Re: StrangeBrew - Java virus

Mikko Hypponen (Mikko.Hypponen@DataFellows.com)
Wed, 12 Aug 1998 19:33:27 +0200

Message-Id: <3.0.5.32.19980812193327.03ffc830@intra.datafellows.com>
Date: Wed, 12 Aug 1998 19:33:27 +0200
To: Li Gong <gong@games.eng.sun.com>
From: Mikko Hypponen <Mikko.Hypponen@DataFellows.com>
Subject: Re: StrangeBrew - Java virus
In-Reply-To: <199808121654.JAA29042@games.eng.sun.com>

Li Gong:
>I will be interested to have a look, though I do not have a PGP key.

Ok. I'm sure somebody in the Java security team has one or is able to
create one. You do understand that I can not transmit virus samples over
unsecure channels.

>It seems trivial that a Java application (running as trusted local
>code) can trivially create any file on the file system, so if the
>application carries the content of a .class file (of an applet) as
>data with it, then this application can put .class file on the disk.

Sure. There doesn't seem to be anything revolutionary in this sample, we
just have never seen such a thing. Have you?

And do note that it does not create new .class files, it searches for
existing .class files and modifies them to include a copy of itself. When
the "infected" .class file is executed, the virus gets control and then
passes control to the original code in the file. The viral code is inserted
in the middle of the file and the header area is patched to make this work.

>But this is something done by a piece of trusted code, so this is
>nothing surprising.

Agreed.

>Did I misunderstand how your sample works?

Please! Do not discuss it as "my sample" :) Sounds horrible...

This file, Virus.class, was uploaded to our anonymous ftp server probably
by a virus writer or a vx groupie (as lots of traditional viruses are
uploaded like this to us every week).

No doubt, the virus writer will want to have lots of publicity for his
creation and probably will get it. I can already see the "JAVA VIRUS
FOUND!" headlines in, say, Wired magazine.

So I think you should have a look at this, even though it's not a big thing
technically. This way you can have an intelligent answer if the media
starts calling.

-- 
Mikko Hermanni Hyppönen - Mikko.Hypponen@DataFellows.com
Data Fellows Group, PL 24, FIN-02231 Espoo, Finland
Telephone +358 9 859 900, fax +358 9 8599 0599
http://www.DataFellows.com/staff/hermanni/