.

The above mentioned Trojan was found beginning of December 2006 the first time. Until right now it's AVAST only which find this Trojan.

May be it isn't dangerous? But if is dangerous, what happens than? As I wrote in one of my posts, what a laywer was talking about:

""Software which is deveolped to find suspicious actions from other software, like AV, AD,SPY and so on programs, is special programmed to lokking for the sentences which forces to start special action like to take over controls (TROJANS), change file structures (VIRUS), send Data to unknown locations (SPY's), delete files pp and other action which are not "nomal"! If the software find something it will warn the user (if possible) and/or stopp the working process of that program or do others. But the checking software will look for that kind of actions which was already detected and classifies as DANGER (from the LOW to HIGH level) in the past because otherwise the want ad that stentencers to thems blocking list's.

Now, if a software developer produce software with sentences like the above mentioned, what for this software is really programmed? And, the writer of that programm must have a very good knowledge of the structure and how to program this dangerous software! In case the software developer is an ISP, which have to be on an very high security level and work mainly with costumer related data (many of them very confidential), this ISP need to control the program deveolping section on an much more higher level as any other software developer. For to get acces to "forein" data the most easy way is to do from an "Insider" within an ISP company!""

That really should let us think about! With my company we manage to run complete computer systems by our costumer as "outsourcing" contractors and we're responsible for the safty and secure of the complete company data. In case that we find a Trojan like the here mentioned one, what we should do? May not ignore the beast but carry on working as normal? Wait for an wonder? Or stop working? Ok, we've Backup Server and they will take over the work but what's about the "loss" of data? No, we'll use our backup server but starts immediatly a research to find out the real nature and danger of that beast and have a much more than close eye on all systems! And we'll inform all concerned parties and call for an general meeting to start to find a way how to solve the problem.

But what to do if just a single person is "infected" with this Trojan? And may another company, not a costumer until now, ask for help? Just ignore that? Or go a different way? And if a complete community is possible to get "infected"? What to do?

TRUE talks from about 200,000, right two hundred thousand, packages which they have sold out! Should I keep quiet? Should I directly publish the facts? Or should I inform all concerned parties and give the most involved one the change to defent themself?

By an big company like TRUE you can not talk directly from Crime or so. To talk from Crime by an single person which running around with an wireless network detector to get free access to an network for which this person haven't paid for, this is fundamental. But we not talking here from a single person, we talking from an company with more than 2.6 Mio subscribers for internet connection!

That is different. And as an single person to run against a company like TRUE, is not an easy touch. With my post here I was try to be fair to everybody and for sure, not everybody agree with me. That's normal human nature! But I ask all of you to take a moment and think about you're on my place: What you want to do with my knowledge? What you want to do to keep yourself on an safe place? Normally you don't need to defent yourself but you'll come to the point that you have to defent yourself and to defent the way you're going because a lot of your neibourghs want to push you on an way which is dangerous for you but safe for them because that isn't their "game" and they're on the safe side! Because you're going that way and not they are!!

On December 25. 2006 I informed TRUE about the contents of thems CD! The meeting was held with Khun Chompunut, Head of the Calling Center, Dr. Viriya and an Programmer of the TRUE Development Section. By the way, no one of this person was given a business card to me!!

When I first informed them about the Trojan and where this Trojan is located the first reaction was to tell me that this file named run.exe is need to get the HighSpeed Navigator to run and that there is not any Trojan attached. My reaction was to tell them that I don't want to waste my time and under this circumstances want to go directly to the "News" and publish the facts.

After I told this to them they starts to step back and finally I had show them on thems own computer the existence of this Trojan. Then they try to get the original CD from me but without any luck! Checked another CD from an virgin package, we found the Trojan there as well. Even on the Laptop of K. Chompunut that trojan was running!

They told me that they want to contact Avast for further info and send e-mail to them. I told them that TRUE needs to inform the customers about the situation and that they need to provide at least an "upgrade" for thems software. Ok, we'll do this and inform you (me) immediatly about any news, was thems reaction. At this stage I told them that I'll go public if I don't get a response from them!

On January 3. 2007 I've a meeting with an member of the Managment of TRUE. I'll not publish hims name because hims resort is a different one and he do not have any power for cases like this one. As I see him as a business partner who never broke a word to me, I talked with him about this case and told him my intention and meaning! I also told that in some countries hims company will faces a lot of charges for componsation and that companies which getting information like this one offers a lot benefit to that people where they get the info from.

