The first Java virus has just appeared: "Strange Brew". Here are
some questions and answers about the virus.
Q. I thought Java viruses were impossible?
A. Java is a programming language. One of its goals is to help
programmers write programs with fewer errors by avoiding the sort
of "total low-level control" that a language like C gives to the
programmer. One side-effect of this is that it is rather more
complicated to write a virus in Java than it is to write one in C or
in assembly language. It is not, however, impossible to write Java
viruses, as "Strange Brew" demonstrates.
Q. So how does "Strange Brew" work?
A. When an infected program (a Java .class file) is run, it
looks for other, uninfected .class files in the user's current
directory. The virus then copies itself into these files, modifying
them so that when they are run in future, the virus receives
control first. There is no explicit warhead built into the virus,
but (probably because of the complexity of manipulating .class
files, whose constant-pool indices, method tables and bytecode
offsets must all stay consistent for the file to load) it contains
bugs which cause it to damage some of the files it infects so that
they no longer run properly.
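To give a concrete feel for the structures the virus has to rewrite, here is an added example written for this page (it is not part of the original article and is not the virus itself): a small triage parser for .class files in Python. It walks the constant pool, the method table and each method's Code attribute the way the JVM does, rejects a file whose structure is truncated or inconsistent (the fate of the files "Strange Brew" damages), and reports which method an entry point such as main or <clinit> calls before doing anything else, which is where an analyst would look for a redirection of control. The sample class files, the class name Hello and the Dropper.run target are constructed for the example, and the first-call check is a triage heuristic, not a signature for the virus.

```python
"""Added example: a triage parser for Java .class files that validates the structure the JVM
requires and reports where each entry point (main or <clinit>) sends control first."""
import struct

MAGIC = 0xCAFEBABE
CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,   # constant-pool tag ->
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}            # fixed payload size

class Reader:  # big-endian cursor that refuses to read past the end of the data
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def u2(self): return struct.unpack(">H", self.take(2))[0]
    def u4(self): return struct.unpack(">I", self.take(4))[0]

def parse_constant_pool(r):
    pool, count = [None], r.u2()  # entries are 1-indexed, so slot 0 is unused
    while len(pool) < count:
        tag = r.take(1)[0]
        if tag == 1:  # Utf8 is length-prefixed ("modified UTF-8"; a plain decode is fine for names)
            pool.append((1, r.take(r.u2()).decode("utf-8", "replace")))
        elif tag in CP_FIXED:
            pool.append((tag, r.take(CP_FIXED[tag])))
            if tag in (5, 6): pool.append(None)  # Long and Double occupy two slots
        else:
            raise ValueError(f"unknown constant pool tag {tag} at entry {len(pool)}")
    return pool

def cp(pool, i, kinds):  # payload of constant #i, checked to carry one of the expected tags
    if not 0 < i < len(pool) or pool[i] is None or pool[i][0] not in kinds:
        raise ValueError(f"constant #{i} is missing or of the wrong kind")
    return pool[i][1]
def cp_utf8(pool, i): return cp(pool, i, (1,))
def cp_class(pool, i): return cp_utf8(pool, struct.unpack(">H", cp(pool, i, (7,)))[0])
def cp_methodref(pool, i):
    cls_idx, nat_idx = struct.unpack(">HH", cp(pool, i, (10, 11)))
    name_idx, desc_idx = struct.unpack(">HH", cp(pool, nat_idx, (12,)))
    return cp_class(pool, cls_idx), cp_utf8(pool, name_idx), cp_utf8(pool, desc_idx)

def parse_members(r, pool):  # fields and methods share one layout: flags, name, descriptor, attributes
    members = []
    for _ in range(r.u2()):
        flags, name, desc, attrs = r.u2(), cp_utf8(pool, r.u2()), cp_utf8(pool, r.u2()), {}
        for _ in range(r.u2()):
            attr_name = cp_utf8(pool, r.u2())
            attrs[attr_name] = r.take(r.u4())
        members.append((flags, name, desc, attrs))
    return members

def parse_class(data):
    r = Reader(data)
    if r.u4() != MAGIC:
        raise ValueError("not a class file (bad magic)")
    minor, major = r.u2(), r.u2()
    pool = parse_constant_pool(r)
    _flags, name, sup = r.u2(), cp_class(pool, r.u2()), cp_class(pool, r.u2())
    r.take(2 * r.u2())  # interfaces
    _fields, methods = parse_members(r, pool), parse_members(r, pool)
    for _ in range(r.u2()): r.u2(); r.take(r.u4())  # class-level attributes
    if r.pos != len(data):
        raise ValueError(f"{len(data) - r.pos} trailing bytes after the class structure")
    return {"version": (major, minor), "name": name, "super": sup, "methods": methods, "pool": pool}

def first_call(pool, code_attr):
    """Target of the first opcode in a Code attribute if it is invokevirtual/special/static."""
    r = Reader(code_attr)
    r.u2(); r.u2()  # max_stack, max_locals
    code = r.take(r.u4())
    if len(code) >= 3 and code[0] in (0xB6, 0xB7, 0xB8):
        return cp_methodref(pool, struct.unpack(">H", code[1:3])[0])
    return None

def triage(data):
    """Entry points whose first instruction hands control to another class (a heuristic, not a signature)."""
    info, hits = parse_class(data), []
    for _flags, name, desc, attrs in info["methods"]:
        target = first_call(info["pool"], attrs["Code"]) if name in ("main", "<clinit>") and "Code" in attrs else None
        if target and target[0] != info["name"]:
            hits.append(f"{name}{desc} calls {target[0]}.{target[1]}{target[2]} before anything else")
    return hits

def build_sample(hijacked):
    """Constructed sample: class Hello with main(); when hijacked, main first calls Dropper.run(),
    a hypothetical class and method chosen for this example."""
    def utf8(s): return b"\x01" + struct.pack(">H", len(s.encode())) + s.encode()
    consts = [utf8("Hello"), b"\x07\x00\x01", utf8("java/lang/Object"), b"\x07\x00\x03",  # #1-#4
              utf8("main"), utf8("([Ljava/lang/String;)V"), utf8("Code"),                 # #5-#7
              utf8("Dropper"), b"\x07\x00\x08", utf8("run"), utf8("()V"),                  # #8-#11
              b"\x0c\x00\x0a\x00\x0b", b"\x0a\x00\x09\x00\x0c"]  # #12 NameAndType(10,11), #13 Methodref(9,12)
    code = (b"\xb8\x00\x0d" if hijacked else b"") + b"\xb1"  # [invokestatic #13] return
    code_attr = struct.pack(">HHI", 1, 1, len(code)) + code + struct.pack(">HH", 0, 0)
    method = struct.pack(">HHHH", 0x0009, 5, 6, 1) + struct.pack(">HI", 7, len(code_attr)) + code_attr
    return (struct.pack(">IHHH", MAGIC, 0, 45, len(consts) + 1) + b"".join(consts)
            + struct.pack(">HHHHH", 0x0021, 2, 4, 0, 0)  # flags, this, super, no interfaces, no fields
            + struct.pack(">H", 1) + method + struct.pack(">H", 0))  # one method, no class attributes
```

parse_class raises ValueError for anything the JVM would refuse to load (bad magic, an unknown constant tag, an index pointing at the wrong kind of constant, a truncated attribute, trailing bytes). triage(build_sample(False)) returns an empty list; triage(build_sample(True)) returns one finding naming Dropper.run()V, and chopping a few bytes off the end of either sample makes parse_class reject it, which is what happens to a file that an infector rewrites incorrectly.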
Q. But I thought Java was secure?
A. Programs written in Java have one of two forms: applications
or applets. Java applications are like applications written in C,
or Pascal, or BASIC, and can do the things that you would expect
applications to do. After all, an application such as a word
processor which could not save files to disk or write to the
printer would be of little use. In other words, a Java application
can perform operations that could compromise security.
Java applets are different, in that they are run by another
application (such as a web browser) which is responsible for
executing them in a secure environment, often called a "sandbox".
When running in this sandbox, any Java operations which might
compromise security are disallowed -- in theory, at any rate.
Broadly speaking, then, applets are secure and applications may
not be. When you visit a Java-enabled website, you are downloading
and running applets, so you can't catch "Strange Brew" in this way.
Q. But aren't there holes in the sandbox which make applets
insecure?
A. The Java "sandbox" has been rather carefully thought out, so
there are no obvious holes which something like an applet virus
might exploit. From time to time, inaccuracies in a particular
implementation of the sandbox (for example, a particular version of
a web browser) may be discovered. Typically, though, such holes are
insufficient for a general-purpose attack (like a virus), and are
fixed by the browser vendor pretty rapidly.
Q. So will the "sandbox" catch "Strange Brew"?
A. In theory, yes. The sandbox definition does not let an untrusted
applet read or write files on the local disk, and Strange Brew cannot
spread without rewriting other .class files. In practice, all popular
implementations of the sandbox (e.g. web browsers) prevent it, too. So
the virus won't spread via web pages which contain Java applets.
Q. Does that mean I can't get infected?
A. No, it doesn't. If you receive (or download, or whatever) and
run an infected .class file as a Java application, outside the
sandbox, you will become infected, in just the same way that you
would become infected by using an infected EXE file, an infected
diskette, or an infected DOC.
On the other hand, receiving and running an infected .class
applet (for example, by browsing the web) will not
infect your computer.
Paul Ducklin duck@sophos.com, Sophos Plc