The first Java virus

August 20, 1998 Sophos Press Release

The first Java virus has just appeared: "Strange Brew". Here are some questions and answers about the virus.

Q. I thought Java viruses were impossible?

A. Java is a programming language. One of its goals is to help programmers write programs with fewer errors by avoiding the sort of "total low-level control" that a language like C gives to the programmer. One side-effect of this it is rather more complicated to write a virus in Java than it is to write a virus in C or in assembly language. It is not, however, impossible to write Java viruses, as "Strange Brew" demonstrates.

Q. So how does "Strange Brew" work?

A. When an infected program (a Java .class file) is run, it looks for other, uninfected .class files in the user's current directory. The virus then copies itself into these files, modifying them so that when they are run in future, the virus receives control first. There is no explicit warhead built in to the virus, but (probably because of the complexity of manipulating .class files) it contains bugs which cause it to damage some of the files it infects so that they no longer run properly.

Q. But I thought Java was secure?

A. Programs written in Java have one of two forms: applications or applets. Java applications are like applications written in C, or Pascal, or BASIC, and can do the things that you would expect applications to do. After all, an application such as a word processor which could not save files to disk or write to the printer would be of little use. In other words, a Java application can perform operations that could compromise security.

Java applets are different, in that they are run by another application (such as a web browser) which is responsible for executing them in a secure environment, often called a "sandbox". When running in this sandbox, any Java operations which might compromise security are disallowed -- in theory, at any rate.

Broadly speaking, applets are secure; applications may not be. When you visit a Java-enabled website, you are downloading and running applets. So, broadly speaking, you can't catch "Strange Brew" in this way.

Q. But aren't there holes in the sandbox which makes applets insecure?

A. The Java "sandbox" has been rather carefully thought out, so there are no obvious holes which something like an applet virus might exploit. From time to time, inaccuracies in a particular implementation of the sandbox (for example, a particular version of a web browser) may be discovered. Typically, though, such holes are insufficient for a general-purpose attack (like a virus), and are fixed by the browser vendor pretty rapidly.

Q. So will the "sandbox" catch "Strange Brew"?

A. In theory, yes. The sandbox definition doesn't allow Strange Brew to work. In practice, all popular implementations of the sandbox (e.g. web browsers) prevent it, too. So the virus won't spread via web pages which contain Java applets.

Q. Does that mean I can't get infected?

A. No, it doesn't. If you receive (or download, or whatever) and run an infected .class file, you will become infected, in just the same way that you would become infected by using an infected EXE file, an infected diskette, or an infected DOC.

On the other hand, receiving and running an infected .class applet (for example, by browsing the web) will not infect your computer.

Paul Ducklin duck@sophos.com, Sophos Plc