----------------------------------------------------------------------------
ARTICLE FOR CODEBREAKERS EZINE #5 TITLE: BeanHive: The real story
----------------------------------------------------------------------------

*Editors Note: In the beanhive directory of this zine, there is the source, 
demo, binary, and tools to help you understand, test, and create the 
beanhive java virus. -Opic [CodeBreakers 1999]*

Before I start my brief analysis of the BeanHive virus I would like to take
this opportunity to make people aware of a couple of things:

1) I would like to extend greetings to all those who have dedicated a portion
of their lives to reading this article. I would also like to thank all those 
people out there who have helped me out during my short time in the vx world,
in particular Sp0oky, opic, and the rest of the codebreakers team.

2) Secondly I would like to say a big FUCK YOU! to everyone who says that 
java viruses are pieces of shit and that I have no programming ability. If 
you are reading this then I would really like you to print this article out 
and shove it so far up your fucking ..... and then your mother will be 
saying shit like 'what the hell happened to your' .... and then you'll have 
to go to the doctor and he'll stick his arm so far up .... and the blood 
will start ... all over you're sister's .... Anyway, in summary, if you are 
one of those people that lives only to give shit to people ......

The first group of people to write up about BeanHive were a group of 
Austrian antivirus people. Their write up is detailed here, with slight 
modifications, and since they printed potions of my press release on their 
website without identifying their source, I shall endeavor not to identify 
the source of this article.

---------------------------------Start Article----------------------------------

BEANHIVE
The First Attack From A Java-Virus Against Users
"Strange_Brew", the first actually working Java virus named BEANHIVE, which 
scared JAVA society for a long time, comes up to threaten computer users 
directly. The specialist of <Bogus> Software analyse the BEANHIVE Java-virus 
first and provided an effective remedy by a new update.

Commentary: If I was going to have something that I had written, translated 
into another language, I would atleast pay someone to get the grammar right. 
That introduction doesn't make sense at all, bunch of illiterate freaks. And 
in response to your statement, noone believes anything that I have written 
is a threat to anything.

BEANHIVE is the first foretaste of the immense possibility that Java viruses 
would be found on your infected platforms. You can be infected easily by 
surfing on Internet, clicking on a page containing an infected Applet and 
taking its course.

Commentary: Once again the meaning of this paragraph is lost during the 
translation. Although, this seems to sound a bit like my opening statement 
"This new virus, named the BeanHive virus for reasons explained below, is 
revolutionary in demonstrating the immense power that java viruses can gain 
over the host platform." Forgive me but this is sounding a little similar to 
my original press release. But the story unfolds further.....

The virus consists of 2 component, the "Queen" and the "Worker". The real 
infection is executed by the Worker, who hides in Java class files on your 
PC quietly until it runs. If the Worker awakens to find himself without his 
"Queen", he will try to communicate his Queen across Internet. Is the 
communication successfully built, the Queen will travel to the local PC 
where the Worker calls her.

Commentary: Now this is extracted straight from what I wrote. This is MY 
analogy, MY metaphor, if you use parts of an article that I have written 
you should atleast acknowledge the author, this article is, believe it or 
not, governed by Australian copyright laws, as well as plagiarism laws. 
Bunch of miserable law breaking sluts.

Then the Queen begins to build her "beanhive", while the Worker go to 
"sleep" again. Completing all her tasks, the Queen waits for the next call 
from a Worker for travelling there to build another "beanhive".

Commentary: Same as previous notes, except now they are law breaking whores.

These abilities enables BEANHIVE to overtake all imiginable variants of 
functions. The Worker acts as infector, which calls the Queen from local 
file system with full rights on the infected platform. Currently, the Queen 
program contains no damage function, except infecting all Java class files 
that can be accessed at the current directory. However, the creation of 
BEANHIVE enables that the possible successors and update programs (which 
has been already claimed) can be built in this way that a Trojaner with the 
Worker loads the Queen down to your computer. "The possibilities that 
BEANHIVE opens can describe safely as disturbing", Gerald <Bogus> said, 
leader of the analysis department of <Bogus> Software. 

Commentary: Finally we get some valid points, although they are few in 
number and are surrounded by many additional misleading facts. The <Bogus> 
Software company states that it has already been claimed that it is possible 
to change the virus even when it is in the wild. After all the other parts 
of my article which you blatantly plagiarised, why acknowledge this one 
piece of information?

The virus was written by Landing Camel, a VX coder of the Codebreakers. 
About his motivation to write this virus, Landing Camel meant, that the 
reaction of his friends to Strange Brew was that there was still no virus 
that could infect Java Applets directly over Browser. Therefore he 
challenged with a proof to the contrary and developed BEANHIVE, with which 
the infection of Java files could come up over Netscape as well as 
Internet Explorer.

Commentary: These guys really are stupid. Beanhive doesn't infect applets, 
if they had looked at the code at all they would have discovered that one 
of the first checks that is done is to determine whether the class file has 
a super class other than java.lang.Object. Atleast they spelled my name 
correctly, some credit for writing more than half of their article would 
be quite deserved in my opinion.

