Yandex company blog

How Yandex protects against malware that spreads via Java applets

The internet is a megapolis. And just like any big city, it has some wonderful places – and others where it’s dangerous to go. Places where no internet user wants to ever find themselves in include:

  • Web sites that have been hacked and deliberately infected with malware. Simply visiting such a site can open the door for malicious codes to sneak into your computer.
  • False and scam sites that con unsuspecting visitors into revealing phone numbers or login details, prompt them to send costly text messages, etc.
  • Mobile redirections convincing users to install a false update or fake version of a popular program on their phone – and then send expensive text messages from the phone without the user’s knowledge.

Of the various kinds of internet dangers, infected sites are the most dangerous. Even the most popular sites are not safe from being hacked and infected, with the malware spreading to the user’s computer as soon as they open the web page. And even antivirus programs installed on the user’s computer aren’t always capable of fighting off the malware if it’s young enough to not yet be ‘known’ to the antivirus software.

To identify sites that have been compromised in various ways, Yandex checks more than 23 million web pages every day – and finds more than 4,000 that have been newly infected.

Currently, in more than two-thirds of cases, websites infect computers when users unwittingly download malicious Java applets – small applications included in web pages to perform some task within a larger program.

You’re not safe even if you update your browser regularly, or if your computer is running on an operating system other than Microsoft Windows.

The likelihood of a user’s computer being infected after visiting an infected site varies depending on which browser is used.


If you haven’t installed a Java virtual machine (which would protect against malicious code by running Java applets in the restricted ‘space’ of a simulated computer, instead of letting them loose in your actual computer), an infected site offers the opportunity to install its own version of this program complete with security flaws – then repeatedly attacks your computer.

To uncover sites that use this infection method, Yandex has introduced a technology for detecting malicious code for Java apps, which uses a ‘behavioural’ approach to malware detection. It is able to find encrypted malicious code, which exploits the currently most common vulnerabilities in Java Runtime Environment (JRE). This technology also alerts site owners and helps them remove malicious code.

Using its malware detection technology tuned to find suspicious behaviour of Java applets on websites, Yandex managed to boost the number of positive malware verdicts by 800% within less than two weeks after this technology was implemented in early February.

Within less than two weeks in early February, Yandex detected more than 4,000 sites that were using malicious Java applets. The combined pre-infection traffic on these websites was 1.5 million visitors a day (after infection, sites tend to lose 90 percent of their visitors due to warnings given by search engines, browsers and antivirus programs). 

The internet is international, so Yandex is on the lookout for infected sites all over the world. Just 10 percent of sites that we know to be infected are in the .ru, .tr, .su, .by, .ua and .kz zones.

Each day, Yandex shows 6 million to 10 million warnings about infected sites in search results and another 3 million to 4 million warnings in Yandex.Browser, as well as in Opera and Firefox browsers where Yandex.Elements is installed. It also helps “heal” sites in Yandex.Webmaster

To avoid infection, we recommend:

  • use current versions of software, and be sure to update Java and browser plugins;
  • disable the automatic launch of Java applets and let them run only on trusted sites;
  • use antivirus programs and keep up with regular updates of antivirus bases.