Fighting malware and spam

Reverse engineering and Java viral analysis

Daniel Reynaud-Plantey Army Signals Academy, Virology and Cryptology Laboratory, Rennes, France & Ecoles de Coëtquidan, Ecole Spéciale Militaire, Guer, France

Reverse engineering of Java class files is quite different from traditional reverse engineering and some of its particularities are very likely to be used by Java virus developers in order to make hostile code harder to analyse.

After a brief introduction to the bytecode format, the paper will show to what extent the Java reverse engineering differs from native code analysis. The second part deals with the way the bytecode can be protected from decompilers with a hands-on approach. The examples of code mangling and the generation of errors in decompilers could be used by virus developers to armour their malicious code, this is why these protections need to be studied as well as the possible ways to defeat them. The last part covers the ways to analyse the behaviour of Java viruses indirectly, by examining the code attached to their targets.

Reverse engineering is often used by crackers in order to bypass software security. But here it is considered as a powerful tool, which must be mastered in order to prevent Java viruses from spreading in a possibly near future.