From: www.itworld.com

Where is the Malware?

by Todd Sundsted

June 14, 2002

Only months after Java first appeared on the scene, one headline-hungry
pundit described Java as a "virus construction kit". History proves that
this pundit's prediction was dead wrong. To date, I am aware of two
viruses for the Java platform: Strange Brew and Hive. Neither was viable
in the wild.

Others have written at length about why Java is a poor or difficult
target for malware authors:

* Java applications run in a virtual machine rather than on the
  physical machine itself (a statement that hasn't been true in
  quite some time).
* Java bytecode verification prevents untrusted code from subverting
  the runtime environment.
* The Java security model prevents untrusted code from performing
  dangerous actions.

Every one of these statements is true, and they all contribute to Java's
security in one way or another. However, they don't paint a complete
picture of the situation.

Sun originally targeted Java at set-top boxes. Later, it grafted Java
onto the browser. In both cases, Java's security infrastructure was
designed to address the security issues arising from the applet model of
code delivery. Unfortunately, applets and similar kinds of downloaded
code account for only a very small percentage of Java code in the field.

In addition, much of the malware causing problems today isn't viral in
nature. Instead, we suffer from Trojans like Back Orifice and Sub-Seven;
application-level (not platform-level) flaws that permit access to the
machine on which the compromised application runs (IIS is an excellent
example of many such flaws); and even applications that are insecure by
design (I'm thinking here of the recent spate of spyware-infected
tools). If these examples include a viral component, it is only one part
of the overall plan.

In my opinion, Java is as good a platform and language for malware as
any other. True, Java's design prevents some common modes of attack,
such as buffer overflow exploits, but it preserves many others. I think
Java's immunity from malware can best be attributed to what I call the
Linux effect. Linux-based systems have advantages over Microsoft Windows
systems in terms of malware resistance; however, their biggest advantage
is the relative popularity of Microsoft Windows over Linux on the
desktop. Computer viruses thrive when they have many potential hosts to
exploit, just as do their organic counterparts. Malware authors are
certainly aware of this fact.