---------------------------------------------------------------------------- ARTICLE FOR CODEBREAKERS EZINE #5 TITLE: BeanHive: The real story ---------------------------------------------------------------------------- *Editors Note: In the beanhive directory of this zine, there is the source, demo, binary, and tools to help you understand, test, and create the beanhive java virus. -Opic [CodeBreakers 1999]* Before I start my brief analysis of the BeanHive virus I would like to take this opportunity to make people aware of a couple of things: 1) I would like to extend greetings to all those who have dedicated a portion of their lives to reading this article. I would also like to thank all those people out there who have helped me out during my short time in the vx world, in particular Sp0oky, opic, and the rest of the codebreakers team. 2) Secondly I would like to say a big FUCK YOU! to everyone who says that java viruses are pieces of shit and that I have no programming ability. If you are reading this then I would really like you to print this article out and shove it so far up your fucking ..... and then your mother will be saying shit like 'what the hell happened to your' .... and then you'll have to go to the doctor and he'll stick his arm so far up .... and the blood will start ... all over you're sister's .... Anyway, in summary, if you are one of those people that lives only to give shit to people ...... The first group of people to write up about BeanHive were a group of Austrian antivirus people. Their write up is detailed here, with slight modifications, and since they printed potions of my press release on their website without identifying their source, I shall endeavor not to identify the source of this article. ---------------------------------Start Article---------------------------------- BEANHIVE The First Attack From A Java-Virus Against Users "Strange_Brew", the first actually working Java virus named BEANHIVE, which scared JAVA society for a long time, comes up to threaten computer users directly. The specialist of Software analyse the BEANHIVE Java-virus first and provided an effective remedy by a new update. Commentary: If I was going to have something that I had written, translated into another language, I would atleast pay someone to get the grammar right. That introduction doesn't make sense at all, bunch of illiterate freaks. And in response to your statement, noone believes anything that I have written is a threat to anything. BEANHIVE is the first foretaste of the immense possibility that Java viruses would be found on your infected platforms. You can be infected easily by surfing on Internet, clicking on a page containing an infected Applet and taking its course. Commentary: Once again the meaning of this paragraph is lost during the translation. Although, this seems to sound a bit like my opening statement "This new virus, named the BeanHive virus for reasons explained below, is revolutionary in demonstrating the immense power that java viruses can gain over the host platform." Forgive me but this is sounding a little similar to my original press release. But the story unfolds further..... The virus consists of 2 component, the "Queen" and the "Worker". The real infection is executed by the Worker, who hides in Java class files on your PC quietly until it runs. If the Worker awakens to find himself without his "Queen", he will try to communicate his Queen across Internet. Is the communication successfully built, the Queen will travel to the local PC where the Worker calls her. Commentary: Now this is extracted straight from what I wrote. This is MY analogy, MY metaphor, if you use parts of an article that I have written you should atleast acknowledge the author, this article is, believe it or not, governed by Australian copyright laws, as well as plagiarism laws. Bunch of miserable law breaking sluts. Then the Queen begins to build her "beanhive", while the Worker go to "sleep" again. Completing all her tasks, the Queen waits for the next call from a Worker for travelling there to build another "beanhive". Commentary: Same as previous notes, except now they are law breaking whores. These abilities enables BEANHIVE to overtake all imiginable variants of functions. The Worker acts as infector, which calls the Queen from local file system with full rights on the infected platform. Currently, the Queen program contains no damage function, except infecting all Java class files that can be accessed at the current directory. However, the creation of BEANHIVE enables that the possible successors and update programs (which has been already claimed) can be built in this way that a Trojaner with the Worker loads the Queen down to your computer. "The possibilities that BEANHIVE opens can describe safely as disturbing", Gerald said, leader of the analysis department of Software. Commentary: Finally we get some valid points, although they are few in number and are surrounded by many additional misleading facts. The Software company states that it has already been claimed that it is possible to change the virus even when it is in the wild. After all the other parts of my article which you blatantly plagiarised, why acknowledge this one piece of information? The virus was written by Landing Camel, a VX coder of the Codebreakers. About his motivation to write this virus, Landing Camel meant, that the reaction of his friends to Strange Brew was that there was still no virus that could infect Java Applets directly over Browser. Therefore he challenged with a proof to the contrary and developed BEANHIVE, with which the infection of Java files could come up over Netscape as well as Internet Explorer. Commentary: These guys really are stupid. Beanhive doesn't infect applets, if they had looked at the code at all they would have discovered that one of the first checks that is done is to determine whether the class file has a super class other than java.lang.Object. Atleast they spelled my name correctly, some credit for writing more than half of their article would be quite deserved in my opinion. The easiest way to protect yourself from these damages is to disable Java Applets on your browser or directly on your proxy. Warning messages about the certification of the Java files will be given out by browsers during the Applet runs. However, BEANHIVE infects the local Java class file if users ignore the advice. Commentary: I'm sorry we're going to have to get the judges to give a ruling on that one.... 