He was talking to K. Chompunut after this and the next day she contated me by phone to tell me that she've send the copies of 2 e-mail send to Avast to me already and that she will inform me for further news. Dhe also told me that the programming section has released a "new" edition of the infected software and that she want that software to me and I told her that's ok and that I will check and test what they have released! But than she changed her mind and told me that they don't need to send me this edition!

Why now this? Still something to hide? Or a new edition of that Trojan?

Nothing more happens and on Thursday January 11.2007 I send 2 SMS messages to her to tell her that I want to publish now the facts on Saturday January 13.2007 Before I was getting a SMS from her to inform me that nothing news and after I try to call to her but she didn't pick up the phone and even not called back to me.

On January 12. 2007 I get some calls from a guy by TRUE, I haven't understand hims name, to get more info from me which was giving to him. He promissed me that he want to send me the answer from Avast to me immediatly after that call and also give me other infos I want from him. I also told him that before hims call someone from the call center was calling to me and want to tell me something from some 3 month package but I told to that lady to send me that info by e-mail and that e-mail even should come directly after that call. Nothing of this happens until today.

On Saturday morning I called to that last Guy, I've the mob. no. in my mobile, and told him that I do not receive anything and he told me to send "now". I also told him that he should take care that every concerned people are on Tuesday Morning, January 16.2007 at 10.00 am to be in the Cafe on the Ground Floor of The TRUE Building on Ratchada Pisek Road. And that is will be the final and last meeting about this case. He told that he'll take care for this.

Today is Monday January 15. 2007 and at 17.00 (5.00 pm) not any information or e-mail or SMS from TRUE or any call.

[cclub75]

Ah ah ah ! This is really good, even by thai standards.

Anyway congratulations. It seems that you took some time to reveal the story...

Anyway, best later than never.

And i'm going "de ce pas" to check all my connexions.

However... did you analyse other True CD installation packs ? And just to be sure, I would install the "infected" pack on a "virgin PC", and then launch a Ethernet Packet Sniffer software, and then launch the connexion... and check if some suspicious packets of datas are going out, and if yes where are they going...

[silvero]

As far as I can see, the only evidence you have that the software CD contains a malicious program is that Avast IDs it as Win32:Beastdoor-BE.

- Do you have evidence that this program was sending data out or otherwise providing unwanted functionality?

- Are you familiar with Backdoor.Beastdoor family and have confirmed that this program exhibits it's functionality?

- Why are you sure that this program really is Win32:Beastdoor-BE and not a false postive?

- How have you determined that it is only Avast which detects this malware?

This family of trojans have been around for at least 3 years, and the Win32:Beastdoor-BE definition was added to Avast on 2/10/06, so it's not a new thing and it would be interesting if only one AV detected it correctly.

[indothai]

Decided to try this myself. Downloaded and installed the free/home version of Avast. Installed True software. During the installation, Avast detected a trojan.

I've got Symantec AV installed, but it did not detect anything. Anyone else running different AV that is either detecting or not detecting this?

This is distrubing. Reimar, I hope you will update us.

[Guest Reimar]

I think I've to ad something to my post and report!

May some of you will understand but some will disagree with me!

For to keep myself in a safe place, I haven't publish all information, special some of the evidence of the real nature of this Trojan, which I have. I can't give out every information because I'm a single person against a Giant!

If you want to get more information, you need to start a research by yourself and you may go the same way as I was going. It isn't a easy touch!

The decission I've done is out of any discussion and I will not give any more information, which I see as my evidence, out of my hand's!

Thanks to your all who understand my position and for those who disagree with me think about you're on my place!

[silvero]

I agree wholeheartedly with your intentions and anything people can do to stop malware is great, but if the program isn't malware you may be scaring people unnecessarily and damaging the company's reputation unfairly.

If anyone can tell me how to get a copy of the software then I'll do some analysis and post all the results here.

[yeti]

If you want to advertise this a bit more contact:

- The Nation byteline desk: http://www.nationmultimedia.com/contactus/index.html

- Bangkok Post's Database (IT News): http://www.bangkokpost.com/contact.html

[Guest Reimar]

I agree wholeheartedly with your intentions and anything people can do to stop malware is great, but if the program isn't malware you may be scaring people unnecessarily and damaging the company's reputation unfairly.

If anyone can tell me how to get a copy of the software then I'll do some analysis and post all the results here.

Silvero,

where you are? If in bangkok I can make you a copy of the original CD from TRUE! But I will not keep a copy on my server!!

You can contact me at any time via my e-mail address as shown in the opening post.