The easiest way to protect yourself from these damages is to disable Java 
Applets on your browser or directly on your proxy. Warning messages about 
the certification of the Java files will be given out by browsers during the 
Applet runs. However, BEANHIVE infects the local Java class file if users 
ignore the advice.

Commentary: I'm sorry we're going to have to get the judges to give a 
ruling on that one.... 'WRONG!' Something was again lost in the translation, 
or <Bogus> Software really are as stupid as I have been lead to believe. 
The virus cannot infect anything if you deny the certificate.

When you consider safety important, the experts of <Bogus> Software 
recommend you to use a good virus protection program, which can reliably 
detect BEANHIVE.

Commentary: If you consider safety important, steer clear of <Bogus> 
Software. Their 'so called' experts wouldn't know the difference between 
'breech of copyright', 'plagiarism', or 'homosexuality'.

<Bogus> Support Center: ++43 / (x)x / xxxxx xxx 

----------------------------------End Article-----------------------------------

Now onto the only (partially) accurate description of the beanhive virus 
excerpted from avp.

---------------------------------Start Article----------------------------------

Java.BeanHive

This virus is a Java program, replicates under Java machine and infects 
other Java files (applications). This is the second known Java virus after 
"Java.StrangeBrew"}. The virus has a very unusual way of spreading. It is 
divided into two parts: "starter" and "main". While replicating the virus 
infects Java files only by its starter, and the main virus code is present 
on a remote Web server only (on the Web server of hacker's Codebreakers 
group). 

When an infected Java application runs, the virus started reads the main 
virus code from this remote server, and executes it. The main virus routine 
then searches for Java files in the current directory and all subdirectories,
and infects them with the virus starter. The main part of virus code is not 
copied to victim files, and does not present on the infected computer in 
any file form. It only runs on a computer as Java program, and there are no 
traces of it when the virus releases control to the system. 

As a result, while infecting the virus copies just a small part of its code. 
The main virus routines are stored only on a remote server. 

Features
The technology used in this virus has several advantages. This 
multi-component way of infection allows to the virus to hide its code in 
infected files: the length of files grows by small value, and after brief 
look the inserted virus code seems to be harmless. The combination 
starter-main also allows to virus writer(s) to "upgrade" the virus with new 
versions just by replacing virus main code on their server. 

It is necessary to note, that the virus is able to replicate only under 
very limited conditions. It is absolutely not able to infect the system 
being run as Java applet under any of popular Web browsers. The standard 
security protection cancels any attempts to access disk files, or evento 
download remote Java file. 

The virus is able to spread only being run as a disk file as Java application
by using the Java machine. 

Technical details
The virus starter is a short Java program about 40 lines of code. When it 
takes control, it connects to the remote Web server, downloads main virus 
code that is saved there in the BeanHive.class file and runs it as a 
subroutine. The main virus code is also divided into six parts and stored 
in five different Java files. These files are downloaded from Web server and 
run in case of need: 

 BeanHive.class             : searching for files in directory tree
  +--- e89a763c.class       : file format parsing
        +--- a98b34f2.class : file access functions
        +--- be93a29f.class : preparing file for infection (part1)
        +--- c8f67b45.class : preparing file for infection (part2)
        +--- dc98e742.class : inserting virus starter into victim file
While infecting the virus parses internal Java formats, writes into the file 
the starter's code as a "loadClass" subroutine and adds to file constructor's
code the call for this subroutine: loadClass("BeanHive"). The passed 
parameter ("BeanHive") points to the name of remote file (on the Web server) 
with the main virus code. 

----------------------------------End Article-----------------------------------

Well that about wraps it up, the few things about this virus I would like to 
mention are that this one actually uses a bit of modularity, something which 
I in no way condone the use of this virus for dubious purposes but if you are
that way inclined then it is quite possible for you to create your own 
variant of this beast, here is an idea for you. Obtain a copy of a java ftp 
client, there are plenty around, some as small as 8k. Write some code that 
will search the current directory for java source files and upload them to 
your own account. Pass the new virus around to some of your mates (or not 
mates as the case may be) and say that it is a byte code optimiser, and that 
it also protects the code from disassembly by creating a new classloader 
preventing debuggers ... blah blah blah. Wait for all those assignments to 
start filtering through, meaning less work for you and more time for 
drinking. 

Excellent.

There are a few bits and pieces that I have included with this article which 
were instrumental in writing this virus. One is the tiny webserver which is 
only 45k in size. For testing purposes I used http://localhost/ as the 
location of the class files. Another tool which I did not use but which 
might be handy to test out compiled code is a java tcp reflector, with that 
you can make www.codebreakers.org resolve to localhost and everything should 
be fine... (untested so dont blame me if it doesn't work). Both are freeware 
or shareware so send the author an email if you use any of it.

Beanhive certainly is an advance on the last virus but still fails when it 
comes to 'in the wild' ability. The next one will start to address these 
issues but until then remember,

The best you can expect is to avoid the worst.

Landing Camel
The Codebreakers
February 1999


