
FireEye Highlights Importance of Multi-flow Analysis in Detecting Advanced Malware With Latest Report
Posted: Tue Apr 08, 2014 02:27:27 PM

Four New Techniques Uncovered for Malware to Evade Traditional, File-Based Sandboxing Technologies.

Milpitas, CA -- April 8, 2014 -- FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today announced the release of “Hot Knives Through Butter: Evading File-based Sandboxes.” Drawing from data uncovered in observing thousands of advanced attacks that avoided detection by signature-based security solutions and file-based sandboxing solutions, “Hot Knives” provides a look at how important contextual analysis within a hardened hypervisor has become in fighting advanced attacks.

“Stealth and evasion represent the basic tools of the trade for advanced attackers, and security professionals need to stay on top of the latest techniques to avoid becoming the next headline,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group. “Today, sandboxes are becoming a standard in security — but not all sandboxes are built alike. Knowing how sandboxes work and the evasion techniques deployed against them can help avoid a serious breach.”

Originally released in August 2013, “Hot Knives” detailed 11 evasion techniques used by advanced persistent threats (APTs) and advanced malware to bypass configuration-specific, environment-specific, VMware-specific, and human interaction-based sandbox testing techniques. The four new techniques detailed in this latest version of the report include:

  • Malicious downloaders that exploit the fact that most file-based sandboxes run without an internet connection: the sandbox records the failed HTTP request, but never sees the payload the request would have fetched, so the malicious site the request points to goes undetected.
  • Checking the execution name of the analyzed file: sandboxes typically rename submitted samples to a predefined file name before running them, so the malware compares its own executable name against that name and stays dormant when it matches.
  • Volume information detection: when a sandbox image is cloned from one system to another, the hard drive's volume serial number is copied along with it, so the malware reads the serial number and aborts if it matches one associated with a known sandbox.
  • Execution after rebooting: the malware stays dormant and runs its payload only after the system reboots, exploiting the fact that sandboxes do not normally reboot during analysis.
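
All four checks above leave a trace in the sandbox's API log even when the sample then exits without doing anything visibly malicious, which is exactly the case a file-based sandbox is most likely to clear as benign. The triage script below is an added example written for this page, not code from the FireEye report or product: it scans a constructed API trace (the `pid|api|args|result` line format and every value in it, including the URL, paths and serial number, are invented for the example, although the Win32 API names are real) and flags processes whose behaviour matches each evasion pattern, so that a "quiet" verdict can be escalated instead of trusted. The sandbox sample names and the known volume serial are placeholders to be replaced with values collected from your own analysis images.

```python
"""Triage a sandbox API trace for the four evasion patterns.

Added example for this page, not FireEye's code. The trace format
('pid|api|args|result', one event per line) and every value in it are
constructed; only the Win32 API names are real.
"""
import re
from collections import defaultdict

# Assumed placeholders: populate these from your own sandbox images.
SANDBOX_SAMPLE_NAMES = {"sample.exe", "malware.exe"}
KNOWN_SANDBOX_SERIALS = {"1A2B-3C4D"}

# Calls that are environment probes or self-staging rather than real payload
# activity. A process that does only these and then exits is "quiet".
NON_PAYLOAD = {"GetModuleFileNameW", "GetVolumeInformationW", "InternetOpenUrlA",
               "RegSetValueExW", "CopyFileW", "Sleep", "ExitProcess"}

# Constructed trace: four evasive processes (1204, 1310, 1422, 1533) and one
# benign editor (1644) that also asks for its own file name but then works.
TRACE = r"""
1204|GetModuleFileNameW||C:\Users\analyst\Desktop\sample.exe
1204|ExitProcess|0|
1310|GetVolumeInformationW|C:\|serial=1A2B-3C4D
1310|ExitProcess|0|
1422|InternetOpenUrlA|http://198.51.100.7/stage2.bin|ERROR_INTERNET_CANNOT_CONNECT
1422|Sleep|60000|
1422|ExitProcess|0|
1533|CopyFileW|C:\Users\analyst\Desktop\sample.exe -> C:\Users\analyst\AppData\Roaming\upd.exe|OK
1533|RegSetValueExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater=C:\Users\analyst\AppData\Roaming\upd.exe|OK
1533|ExitProcess|0|
1644|GetModuleFileNameW||C:\Program Files\Editor\editor.exe
1644|CreateFileW|C:\Users\analyst\Documents\report.docx|OK
1644|WriteFile|4096 bytes|OK
"""


def parse_trace(text):
    """Return {pid: [(api, args, result), ...]} from 'pid|api|args|result' lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, args, result = line.split("|", 3)
        events[int(pid)].append((api, args, result))
    return dict(events)


def triage(events_by_pid):
    """Return {pid: [flag, ...]}; an empty list means nothing matched."""
    report = {}
    for pid, evs in events_by_pid.items():
        flags = []
        exited = any(api == "ExitProcess" for api, _, _ in evs)
        payload = [api for api, _, _ in evs if api not in NON_PAYLOAD]
        quiet_exit = exited and not payload  # probed the environment, then gave up
        for api, args, result in evs:
            if api == "GetModuleFileNameW" and quiet_exit:
                # Sample-name check: own image name equals the sandbox's fixed name.
                name = result.rsplit("\\", 1)[-1].lower()
                if name in SANDBOX_SAMPLE_NAMES:
                    flags.append(f"exe-name check: ran as '{name}' and exited with no payload activity")
            elif api == "GetVolumeInformationW" and quiet_exit:
                # Volume-serial check: serial cloned along with the sandbox image.
                m = re.search(r"serial=([0-9A-F]{4}-[0-9A-F]{4})", result)
                if m and m.group(1) in KNOWN_SANDBOX_SERIALS:
                    flags.append(f"volume-serial check: {m.group(1)} matches a known sandbox image")
            elif api.startswith("InternetOpenUrl") and result.startswith("ERROR_INTERNET"):
                # Offline downloader: the failed fetch is the only evidence the
                # sandbox will ever get, so the URL must be kept as an IOC.
                flags.append(f"offline downloader: failed fetch of {args}; record it as an IOC and re-run with network emulation")
            elif api == "RegSetValueExW" and "\\Run\\" in args and quiet_exit:
                # Reboot-wait: persistence registered, then exit with nothing else done.
                flags.append(f"reboot-wait: Run-key persistence ({args}) then exit; reboot the sandbox and re-observe")
        report[pid] = flags
    return report


def evasive_pids(report):
    """PIDs whose quiet run should be escalated rather than cleared."""
    return sorted(pid for pid, flags in report.items() if flags)


if __name__ == "__main__":
    result = triage(parse_trace(TRACE))
    for pid in evasive_pids(result):
        for flag in result[pid]:
            print(f"pid {pid}: {flag}")
```

The heuristic deliberately keys on the combination of a probe and a quiet exit: the benign editor in the trace also calls `GetModuleFileNameW`, but because it goes on to do real work and its name is not a sandbox sample name, it is not flagged. In a real deployment the thresholds for "quiet" and the placeholder sets would be tuned against your own sandbox's naming and imaging conventions.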

“Today’s attackers have built techniques to bypass the use of virtualization and sandboxing in the enterprise for far longer than traditional security solutions have been designed to think about them,” said Abhishek Singh, senior staff research scientist engineer, FireEye. “Approaching security from the standpoint of monitoring activities without context around them is akin to navigating without a compass. With these latest techniques, it is more important than ever to look beyond the surface of what file-based sandboxing technologies can do.”