My intention for sure is not to scare people, it is to get them to a point not to believe everything what is coming from someone with a "good" name!

As I wrote, dangerous or not, but the laywer is right with him meaning and that is something we should think about too!

In this case, if a Backdoor Trojan is programmed to "open" and change settings of servers that is one thing. But if a software development section of an ISP is writing programs with sentences which are recognized by tracing software as malicious, than there also a change for someone with a good knowledge to get "more out" than the software original was maked for!

I don't blame TRUE that they have done this programming with full knowledge or with intention to "steal" data of user! But whats about the programmers which working for TRUE or related persons?

Industrial Spys makes a lot of money and where we are? In thailand are a lot of companies which working on production of products which reqires a lot confidence!

It's final not the single, private user, that's are the corporates where the arrow is pointing too!

[cdnvic]

I think True has had ample opportunity to demonstrate that it is not a trojan. They were given plenty of time to explain, but have yet to deny it.

[MikeWill]

I am a customer of True. I do remember that some time ago I was having a connection problem to "truehisp", and during my conversation with the True's support, I was advised to install the True hi-speed Navigator 2.0.2 (the file called) "hi-speed Navigator.exe".

This file is Copyright 2005 True Corporation p.c.l. All rights reserved.

(Mr. Reimar Engellage, is that the same file you're referring to?)

I still have that True hi-speed Navigator folder on my disk, though currently not installed.

True Support E-Mail: [email protected] - but I never get a reply from them.

Is there another E-Mail to contact them for their comments on this post?

[Guest Reimar]

I am a customer of True. I do remember that some time ago I was having a connection problem to "truehisp", and during my conversation with the True's support, I was advised to install the True hi-speed Navigator 2.0.2 (the file called) "hi-speed Navigator.exe".

This file is Copyright 2005 True Corporation p.c.l. All rights reserved.

(Mr. Reimar Engellage, is that the same file you're referring to?)

I still have that True hi-speed Navigator folder on my disk, though currently not installed.

True Support E-Mail: [email protected] - but I never get a reply from them.

Is there another E-Mail to contact them for their comments on this post?

Yes, it is this HighSpeed Naviogatr. But the special one which is bundled with the Billion ADSL Router Modem. The HighSpeed Navigator downloaded is "Trojan Free"!

Check your computer if under the DIR of HighSpeed Navigator is a file named RUN.EXE! That's the one with Trojan on the Billion CD!

[MikeWill]

No, I don't have a file named RUN.EXE on my disk. Also, my modem is ZyXEL PRESTIGE 630.

[JimsKnight]

I think True has had ample opportunity to demonstrate that it is not a trojan. They were given plenty of time to explain, but have yet to deny it.

Could it be construed into some kind of government tool whereby they can use a trojan, say this one in particular to access a persons PC covertly in the name of national security???

Is True in the pocket of the government? or perhaps this is a sign of a now defunct TRT project? Or am I overblowing the conspiricy theory?

I can't really see how True would directly benefit otherwise.

Good luck with your investigation.

[indothai]

I got the package with the Billion ADSL modem, that's the one with the file.

[bino]

Reimar- thanks for the explanation at last! Can completely understand your apprehension about taking on the TRUE corporation!

It would appear that I am in the clear.... I have the Billion BIPAC-7000 USB ADSL modem at home, and the CD that came with it from TRUE has no run.exe file, and Avast is not concerned with the installation.

I do remember getting the "High Speed Navigator" with the Billion LAN / Router ADSL modem we use in the office. The USB modem was discontinued and no longer available from TRUE when I set up the ADSL in the office.

However, one of the ladies threw the box and CD away inadvertantly (such a tidy and efficient woman she is, dammit...) so I uninstalled the software and configured the connection manually with the built in WinXP PPPOE client. I'm curious to know if anything was left behind during the uninstall, and will search / test that PC thoroughly tomorrow.

A sigh of relief as far as I'm concerned personally (hopefully), but curious as h*ll as to how this will all work out for those who are affected!

Edited January 16, 2007 by bino

[Khleerm]

Speaking of packet sniffers, I've always heard of these things but have never known where one could be found. If I were running a Mac, with OS X on it, and I wanted to monitor traffic out of my machine, I could simply install Little Snitch and I'd have a great window into what was going on.

Can any of you Windows users suggest a comparable Windows app. Seems that concerned True surfers would want to know.....

Edited January 16, 2007 by Khleerm

[katana]

If its not been done already, might be worth someone sending the file in question to Avast and checking with them if its really a trojan.

