Java ".class" files are synonymous in many ways with standard application ".EXE" files used by Windows 95 or Windows NT; however, Java ".class" files can be used on virtually any computer system which supports Java technology. This means that this virus is capable of successful replication on literally dozens of different computing platforms. Traditional computer viruses are only capable of spreading on one or at most a small number of computing environments. For instance, the recent W95.CIH virus is only capable of infecting Windows 95 or 98 systems. By contrast, the Strange Brew virus will function equally well on Windows 95, UNIX servers, and CRAY supercomputers, to name just a few.
This virus can infect both Java applet files as well as Java application files. Java applets are programs written in Java that are typically downloaded from the web and can only be run from within a web browser (such as Internet Explorer or Netscape Navigator). Java applications are stand-alone programs that can be run on a computer, outside of any browser.
The Strange Brew virus is only capable of spreading when an infected Java application file is launched. Infected Java applets cannot spread from within a properly secured web browser such as Internet Explorer or Netscape Navigator because the infected applets fail the security checks imposed by the browser and are immediately terminated. This means that one cannot contract this virus by web surfing, so typical Internet users are at no risk from the virus. The virus can be spread by running an infected Java application; however, very few companies or users employ Java applications, making the risk of such an infection very small.
In addition to being a parasitic virus (described above), Strange Brew is also a direct action virus. This means that as soon as the virus gets control from an infected application, it will immediately attempt to infect other files. Once it has finished infecting, it will yield control to the host application and terminate itself. The virus will not install itself in your computer's memory nor will it perform any subsequent infection or do further harm.
This virus infects host applications in such a way that it will not always gain control when an infected application is launched (whether or not the virus gets control depends on how the host Java application is used and its program logic). However, when the virus does gain control, it runs in two phases. First, the virus will search the current directory for other previously infected "class" files. Once it has located such a Strange Brew-infected file, the virus will load regions of the infected file into memory; this information constitutes the viral program logic and data and is required to infect subsequent files. After the virus has loaded this information, it starts the second phase of the infection process, described below. If the virus cannot locate any infected files in the current directory, it aborts infection and returns control to the host Java application.
Once the virus has located an infected file and loaded its contents into memory, it starts to look for new files to infect. If a ".class" file has a file size which is evenly divisible by 101, the virus will assume that the file is already infected; this is because the Strange Brew virus updates all files it infects to have a file size divisible by 101. However, this logic will also cause the virus to pass over some uninfected files which happen to have a Strange Brew-like size. Once the virus locates a ".class" file which does not appear to be infected, it checks the file to see if it is suitable for infection, based on some internal criteria. If the file is not suitable for infection, the virus will insert a number of bytes into the file to increase its size to be divisible by 101. This allows the virus to quickly skip over unsuitable files during subsequent infection attempts.
If the virus finds a ".class" file which is suitable for infection, it will insert itself into this new host file (a file which gets infected by a virus is referred to as a host file). The virus infects new ".class" files by creating a new section (a new method) in the file and adding its own program logic to this section. It will insert this new section before all of the host file's original program logic sections. The virus then patches the host's original program logic to transfer control to the newly inserted viral logic. During this patching, the virus will actually change the host program's error handling capabilities, causing some infected programs to function incorrectly. However, many Java applications will still function properly. Finally, the virus will update a number of other tables and fields in the file.
The virus will attempt to infect every suitable ".class" file in the current directory before returning control to the host application, increasing each file's size by roughly 3,890 bytes. The virus will also change the directory date and time stamp of each file that it has processed.
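A defender's triage check built from the two observations above (the file size divisible by 101 that the virus uses as its infection marker, and the viral method inserted ahead of the host's own methods), as an added example that is not from the original write-up: it walks a ".class" file's constant pool and member tables and reports both signals side by side, so the weak size heuristic can be confirmed or dismissed by the structural one. The method name "Strange_Brew_Virus" is assumed from the Internet Explorer error message quoted later on this page; the test image built by build_class is constructed for the parser and is not loadable by a JVM.

```python
import struct

# Body bytes after the tag for fixed-width constant-pool entries (tag 1, Utf8, is variable).
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def method_names(data):
    """Walk a .class image and return its method names in file order."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    (cp_count,) = struct.unpack_from(">H", data, 8)
    pos, cp, i = 10, [None], 1                 # constant pool is 1-indexed
    while i < cp_count:
        tag = data[pos]; pos += 1
        if tag == 1:                           # u2 length + modified UTF-8 bytes
            (n,) = struct.unpack_from(">H", data, pos)
            cp.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            cp.append(None); pos += CP_FIXED[tag]
            if tag in (5, 6):                  # long/double take two pool slots
                cp.append(None); i += 1
        i += 1
    pos += 6                                   # access_flags, this_class, super_class
    (n_if,) = struct.unpack_from(">H", data, pos); pos += 2 + 2 * n_if
    names = []
    for section in ("fields", "methods"):      # both use the same member layout
        (count,) = struct.unpack_from(">H", data, pos); pos += 2
        for _ in range(count):
            _, name_idx, _, n_attr = struct.unpack_from(">HHHH", data, pos); pos += 8
            for _ in range(n_attr):            # skip name index, length and body
                (_, alen) = struct.unpack_from(">HI", data, pos); pos += 6 + alen
            if section == "methods":
                names.append(cp[name_idx])
    return names

def assess(data):
    names = method_names(data)
    return {"size_mod_101": len(data) % 101 == 0,        # also true for some clean files
            "suspect_method": "Strange_Brew_Virus" in names,  # assumed name, see lead-in
            "first_method": names[0] if names else None}  # virus prepends its method

def build_class(methods, pad_to_mod_101=False):
    # Constructed test image: one Utf8 entry per method, no code; not JVM-loadable.
    pool = b"".join(b"\x01" + struct.pack(">H", len(m)) + m.encode() for m in methods)
    members = b"".join(struct.pack(">HHHH", 0, i + 1, i + 1, 0) for i in range(len(methods)))
    data = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, len(methods) + 1) + pool
            + struct.pack(">HHHHHH", 0, 0, 0, 0, 0, len(methods)) + members)
    while pad_to_mod_101 and len(data) % 101:
        data += b"\x00"                        # trailing bytes mimic the size marker
    return data
```

On a real scan, treat "size_mod_101" alone as a hint only; the write-up itself notes that the size rule misclassifies uninfected files, which the padded clean image in the test reproduces.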
This insertion process is poorly designed and has several serious bugs which can cause the virus to infect files incorrectly or crash. If the virus does crash during an attempted infection, the host Java application will be terminated and further infection will cease.
The Strange Brew virus contains no intentional payload and will not cause any additional damage beyond infecting or possibly damaging (because of incorrect infection) Java executable files. This virus is not "in the wild" and is not known to have affected actual users. It is not considered a threat to typical end-users or corporations. However, anyone doing Java/WWW development is at risk of having their Java ".class" files infected or corrupted.
Users who are infected by this virus may notice their Java applications take longer to load during start-up or fail to operate. If an infected Java applet is inadvertently downloaded and run inside a WWW browser, the following messages may be displayed:
Netscape 4.05:
Applet <Applet name> can't start: class got a security violation: method verification error
IE4.0:
error: com.ms.lang.VerifyErrorEx: WVLayout.Strange_Brew_Virus: invalid constant value
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":