FireEye flaw enabled attackers to whitelist malware files
Security bug allowed an attacker to invite himself to the party
Security researchers have uncovered a flaw that allows malware to dodge FireEye's analysis engine and end up whitelisted.
According to researchers at Blue Frost Security, the vulnerability allowed an attacker to “completely bypass FireEye's virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal whitelist of binaries for which the analysis will be skipped until the white list entry is wiped after a day”.
In a blog post, researchers said these binaries are examined by a Virtual Execution Engine (VXE). The malware is put in a virtual machine. But a bug in the Windows batch script used to copy and rename a binary before analysis allowed a hacker to stop the copy process, leaving the engine looking at a virtual machine with no malware in it.
As no malicious behaviour is recorded, its MD5 hash is added to a whitelist and no further analysis is carried out. This MD5 hash remains in the whitelist for 24 hours, allowing attackers a window to launch malware attacks that go undetected.
“This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack,” said Blue Frost researcher Moritz Jodeit.
“The initial binary with the environment variable embedded in its filename could, eg, be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address. Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”
Blue Frost advised FireEye customers to update their systems as soon as possible.
A spokeswoman for FireEye told SCMagazineUK.com that the bug had been reported to it in September last year by Blue Frost Security. She added that FireEye took “its products and its customers very seriously” and updated its products in the following month.
“We have not seen any active exploits of the evasion technique against customers, but highly urge customers to update to the latest FEOS as soon as possible to ensure they are secure. We greatly appreciate the innovative research that the security community brings us in order to protect our customers against advanced threats,” she said.
Chris Boyd, malware intelligence analyst at Malwarebytes, told SC that security companies spend a lot of money ensuring their products are as secure as possible, but there is always the possibility of finding a way to bypass protection.
“In these instances, a layered approach to security is best because the chances of someone managing to bypass all levels of your protection is rather slim,” he said.
Werner Thalmeier, security evangelist at Radware, told SC that bypassing virtualisation isn't new, and it's a known risk to all using such technology.
“It's definitely not easier for hackers to subvert security products – by definition security products are always made to be more secure and are more tested than any other product. I see this as a lucky punch from the attacker,” he said.
It shows that organisations should have multiple lines of defence in place to catch such malware – for example, tools on the desktop in case the gateway protection becomes comprised.