Fireeye’s Security Software Vulnerability could let Malware be Whitelisted

Security investigators from Blue Frost Security have unearthed one vulnerability which if exploited could let cyber-criminals' malware programs get past the analysis engine of FireEye as well as ultimately whitelisted. FireEye performs its analyses dynamically through virtualization operable on Windows. For sometime, cyber-criminals were appending random binaries into the organization's binary whitelist so that those malicious binaries' analyses could get ignored till after 24-hrs the whitelist entries were erased.

The vulnerability existed in FEOS (FireEye Operating System) loaded onto the company's network security devices. More specifically, it impacted VXE (Virtual Execution Engine) of the OS. The VXE is one virtual machine for Windows which stays active within FEOS and gets utilized for examining dubious files which navigate via the OS.

Moritz Jodeit, researcher at Blue Frost Security explains that FEOS' working involves making a replica of the dubious file onto VXE while naming the replicated file "malware.exe" that is subsequently renamed, with the aid of batch script, to the earlier name. As a result, the cyber-criminal becomes able in whitelisting his binary. He may afterwards utilize the whitelisted binary giving it a random file-name during the next assault.

The original binary which got implanted onto its filename an environment variable could for instance get concealed within one zipped archive along with many more harmless files, as also dispatched onto one credulous e-mail id. If the zipped archive is downloaded alternatively dispatched through electronic mail only once, the implanted malicious program's MD5 hash would get whitelisted as well as the cyber-criminal might then use the binary while giving it a random file-name devoid of identification.

Blue Frost notified the problem to FireEye during mid-September, and in mid-October FireEye issued all its affected software's patched editions. Following FireEye's request, the vulnerability's knowledge has been publicized just recently, as the majority of the company's customers hadn't still made their vulnerable editions up to date.

The software items of FireEye which got impacted along with the FEOS editions which rectified the respective problems are FireEye Malware Analysis -AX (7.7.0), FireEye File Content Security -FX (7.5.1), FireEye E-mail Security -EX (7.6.2), and FireEye Network Security -NX (7.6.1).

» SPAMfighter News - 2/24/2016