Can you imagine your hard drive getting formatted by a virus, just because you clicked on an interesting Website? Sounds unbelievable, right? But it’s highly possible with viruses written in ActiveX and Java. These are some of the stealthiest viruses that you could come across, and they wreak considerable havoc on your PC.
ActiveX controls and Java applets are small programs designed to make your browsing experience more interactive. Based on the Component Object Model (COM), ActiveX controls are written in native code for a specific platform such as Windows. When you encounter a page that uses an ActiveX control, the browser can install and run it dynamically.
Java is an interpreted language that can run on multiple platforms using a virtual machine. When you download a Java applet, the browser’s Java virtual machine translates it into native code, so that your system can run it.
ActiveX controls are more powerful than Java applets as they give more functionality. However, this could also compromise security. ActiveX controls are native programs that can do everything a native Windows program can do. They can access your files, move or even delete them. A Web programmer could write an ActiveX control, say a video game, with a trojan. While you’re busy playing, the trojan could scan your drive for tax records or other important documents, and e-mail them to another location.
Even standard ActiveX programs can be made to perform malicious deeds using HTML and VBScript. For example, if Microsoft’s ActiveMovie control is told to play a movie from the URL file:///aux, IE goes into an infinite loop in Win 95. Attempting to shut down IE by doing an “End Task” will, more often than not, crash Win 95.
The VBScript and ActiveX combo disk crasher is even more dangerous. It contains some function calls written in VBScript to write files to disks. This could overwrite key system files like Autoexec.bat, config.sys, reg.dat, etc. And you could get this virus on your PC simply by visiting an unknown Website containing ActiveX controls. The worst part about VBScript is that it can bypass the highest level of security in IE. The Cuartango Window, described below, is an example of this.
ActiveX
Here are some examples of how ActiveX code can be made to perform malicious deeds on your PC. Note that these are only demos right now, but who knows about tomorrow?
Cuartango Window
This uses VBScript and affects IE 4. When it encounters a Web page with an ActiveX element, it warns the user by popping an error message–“An ActiveX element of this page could be unsafe, do you want to initialize it and be accessed by the scripts?” Hardly anybody would click “Yes” to this. However, with the help of VBScript, the programmer can actually reverse the function of these two buttons. So if you click “No”, it would actually mean a “Yes”. After this, you’re at the mercy of the virus.
Exploder
This ActiveX control can do a clean shutdown of Win 95 or turn off the power on machines with power conservation BIOS (green machines). For the techies, it means a call to the Windows API function ExitWindowsEx() with the flags EWX_SHUTDOWN and EWX_POWEROFF set. For the rest of us, it’s the same as the “Shut Down” command on the Start menu, with the power off feature added.
Hard Disk Explorer
This ActiveX control can access your hard disk. It uses the pre-loader ability to report the presence or absence of a file or URL to a controlling script, and loops through a number of “well-known” critical user files, to determine information about the user’s system. This information could be sent back to the virus author for malicious purposes, or used to test for the presence of other security holes.
Can Java be a menace?
Java uses what’s called the Sandbox approach. It’s an environment that programs can play in without damaging anything outside it. This prevents applets from reading or writing files or interacting with other parts of the system. So you can be reasonably certain that nothing can go wrong, as Java applets can’t read or write files to the hard drive. The tradeoff here is that, without being able to read and write files, applets are severely limited in what they can do.
JavaSoft has responded to these limitations by creating, in Version 1.1 of its Java Development Kit, the ability to sign and trust applets, just like Authenticode in ActiveX. In JDK 1.1, signed applets can run outside the sandbox. Like ActiveX controls, these certified applets would also have the potential to do malicious things to the system.
So far, only two viruses have become known in Java—Strange_Brew and Java.BeanHive.
Strange_Brew_Virus
This was found in August 1998 and infects Java classes. It can replicate itself only if access to disk files is allowed—that is, if you enable the disk access functions. This is possible if the infected file is run as a Java application, and not as an applet. So, if the infected file is run as an applet under known browsers, the virus can’t replicate itself. The system will display a warning message and terminate the virus.
When run as a Java application, it can access Java functions for file searching, opening, reading, writing, closing, etc, and the programmer can make it even more powerful. The virus has the string Strange_Brew_Virus() in it, from which it derives its name.
Java.BeanHive
This virus is stealthier. Unlike the first one, it uses the browser to gain access to your data. It prompts you to accept a certificate called “Landing Camel”. If accepted, this certificate is used to access the system. The virus is divided into two parts—starter and main. While replicating, the virus infects Java files only by its starter, while the main virus code remains on a remote Web server.
When an infected Java application is run, the starter code reads the main virus code from this remote server, and executes it. The main virus routine then searches for Java files in the current directory and all subdirectories, and infects them with the virus starter. The virus becomes active as soon as it comes in contact with BeanHive.class in any Java application. This can have dangerous implications. The virus could copy some code—to rewrite important files, etc—on to your hard disk remotely and run it.
Gimme protection
So far, there haven’t been any major ActiveX or Java virus outbreaks, but that doesn’t mean it can’t happen. With hundreds of viruses being created every month, it’s just a matter of time.
So, how do you protect yourself from the onslaught? For one thing, use the latest virus scanner on your desktop. Most of these now have protection against Java and ActiveX viruses. You could also completely disable ActiveX controls from your Web browser, but then, you’ll miss out on good Websites that use ActiveX. An alternative, but longer, procedure is to use an IE feature called Authenticode, which uses digital signatures to identify each control. By checking the signature with a known verification authority—the most well-known being Verisign—you can find out whether it’s safe to run ActiveX controls from a particular Website.
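As an added example (not from the original article), the PowerShell audit below checks the two defences this paragraph names on a Windows machine: whether each control IE has cached in its Downloaded Program Files folder carries a valid Authenticode signature, and how the Internet zone is configured for downloading and running ActiveX. The folder path and the zone action codes (1001, 1004, 1200, 1201; data 0 = Enable, 1 = Prompt, 3 = Disable) are standard Windows locations; the two function names are my own.

```powershell
# Added example: audit ActiveX defences with PowerShell (Windows PowerShell 5.1+).
# Assumptions: IE caches downloaded controls under %WINDIR%\Downloaded Program Files;
# Get-AuthenticodeSignature is available. Function names are hypothetical (mine).

function Get-ActiveXSignatureReport {
    param(
        [string]$Folder = (Join-Path $env:WINDIR 'Downloaded Program Files')
    )
    # Controls ship as .ocx or .dll; each should carry a valid Authenticode signature.
    Get-ChildItem -Path $Folder -Recurse -Include *.ocx, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File    = $_.Name
                Status  = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(none)' }
                # Anything other than Valid is a control you have no reason to trust.
                Trusted = ($sig.Status -eq 'Valid')
            }
        }
}

function Get-InternetZoneActiveXPolicy {
    # Zone 3 is the Internet zone. Action codes (Microsoft zone settings):
    #   1001 Download signed ActiveX controls
    #   1004 Download unsigned ActiveX controls
    #   1200 Run ActiveX controls and plug-ins
    #   1201 Initialize and script ActiveX controls not marked as safe
    # Data values: 0 = Enable, 1 = Prompt, 3 = Disable.
    $key     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $actions = @{ '1001' = 'Download signed controls'; '1004' = 'Download unsigned controls';
                  '1200' = 'Run controls and plug-ins'; '1201' = 'Script controls not marked safe' }
    $meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    $zone    = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($code in ($actions.Keys | Sort-Object)) {
        $value = $zone.$code   # $null when the value (or the key) is absent
        [pscustomobject]@{
            Action  = $actions[$code]
            Setting = if ($null -ne $value -and $meaning.ContainsKey([int]$value)) { $meaning[[int]$value] } else { "raw=$value" }
        }
    }
}

Get-ActiveXSignatureReport    | Format-Table -AutoSize
Get-InternetZoneActiveXPolicy | Format-Table -AutoSize
```

A control whose Status is not Valid, or an Internet zone where unsigned downloads are set to Enable, is exactly the situation the article warns about.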