Where is the Malware?

Only months after Java first appeared on the scene, one headline-hungry pundit described Java as a "virus construction kit". History proves that this pundit's prediction was dead wrong. To date, I am aware of two viruses for the Java platform: Strange Brew and Hive. Neither was viable in the wild.

Others have written at length about why Java is a poor or difficult target for malware authors:

* Java applications run in a virtual machine rather than on the physical machine itself (a statement that hasn't been true in quite some time).

* Java bytecode verification prevents untrusted code from subverting the runtime environment.

* The Java security model prevents untrusted code from performing dangerous actions.

Every one of these statements is true, and they all contribute to Java's security in one way or another. However, they don't paint a complete picture of the situation.

Sun originally targeted Java at set-top boxes. Later, it grafted Java onto the browser. In both cases, Java's security infrastructure was designed to address the security issues arising from the applet model of code delivery. Unfortunately, applets and similar kinds of downloaded code account for only a very small percentage of Java code in the field.

In addition, much of the malware causing problems today isn't viral in nature. Instead, we suffer from Trojans like Back Orifice and Sub-Seven; application-level (not platform-level) flaws that permit access to the machine on which the compromised application runs (IIS is an excellent example of many such flaws); and even applications that are insecure by design (I'm thinking here of the recent spate of spyware-infected tools). If these examples include a viral component, it is only one part of the overall plan.

In my opinion, Java is as good a platform and language for malware as any other. True, Java's design prevents some common modes of attack, such as buffer overflow exploits, but it preserves many others. I think Java's immunity from malware can best be attributed to what I call the Linux effect. Linux-based systems have advantages over Microsoft Windows systems in terms of malware resistance, but their biggest advantage is the relative popularity of Microsoft Windows over Linux on the desktop. Computer viruses thrive when they have many potential hosts to exploit, just as their organic counterparts do. Malware authors are certainly aware of this fact.