The Java virus. Yes. It’s true. It’s out. I’m not the first to have written a Java virus, but I’ve definitely written one of my own.
When it came about, Java was a leap forward from previous technologies. Not to say the ideas in Java were new–Xerox PARC had pioneered a lot of the ideas and personally I loved Smalltalk’s syntax and conciseness better. Java was just the right mix of robustness and utility that a technology needs to catch on.
The design of the Java Virtual Machine and the dedicated class file format were meant to make it drastically more difficult to write computer viruses for the platform. Unlike conventional file formats, the class file is structured such that any attempt to move things around can easily destroy its integrity. Skipping parts of the class file is very difficult because there are no file offsets like those in conventional executables. The constant pool structure is a heterogeneous collection of objects of different sizes. Moreover, the virtual machine is very robust and can enforce well-defined security policies, and direct memory access is not available to Java programs. Entry points are well defined, and signatures of functional blocks may not be changed.
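To make the "no file offsets" point concrete, here is an added example (not code from this post or from the virus) that walks a class file's constant pool the only way it can be walked: sequentially, entry by entry, with each entry's size depending on its tag. The sample bytes are constructed for illustration, and `walk_constant_pool` and `is_intact` are hypothetical names; entry sizes follow section 4.4 of the JVM specification.

```python
import struct

# Bytes that follow the 1-byte tag for each fixed-size constant pool entry
# (JVM specification, section 4.4). Tag 1 (Utf8) carries its own length.
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
         12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def walk_constant_pool(data):
    """Return ([(index, tag, offset), ...], offset just past the pool).

    Raises ValueError when the pool is structurally damaged."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pos, index, entries = 10, 1, []       # entries are numbered from 1
    while index < count:
        if pos + 3 > len(data):
            raise ValueError(f"pool truncated at entry {index}")
        tag = data[pos]
        if tag == 1:                      # Utf8: u2 length, then the bytes
            size = 3 + struct.unpack_from(">H", data, pos + 1)[0]
        elif tag in FIXED:
            size = 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown tag {tag} at offset {pos}")
        if pos + size > len(data):
            raise ValueError(f"entry {index} runs past end of file")
        entries.append((index, tag, pos))
        pos += size
        index += 2 if tag in (5, 6) else 1   # Long/Double occupy two slots
    return entries, pos

# Constructed sample: header (major version 49) plus a 3-entry pool.
SAMPLE = (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, 5)
          + b"\x01" + struct.pack(">H", 2) + b"Hi"      # #1 Utf8 "Hi"
          + b"\x05" + struct.pack(">q", 42)             # #2 Long (also takes #3)
          + b"\x07" + struct.pack(">H", 1)              # #4 Class -> #1
          + b"\x00\x21")                                # access_flags

def is_intact(data):
    """True if the constant pool can be walked end to end."""
    try:
        walk_constant_pool(data)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    print(walk_constant_pool(SAMPLE))
    # One byte inserted into the Utf8 text without fixing its length field:
    print(is_intact(SAMPLE[:13] + b"X" + SAMPLE[13:]))
```

The check covers only the constant pool; the fields, methods and attributes that follow it use the same length-prefixed layout and need the same sequential treatment.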
All of these combine to make Java programs a very unattractive destination for parasitic programs. But the promise of “run anywhere” and the wide embrace by the community may convince a few to go about writing a virus. This is what convinced me, in August of 2002, to give it a try. My goal–to write a Java class file parasitic infector capable of spreading on its own. I stopped somewhere in the middle though, and for a few years I forgot about it.
I gave it another try in 2005, but by then I had become busy, no more a student with no job worries. It took another two years for things to start moving. To effectively complete the virus, it required an important preprocessing step, and I had not written the tool for this task too well. Using Java 5, I quickly reimplemented a lite version of the tool, but things stopped here. I completed the tool but stopped development of the virus.
In 2007, I decided to take what I had already written and put the dot at the end of the sentence. It proved hard, but it was worth it. The utility was largely functional but only an outline of the virus was written. Some code that calculates the length of instructions was there to use, but that’s about the most important contribution that the year 2005 had brought to the code, apart from the class file utility.
The virus became fully functional around April 2007, and I added enhancements that included a method name obfuscator at a later time. May of 2007 is a good date to consider the virus wrapped up. Unlike its predecessors, the virus has a strong requirement to have a minimum of bugs.
Let’s see details about this virus in the second part of this series.