[ prologue ]
Welcome to Strange Brew, an illustration of the security risks associated with the java class file specification. 

Once again Australian Virus Writers breakthrough with another major advance in the world of Virus Exchange. Just as Bizatch started the Win32 expansion of the industry, Strange Brew is hopefully destined to start the ball rolling on Java Platform infection process. 

Landing Camel International started research on this project in June 1998 and due to time constraints from University examinations and associated successive celebrations, as well as the Australian Ski Season, it was only completed in early August 1998. Whilst I have the opportunity I would like to say a big hello to all Australian virus writers both past and present and a big thankyou to my family for invaluable support through the years, further greetings are extended in the references. 

As an introduction to the material to be presented in this document, I would like to give some background on java with some extracts from the java virtual machine specification. 

'Java is a general-purpose concurrent object-oriented programming language. Its syntax is similar to C and C++, but it omits many of the features that make C and C++ complex, confusing, and unsafe. Java was initially developed to address the problems of building software for networked consumer devices. It was designed to support multiple host architectures and to allow secure delivery of software components. To meet these requirements, compiled Java code had to survive transport across networks, operate on any client, and assure the client that it was safe to run.' 

'The Java Virtual Machine is the cornerstone of Sun's Java programming language. It is the component of the Java technology responsible for Java's cross-platform delivery, the small size of its compiled code, and Java's ability to protect users from malicious programs.' 

As the extract above indicates, java is a simplified version of C/C++. Superficially, the main two differences are that there are no pointers, and routines/functions are called methods. The difference with most relevance to this document is the way in which sources are compiled into java binary class files. These are platform independent files that are made up of java byte-code instructions, requiring a special machine, known as the java virtual machine, to interpret these files for execution to take place. 

From the extracts above it should be apparent that the fellows at Sun are quite pleased with their creation. It has been this author's motivation to prove incorrect the statement that the java virtual machine is able 'to protect users from malicious programs', proving that the 'cornerstone' of java and thus also the language itself are both fatally flawed. Another motivation also being to open the world of java platform infection to the virus community. 

This document seeks to expand the minds of any programmer interested in the java virtual machine or virus writing in higher level languages. Unlike other platforms where assembly language is the basis for any program and thus the language of choice for virus writing, Sun has not specified a java assembly language format and thus programming for the virtual machine in any language other than java is rather difficult. For those who are interested there have been two implementations of a java assembly language, links to which have been supplied in the references section. I have avoided the use of java assembly language programming in this text in an aim to keep the bulk of the information as simple as possible. 

Java has been around for some years now without any real challenge to security aspects of its design. A small group of people has attempted to bring to Sun's attention the flaws in their specification yet there has been no action on these queries. A person who has taken great interest in the subject is Mark La Due whose Hostile Applets Site was invaluable to this author in getting started on the issue of java platform infection. (This site also contains information on cracking java programs as well as other topics - I definitely recommend visiting.)

One of the benefits of the java binary class file is in its ability to be truly platform independent, thus java viruses can infect all of the following operating systems: linux, unix, windows NT, windows 9x, windows 3x, etc. However, the great disadvantage of the java platform is that infection is restricted to applications only or applets that are also applications. Java platform infection is unable to occur in class files that are being executed in a browser's or any other security restricted virtual machine. This is caused by the inability to access file handling methods,etc. from within these limited machines. It is still possible to infect applets however Security exceptions will undoubtedly be thrown by the virtual machine during execution.

To comprehend this document fully it is recommended that the reader be competent in atleast one higher level language such as Pascal,C,Python,Eiffel etc. The necessary tools required to maximise the utility of this text are as follows: 

  • Sun's Java Development Kit
  • Sun's Java Development Kit Documentation
  • Sun's Java Virtual Machine Specification
  • Sun's Java Language Specification
  • A binary file editor (hex editor)
With these tools at your command it is time to venture forth into the fascinating realm of the java virtual machine.