'WRONG!' Something was again lost in the translation, or Software really are as stupid as I have been lead to believe. The virus cannot infect anything if you deny the certificate. When you consider safety important, the experts of Software recommend you to use a good virus protection program, which can reliably detect BEANHIVE. Commentary: If you consider safety important, steer clear of Software. Their 'so called' experts wouldn't know the difference between 'breech of copyright', 'plagiarism', or 'homosexuality'. Support Center: ++43 / (x)x / xxxxx xxx ----------------------------------End Article----------------------------------- Now onto the only (partially) accurate description of the beanhive virus excerpted from avp. ---------------------------------Start Article---------------------------------- Java.BeanHive This virus is a Java program, replicates under Java machine and infects other Java files (applications). This is the second known Java virus after "Java.StrangeBrew"}. The virus has a very unusual way of spreading. It is divided into two parts: "starter" and "main". While replicating the virus infects Java files only by its starter, and the main virus code is present on a remote Web server only (on the Web server of hacker's Codebreakers group). When an infected Java application runs, the virus started reads the main virus code from this remote server, and executes it. The main virus routine then searches for Java files in the current directory and all subdirectories, and infects them with the virus starter. The main part of virus code is not copied to victim files, and does not present on the infected computer in any file form. It only runs on a computer as Java program, and there are no traces of it when the virus releases control to the system. As a result, while infecting the virus copies just a small part of its code. The main virus routines are stored only on a remote server. Features The technology used in this virus has several advantages. This multi-component way of infection allows to the virus to hide its code in infected files: the length of files grows by small value, and after brief look the inserted virus code seems to be harmless. The combination starter-main also allows to virus writer(s) to "upgrade" the virus with new versions just by replacing virus main code on their server. It is necessary to note, that the virus is able to replicate only under very limited conditions. It is absolutely not able to infect the system being run as Java applet under any of popular Web browsers. The standard security protection cancels any attempts to access disk files, or evento download remote Java file. The virus is able to spread only being run as a disk file as Java application by using the Java machine. Technical details The virus starter is a short Java program about 40 lines of code. When it takes control, it connects to the remote Web server, downloads main virus code that is saved there in the BeanHive.class file and runs it as a subroutine. The main virus code is also divided into six parts and stored in five different Java files. These files are downloaded from Web server and run in case of need: BeanHive.class : searching for files in directory tree +--- e89a763c.class : file format parsing +--- a98b34f2.class : file access functions +--- be93a29f.class : preparing file for infection (part1) +--- c8f67b45.class : preparing file for infection (part2) +--- dc98e742.class : inserting virus starter into victim file While infecting the virus parses internal Java formats, writes into the file the starter's code as a "loadClass" subroutine and adds to file constructor's code the call for this subroutine: loadClass("BeanHive"). The passed parameter ("BeanHive") points to the name of remote file (on the Web server) with the main virus code. ----------------------------------End Article----------------------------------- Well that about wraps it up, the few things about this virus I would like to mention are that this one actually uses a bit of modularity, something which I in no way condone the use of this virus for dubious purposes but if you are that way inclined then it is quite possible for you to create your own variant of this beast, here is an idea for you. Obtain a copy of a java ftp client, there are plenty around, some as small as 8k. Write some code that will search the current directory for java source files and upload them to your own account. Pass the new virus around to some of your mates (or not mates as the case may be) and say that it is a byte code optimiser, and that it also protects the code from disassembly by creating a new classloader preventing debuggers ... blah blah blah. Wait for all those assignments to start filtering through, meaning less work for you and more time for drinking. Excellent. There are a few bits and pieces that I have included with this article which were instrumental in writing this virus. One is the tiny webserver which is only 45k in size. For testing purposes I used http://localhost/ as the location of the class files. Another tool which I did not use but which might be handy to test out compiled code is a java tcp reflector, with that you can make www.codebreakers.org resolve to localhost and everything should be fine... (untested so dont blame me if it doesn't work). Both are freeware or shareware so send the author an email if you use any of it. Beanhive certainly is an advance on the last virus but still fails when it comes to 'in the wild' ability. The next one will start to address these issues but until then remember, The best you can expect is to avoid the worst. Landing Camel The Codebreakers February 1999