A new bot on the market: Beta Bot

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378


G-Data Blog said:
Beta Bot uses multilingual social engineering techniques to exploit the human user
In the beginning of March 2013, a new bot called “Beta Bot” entered the market. With less than €500, Beta Bot is sold relatively cheap, considering its vast feature list. Even though most of those features are pretty standard for today's bots, like different DOS-attack methods, remote connection abilities, form grabbers and other information stealing capabilities, one particular ability caught our attention: "Disable Anti Virus", says the ad posted in an underground forum, followed by a list of nearly 30 security programs that are said to be disabled by Beta Bot.

What does it do?

When installed on a system, Beta Bot searches for a list of known security products it is said to target. Upon finding one of those programs installed, the bot starts its attacks as described later in the text. Doing so, it prepares itself to attack the av program by killing processes, disabling registry keys or simply by disabling auto updates. Depending on the type of security product, Beta Bot also tries to circumvent firewalls by injecting certain routines into programs that are usually allowed to pass the firewall, like for example Internet Explorer.

User Access Control (UAC) – it’s all about permissions

On modern Windows operating systems, permissions for users are split into standard (low) and administrator permissions (high/elevated). In contrast to an administrator, a standard user cannot alter critical parts of the system. If a user starts a process, the user’s permissions are inherited to the process. Thus they can also be divided into processes with low and high permissions. By default, only a low set of permissions is granted to each process, because a user has only standard permissions by default. On demand, those permissions can be elevated.

Loosely speaking, all processes can be divided into processes with low and elevated permissions, while the ones with low permissions cannot modify the ones with high permissions, but elevated processes can modify both. Additionally, permissions can also be inherited between processes. Thus, if a process with elevated permissions starts another process, this second process also has elevated permissions.

To prevent malware from harming a system severely, the elevation of permissions from low to high is the most critical step. The decision whether to elevate the permission of a running process is handed over to the user, who is prompted by the system in a UAC dialogue to decide "Yes" or "No" on the request for elevation of permissions. The user also gets some additional info about the program requesting the elevation. Beta Bot targets this interface and tries to exploit the human user with a social engineering trick.


Read more: http://blog.gdatasoftware.com/blog/article/a-new-bot-on-the-market-beta-bot.html
 

DrBeenGolfing

Level 1
Verified
Mar 16, 2013
582
Any idea where the list of 30+ Security Programs it can disable is?
Since this has been out a couple of months, I'm guessing most companies have a fix for it?
 

3link9

Level 5
Verified
Oct 22, 2011
860
DrBeenGolfing said:
Any idea where the list of 30+ Security Programs it can disable is?
Since this has been out a couple of months, I'm guessing most companies have a fix for it?

Not sure but my guess is GData is either fixing or has a fix for it. But who knows....
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
This is a vulnerability for most security applications, since it will test the self protection against viruses termination.
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
The Kaspersky self-protection module used to be one of the best on the market, but as it seems bot creators did catch up.
That being said, I can see this bot wreak havoc amongst p2p/torrent users and the average click-finger-happy home users.

However, I believe that on a session-based network this bot will have little or no option to run itself, as none of the client PCs will ever run under admin rights, nor will any client module ever have enough rights to execute such a program.
That does not mean this bot is harmless as most bots are real pieces of work and one could say a piece of coding art.
But here comes the vital rule again:

If you take care of your system, using brains and:
1: Policy based rule sets + Group/user Sessions.
2: Carefully regulated User Access Control/Permissions.
3: Limited account rights.


Which can be achieved rather easily even in a home environment, then the odds that this bot will rock your day are virtually NIL.
In fact I venture to say that if you do not use your built-in Admin account and just purely use your PC with limited access rights, this bot just cannot penetrate your system.

What annoys me from time to time is that if you look around on other forums and review pages, sometimes a protection suite gets flamed for its inability to provide you with a proper level of security, and thus how bad the program is, but there is one rule that applies to 75% of all Malware out there and 100% to all protection suites money can buy.
Your happy click finger is the final factor which can render ANY security suite useless.

And let's face it, the average computer user is in fact just a happy click junk who clicks everything that says click here.
And thus they willingly-knowingly or unwillingly-and just plain stupid accept that their click habit just did disable their security and that they accepted a program to run in the first place.

Now in regards to Kaspersky, I personally know that KAV is one kick-ass product and that it does have everything a good suite should have, and I have trouble believing that KAV can be terminated in client/limited account mode.
Obviously if you are running an admin account, which is asking to be infected IMO, then anything can be disabled.

That said, this seems to be a dangerous bot, especially to those who do not have a clue, but to those who have a bit of knowledge and common sense I cannot see this bot being more than just an annoyance.

Cheers
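
Added example, not part of the thread or of G Data's article: a read-only PowerShell check of the UAC settings and account type that the quoted article and the limited-account advice above depend on. The function name `Get-UacPosture` and the finding texts are made up for this example; the registry values and `whoami` options are the standard Windows ones.

```powershell
# Added example: report how much stands between a "Yes" click and elevation.
# Read-only. Run it in a normal (non-elevated) session of the daily account.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = Get-ItemProperty -Path $key   # a missing value reads as $null

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $identity
    # True only if this process already holds the elevated (high) token.
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # BUILTIN\Administrators (S-1-5-32-544) is listed in an admin account's
    # token even while UAC filters it to deny-only. Its presence separates
    # "admin who only has to click Yes" from a real limited account.
    $groups = whoami /groups /fo csv /nh |
        ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $adminAccount = [bool]($groups | Where-Object Sid -eq 'S-1-5-32-544')

    $findings = @()
    if ($pol.EnableLUA -ne 1) {
        $findings += 'UAC is off: an admin user runs everything elevated.'
    }
    if ($pol.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admins are elevated silently, without any prompt.'
    }
    if ($pol.PromptOnSecureDesktop -ne 1) {
        $findings += 'Elevation prompt is not shown on the secure desktop.'
    }
    if ($adminAccount) {
        $findings += 'Daily account is an administrator: one "Yes" elevates.'
    }
    if ($elevated) {
        $findings += 'This session is already elevated.'
    }

    [pscustomobject]@{
        User                       = $identity.Name
        IsAdminAccount             = $adminAccount
        IsElevatedNow              = $elevated
        EnableLUA                  = $pol.EnableLUA
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin
        ConsentPromptBehaviorUser  = $pol.ConsentPromptBehaviorUser
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        Findings                   = $findings
    }
}

Get-UacPosture | Format-List
```

An empty `Findings` list with `IsAdminAccount` false is the limited-account setup described above: elevation then needs an administrator's credentials rather than a single click.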
 