I remember once after updating AVG Antivirus, it detected an old version of the well-known anti-malware tool HijackThis on my computer as a trojan.

I sent an email to AVG about this, and this false-positive was corrected in the next update.

[cclub75]

Reimar, your behavior is difficult to understand.

I mean : how do you see yourself ? Are you suffering from the White Knight syndrome ?

How would you qualify someone who says "I know something, oh really bad, but I can't tell you ?"

Yes, exactly : childish... That was the word I was looking for. We were doing this at school... Primary.

Or : someone who is bullshiting.

Anyway.

You say that the "problem" occurs only with the CD of one of True packages (with Billion adsl modems).

It looks like it's confirmed by another user. Fair enough. And we should thank you for your vigilance.

But at that point : we can't rule out the possibility... that this is thailand, and employees are making mistakes. Big ones on a daily basis.

It would be perfectly possible that the guy who prepared the CD for this package, simply had his master corrupted... And then, of course, from a commercial point of view and a thai point of view, True can't aknowledge this "mistake". So cover up.

Not nice for a big company to aknowledge that its staff is downloading some porn and other shaddy Warez softwares while making serious work...

As I said previously : the only way to track a bad intention is to analyse the trojan behaviour or its "nature" as you said once it is installed... Is it sending datas ? If yes, where the IP packets are heading ? Period.

If you did this work, then you should go public. And stop playing.

If you didn't, then you are only half the way.

Of if you did, but you saw nothing bad related to True but only a simple trojan who tries to send some passwords to an IP address in Russia or Khazakstan, then you should go public too.

I think I've to ad something to my post and report!

May some of you will understand but some will disagree with me!

For to keep myself in a safe place, I haven't publish all information, special some of the evidence of the real nature of this Trojan, which I have. I can't give out every information because I'm a single person against a Giant!

If you want to get more information, you need to start a research by yourself and you may go the same way as I was going. It isn't a easy touch!

The decission I've done is out of any discussion and I will not give any more information, which I see as my evidence, out of my hand's!

Thanks to your all who understand my position and for those who disagree with me think about you're on my place!

[jbowman1993]

I gave an old gf of mine a backdoor trojan once. She didn't speak to me for a week....

[Crushdepth]

For to keep myself in a safe place, I haven't publish all information, special some of the evidence of the real nature of this Trojan, which I have. I can't give out every information because I'm a single person against a Giant!

If you want to get more information, you need to start a research by yourself and you may go the same way as I was going. It isn't a easy touch!

The decission I've done is out of any discussion and I will not give any more information, which I see as my evidence, out of my hand's!

If you are not willing to share the information then stop wasting our time. You've already made accusations against True you and you should be prepared to substantiate them.

I don't like True but I doubt that they would intentionally Trojan their customers software. More likely that one of their employees slipped something in out of spite / for personal gain or carelessly ripped off some dodgy code from elsewhere.

[astral]

Whether the action was an accident or malicious does not really matter.

TRUE should stand up and take responsibility

and offer to help affected customers deal with the problem.

This is just another example of the un-professional business practices that hold Thailand back.

[Guest Reimar]

As I wrote already there will be some of you who wouldn't accept my decission.

There a lot of people around who do not care about others but care about themself only! And a lot of this people have very "wide open" hands and try to get everything without own "investment"! I mean in this case: Information!

People which going this way are the one who will "crying" to first if anything will "hurt" them! People like this "running away" very fast if something suspicious came near them and "crying" for help! But people like this also doing what the following speech is meaning: "A dog should never bite the hand which is feeding them!"

If you look around this forum (in total) you will find a lot "members" which seeking for help on one hand and critizising on the other hand, people which saying "thank you" only for personal benefit! And most of this "members" do not accept "critic" on thems own!

OK, all of us are human. The "advantage" of human is that all are imperfect! So, I for my person have also tell thank you for criticts aginst me because I'm a very imperfect person and I like to be so!

What I do NOT like is if critic get a "to much personal touch" which the citizising person try to cover und the plate: "it's not for me, it's for others!" special from someone who do not know me!

From whom I'm talking you can see very easy: just take a look on the answers in this post!

Even after I try to explain my position, what I don't need to do by "normal" thinking humans, you can see on that post's the position where they are standing: Pure egoism!!

For all of you who do not thinking on this way I tell a very big excuse and I'm very sorry to tell that on this way but that people starts to get to much personal against a person they don't know!

[Crushdepth]

If you look around this forum (in total) you will find a lot "members" which seeking for help on one hand and critizising on the other hand, people which saying "thank you" only for personal benefit! And most of this "members" do not accept "critic" on thems own!

