Product Highlight: FireEye Malware Analysis Appliance

Malware Forensic Module: FireEye Malware Analysis Appliance

The FireEye Malware Analysis System (MAS) gives threat analysts hands-on control over powerful auto-configured test environments where they can safely execute and inspect advanced malware, zero-day, and targeted APT attacks embedded in common file formats, email attachments, and Web objects. With advanced instrumentation, the FireEye Virtual Execution (VX) environments provide forensic details on the exploit, such as the vulnerability exploited to create a buffer overflow condition, attempts to escalate privileges within Windows, and the callback coordinates used to exfiltrate data.

When threat analysts need a secure environment to test, replay, characterize, and document advanced malicious activities, they can simply load a suspicious file or set of files into the FireEye MAS’ VX engine. As it analyzes files such as suspicious email attachments, PDF documents, or Web objects via a URL, the MAS reports a full 360-degree view of the attack, from the initial exploit and malware execution path to the callback destinations and follow-on binary download attempts.

MAS Highlights

Provides pre-configured sandbox or live-mode analysis for unknown code and suspicious Web objects – Supports single and batch testing with a range of browsers, plug-ins, applications and Windows operating environments, looking for any sign of unusual activity and any attempt to exploit a vulnerability.

Automated or batched analysis of zero-day attacks – Using the VX engine, it detects and stops advanced targeted attacks delivered through malicious images, PDFs, Flash, or ZIP/RAR/TNEF archives.

Identifies outbound malware transmissions across multiple protocols – Shows how malicious code plans to steal data, control bot activities or communicate multistage operations using HTTP, FTP, or IRC, revealing the intent of the malicious software.

Dynamically generates malware intelligence – Captures details such as callback coordinates and communication characteristics to protect locally and share globally through the cloud.

Integrates with Web, Email, and File MPS via CMS – All new malicious content uncovered using the MAS can be pushed to the Web, Email, and File MPS for real-time protection against emerging attacks.

Streamlines analysis – Lets analysts drill into samples to confirm attacks and understand the intent and targets of the criminals, without the overhead of creating and maintaining test configurations.

Supports YARA-based rules – Enables information security analysts to specify byte-level rules and quickly analyze objects for threats specific to the organization.

Supports third-party anti-virus and AV-Suite integration – Malicious objects that anti-virus can also identify can be linked to the deeper forensic information provided in the MAS for more efficient incident response prioritization.
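As an added illustration of the byte-level rule idea behind the YARA support listed above (a constructed example, not FireEye code and not the YARA engine): a small matcher that compiles hex patterns with `??` wildcards and plain text strings, then scans two constructed sample objects. The rule name, patterns and sample bytes are all assumptions made for the demonstration.

```python
import re

# Constructed rule in YARA's spirit: named byte-level patterns plus a condition.
# Hex tokens use "??" as a single-byte wildcard; text tokens match literally.
# Assumption: this matcher is an added illustration only, not the YARA engine.
SAMPLE_RULE = {
    "name": "org_specific_dropper",                       # constructed rule name
    "strings": {
        "$mz_pe": ("hex", "4D 5A ?? ?? 50 45"),           # 'MZ' .. 'PE' with wildcards
        "$cb": ("text", "update.example.invalid"),        # constructed callback host
    },
    "condition": "all",   # "all" or "any" of the named strings must be present
}

def _to_regex(kind: str, pattern: str) -> re.Pattern:
    """Compile a hex-with-wildcards or text pattern into a bytes regex."""
    if kind == "hex":
        parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                 for tok in pattern.split()]
        return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: ?? matches 0x0A too
    return re.compile(re.escape(pattern.encode()))

def scan(rule: dict, data: bytes) -> dict:
    """Return every string's match offsets and whether the rule condition fired."""
    hits = {}
    for name, (kind, pat) in rule["strings"].items():
        hits[name] = [m.start() for m in _to_regex(kind, pat).finditer(data)]
    matched = [name for name, offs in hits.items() if offs]
    fired = len(matched) == len(hits) if rule["condition"] == "all" else bool(matched)
    return {"rule": rule["name"], "matched": fired, "offsets": hits}

# Constructed sample objects: one that satisfies the rule, one that does not.
SUSPICIOUS = b"MZ\x90\x00PE\x00\x00 ... http://update.example.invalid/stage2"
BENIGN = b"MZ\x90\x00PE\x00\x00 plain installer"

if __name__ == "__main__":
    print(scan(SAMPLE_RULE, SUSPICIOUS))
    print(scan(SAMPLE_RULE, BENIGN))
```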

The FireEye Malware Analysis appliance can act on any of the following inputs:

• A URL pointing to a file located on the Internet. HTTP, HTTPS, FTP, and SFTP URLs are supported. Such a URL is referred to as a malicious-file-URL.
• A file located on a desktop.
• A list file containing URLs that point to files on the Internet.
• Files placed in a network-shared repository.

Choose sandbox or honeypot analysis modes

In sandbox mode, researchers can witness the execution path of particular malware samples as well as generate a dynamic and anonymized profile of the attack that can be distributed through the CMS to other FireEye Web, Email, and File Malware Protection System (MPS) appliances. Malware attack profiles include identifiers of malware code, exploit URLs, and other sources of infections and attacks. Also, malware communication protocol characteristics are shared to provide dynamic blocking of data exfiltration attempts.

In addition to sandbox analysis, FireEye offers a live, on-network “honeypot” mode for full malware lifecycle analysis. Today’s advanced malware circumvents traditional security by unfolding in multiple stages. The first vulnerability exploit stage simply establishes a beachhead for criminals. FireEye integrates inbound and outbound inspections across multiple protocols for comprehensive threat analysis of OS, Web, email, and application threats that attack across multiple vectors.