Writing malware in Java?

Java code can invoke native code (e.g. code written in C or whatever, and compiled to a sequence of CPU opcodes) through a standard interface. Java can actually write a DLL file somewhere (as a bunch of bytes) and load that, so everything native code can do, Java can do as well.

Java also features a rich standard library which allows it to read and write files in arbitrary ways.

The hard parts for Java-based malware are:

  1. A Java VM is needed. Java is not installed by default in many modern operating systems.
  2. The Java VM tends to sandbox Java applets. To run native code or access arbitrary files, a Java applet must ask for permission, which entails digital signatures and certificates which may be tracked back to the perpetrator. Or a specific sandbox escape bug must be exploited; such bugs are discovered regularly, but they are also patched with commendable alacrity.
  3. The existing Java VM implementations are fat. They are optimized for big applications which will use lots of RAM anyway, so any Java code has a large minimal memory footprint. Malware usually prefers inconspicuousness.
  4. Java VM implementations come with extensive debugging tools which allow plugging into a running VM and inspecting what happens in it. This may help in cleansing a Java-based malware infestation.

These are reasons why Java will not look like the best language ever to malware writers. Also, even if Java is nominally portable, cross-platform malware is an elusive goal, because malware tends to do things at a quite low level -- that is, a level which is very OS-specific. Modifying the /etc/passwd file is a very naughty thing to do on a Unix-like system; but it would have no impact at all on Windows, which does not have an /etc/passwd file. Thus, there is little incentive for malware authors to use Java.

(All of this would apply almost unchanged to a question about writing malware in C#/.NET + SilverLight.)


Malware comes in so many shapes and sizes that this question is difficult to answer. Writing malware in Java is as easy as:

(new File("/path/to/important/file")).delete();

Could I write a Java application that steals your data? Easily. Could I write a Linux rootkit in Java? Almost certainly not, but that doesn't stop me doing all the things that I can do with whatever permissions the JVM is running with.

So in that sense, yes you can write malware in Java, but you would be somewhat more limited than if you were writing in a systems language like C; a keylogger is much harder to write in Java than in C, and hiding it well is probably impossible.


Maybe you're misunderstanding what was meant when you heard that Java was more secure. Did they mean that your application is more secure, or that malware cannot be written in this language?

In the past a number of vulnerabilities in the Java API have been discovered (and since patched) that allowed a Java program to execute malicious code without the user's consent. This often happens via applets, since many browsers enable Java.

See the CVE database, where you might find some previous Java vulnerabilities.

However, perhaps those people meant that your applications can be written to be more secure from hackers. In this sense it is partially true. For example, Java applications (usually) cannot be exploited via buffer overflow attacks, since the stack is managed by the JVM. I think this is what was meant when you were told Java is more secure.

Here is some more information about why programming in Java might be secure.
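The "no buffer overflows" point above is worth seeing in code. The following is an added example, not code from any of the answers: it places a fixed-size buffer next to a security-relevant flag (the classic layout that an unchecked C copy would overwrite) and shows that the JVM refuses the out-of-bounds store with an exception instead of corrupting the neighbouring field. The class and field names are constructed for illustration; the check applies only to Java arrays, so memory touched through native code loaded via JNI (the first answer's point) is outside it.

```java
import java.util.Arrays;

// Added example (not from the original answers): Java's bounds-checked arrays
// turn what would be a memory overflow in C into a caught exception.
public final class BoundsCheckDemo {

    // Fixed-size buffer next to a flag, mirroring the C layout where an
    // overflow of `buf` would overwrite `isAdmin`. Names are constructed.
    static final class Session {
        final byte[] buf = new byte[8];
        boolean isAdmin = false;
    }

    /** Naive copy with no length check, written the way an unsafe C memcpy would be. */
    static void unsafeCopy(Session s, byte[] input) {
        for (int i = 0; i < input.length; i++) {
            s.buf[i] = input[i]; // the JVM checks i < buf.length on every store
        }
    }

    /**
     * Returns true if the flag survived a write of the given length, i.e. the
     * JVM rejected the out-of-bounds store instead of corrupting adjacent memory.
     */
    static boolean flagSurvives(int inputLength) {
        Session s = new Session();
        byte[] oversizedInput = new byte[inputLength]; // constructed input
        Arrays.fill(oversizedInput, (byte) 0x41);
        try {
            unsafeCopy(s, oversizedInput);
        } catch (ArrayIndexOutOfBoundsException e) {
            // For inputLength > 8 the store is refused here; the program sees a
            // clean exception it can log or use to reject the input.
        }
        return !s.isAdmin;
    }

    public static void main(String[] args) {
        System.out.println("8-byte input, flag intact: " + flagSurvives(8));
        System.out.println("64-byte input, flag intact: " + flagSurvives(64));
    }
}
```

Compile and run with `javac BoundsCheckDemo.java && java BoundsCheckDemo`; the flag stays false in both cases because the oversized copy never reaches memory beyond the array.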

Tags: Java, Malware