Actually this is one of the more helpful forums on Thaivisa and the majority of the posters are quite generous with their time.

What I do NOT like is if critic get a "to much personal touch" which the citizising person try to cover und the plate: "it's not for me, it's for others!" special from someone who do not know me!

You are criticising/making accusations against True. You claim to have evidence, but you will not show it. You are being irresponsible.

Yes, that is a criticism - but not a personal one.

[cclub75]

Pure egoism!!

For all of you who do not thinking on this way I tell a very big excuse and I'm very sorry to tell that on this way but that people starts to get to much personal against a person they don't know!

This thread is getting a bit surreal...

A forum is about sharing : infos, datas and opinions etc.

You came with something that looks interesting. People started to react. Discussion went further. That's the point of a forum. But then, you putting yourself out. Okay. that's of course your right.

But please stop moaning about "egoism".

I have to say that since the begining you have a rather strange way of telling your story, " I will tell you the thruth", arranging some meetings, setting dead lines, "I have my reasons", etc. I mean : at the end, it's like a bad police novel.

You don't want to go further. Fair enough. But you need to understand that, within a thread that you have started, people have also the right to criticize or challenge you. Otherwise, it's not a forum anymore.

I only notice that you are not willing to talk about the technical points of my last post.

The start of this thread was indeed a technical issue. You seem to be now on a very different mode. The discussion has lost its appeal. At least for me.

Bye.

[Guest Reimar]

May I don't write clear enough and so just for to clear that:

1.: I do like constructive but not "pushy" critics and also need them because I learning from them as well!

2.: I do not like if this critics going personal from someone who do not have any personal relation to me!

3.: I need to keep sometime something for to safe my position!

4.: My critics against TRUE and here against that people who didn't keep thems promisses are fundamental!

5.: This post was started to inform about the potential danger

6.: This post was also started to inform about how a huge ISP handels serious threats

I feeling very sorry that this is going this way.

As I offered already, who is interested should contact me by e-mail and I'll send via e-mail (not PM) the access info to my server and than the interested can download the gererated sourcecode of the infected program, size is 5 kB and a RAR file. This offer I let open until January 21. 2007

I only notice that you are not willing to talk about the technical points of my last post.

cclub75, thats not truth but I need some time beside my normal "work" and I've to be carefull with any answer, but you will get your answersometime this evening.

The start of this thread was indeed a technical issue. You seem to be now on a very different mode. The discussion has lost its appeal.

You're right this is escalating! But I don't like if someone like to push me in an "corner" for no reasons but to get me on an unsafe place!

That is what I've asked for several times. And all of you need to accept that my first intention must be to keep myself safe BEFORE I go further!

crushdepth,

You are criticising/making accusations against True. You claim to have evidence, but you will not show it. You are being irresponsible.

Question: Do you give the ATM-Code or the Code of your Creditcard to someome or many (as here) without to safe your Money before and without to know that person? If youy do your money is gone!!!!

That is excactly what you and others want from me! And that is what I mean with to much to personal for example! I'm may stupid, but NOT that stupid!

I think I stop here and answer technical issues only withoy to leave my safe "heaven"!

I think and hope the majority of you will understand me.

Thanks

[yeti]

So did you contact any major media about this? Coz one thing is sure, True doesn't give a shit about what you publish here.

Edited January 17, 2007 by yeti

[cdnvic]

So did you contact any major media about this? Coz one thing is sure, True doesn't give a shit about what you publish here.

At least post to The Nation's forum so that it gets some exposure that they may pick up on if nothing else.

Reimar, I don't get how holding info back keeps you "safe"? Is TRUE going to try bumping you off or something?

[nikster]

Never attribute to malice what can be adequately explained by incompetence.

World-wide, there are tens of millions of machines infected with these trojans. So the guy who did those CDs apparently had one in his system as well, and managed to get them on a golden master from which it was multiplied by the tens of thousands.

For a while, Apple shipped iPods complete with pre-installed Virus/trojan. It can happen. Needless to say, Apple took a lot of steps afterwards to correct the problem, you can download a removal tool from their website.

If TRUE was a responsible company, it would send out a free removal tool for this trojan. But this being Thailand, we all know how much they hate to admit any wrong-doing - it's kind of a cultural thing. No need to get all hot and bothered about it.

[george]

I am closing this thread now, as it could potentially end up in trouble. We will open it again when or if the media writes about it.

Cheers

Admin