New Java vulnerability identified in archive processing: circumvents antivirus

Some antivirus vendors recommend against scanning inside archives to avoid a performance impact. This is because scanning the archive can mean the computer appears unresponsive or slow, but following this advice creates an opportunity for malware authors.

In the 4th quarter of 2012, Java exploits made their way to the top of the detection list in Microsoft’s Security Intelligence Report, suggesting that the malware authors may already be taking advantage of this.

When executing Java classes from within a Java archive, the class is extracted from the archive and decompressed into memory. By extracting the code and decompressing it in memory, there is no opportunity for “On Access” scanning to detect the malware using signatures in the same way as there is with many other executable file formats.

Other executable file formats are typically not decompressed into memory and executed, but rather, they are decompressed into a temporary file. This temporary file creates an opportunity for “On Access” scanning to detect the malicious code inside the archive while the file is being written to, or read from, the disk.
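To make the difference concrete, here is an added example (not code from the original article) of what an archive-aware scanner has to do to see a class that the JVM would otherwise load straight from the JAR into memory: walk the archive, decompress each entry in memory, hash it against a signature list, and recurse into nested archives. The JAR, the class bodies and the single "signature" are all constructed for this example and stand in for a real antivirus database.

```python
import hashlib
import io
import zipfile

# Every Java class file begins with this 4-byte magic value.
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

# Constructed sample "known bad" class body and its SHA-256, playing the role
# of an antivirus signature. This is not a real malware signature.
KNOWN_BAD_CLASS = CLASS_MAGIC + b"CONSTRUCTED-BAD-CLASS-BODY"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_CLASS).hexdigest(): "Constructed.Test.Signature"}


def build_sample_jar():
    """Build a small JAR (a ZIP with a manifest) entirely in memory.

    It contains a benign class, a class matching the constructed signature,
    and a nested JAR that also carries the matching class, which is the case
    a scanner that does not recurse into archives would miss.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Hello\n")
        jar.writestr("Hello.class", CLASS_MAGIC + b"CONSTRUCTED-BENIGN-CLASS-BODY")
        jar.writestr("com/example/Payload.class", KNOWN_BAD_CLASS)
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("Inner.class", KNOWN_BAD_CLASS)
        jar.writestr("lib/inner.jar", inner.getvalue())
    return buf.getvalue()


def scan_archive(data, depth=0, max_depth=3, prefix=""):
    """Return a list of (entry_path, verdict) for every file inside the archive.

    Entries are decompressed in memory, never written to disk, which is the
    same place the JVM reads them from. Nested archives are scanned
    recursively up to max_depth so that a JAR-inside-a-JAR is not skipped.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            content = zf.read(info)
            digest = hashlib.sha256(content).hexdigest()
            if digest in SIGNATURES:
                findings.append((path, "match:" + SIGNATURES[digest]))
            elif zipfile.is_zipfile(io.BytesIO(content)):
                if depth < max_depth:
                    findings.extend(scan_archive(content, depth + 1, max_depth, path + "!/"))
                else:
                    findings.append((path, "nested-archive-depth-limit"))
            elif content.startswith(CLASS_MAGIC):
                findings.append((path, "class:clean"))
            else:
                findings.append((path, "other"))
    return findings


if __name__ == "__main__":
    for entry, verdict in scan_archive(build_sample_jar()):
        print(f"{verdict:40} {entry}")
```

The depth limit matters in practice: a scanner that recurses without bound can be stalled by deeply nested or oversized archives, which is exactly the performance cost the vendors cited above are trying to avoid. A gateway or on-access scanner that inspects JARs this way therefore needs both the recursion and a hard limit on it.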

To exploit this vulnerability, malware authors can embed malicious code inside a Java archive where it will have an increased chance of evading detection by antivirus software.

The challenge for security professionals is that there’s often limited ability to “tune” their antivirus software to counter it. In many cases “On Access” scanning shares the same settings as “Scheduled” scanning.

Customers may well tolerate a performance impact for a scheduled scan at 3am, but they are far less likely to approve of even a 60 second wait for their Java application to start. At the moment, there seems to be very limited awareness of this potentially unwanted side effect.

Oracle and antivirus vendors will need to improve their solutions and options to counter this. While we wait, enterprises, individuals and security professionals are increasingly reliant on other technologies like host intrusion prevention or web and email gateway solutions, for protection.

Brad Ellis is the Managing Director at Ellis Network Associates.

Tags: malware, antivirus, Java vulnerability
