December 2010

Modern Malware: What Happens Next?

By: Ashar Aziz, FireEye Inc.

Today’s malware is not yesterday’s virus. The anachronistic concept of protecting information with an outdated technique, such as signatures, has left many businesses and consumers vulnerable to attack. Signature-based technologies like IPS and antivirus software, both within perimeter and endpoint solutions, are ineffective against the rapidly evolving, blended threat of modern malware. To be effective, anti-malware solutions need to be intelligent enough to analyze network traffic and processes, rather than just comparing bits of code to signatures or lists.

Heuristic, or behavioral, analysis is an encouraging development, but it is too inaccurate to function as a standalone security mechanism. This methodology augments an anti-malware solution’s signature protections, but at the same time it increases the likelihood of false positive alerts. Modern threats consist of attacks on multiple fronts, exploiting the inability of conventional network protection mechanisms to provide a unified defense; as soon as one vulnerability is defended, network attacks quickly shift to another.

The sheer volume and escalating danger of modern attacks are overwhelming limited IT resources and outmaneuvering conventional defenses. For most enterprises, conventional connection-oriented network defenses and software-based defenses are inadequate because of the gaps they leave in security coverage, yet integrating conventional defenses from multiple vendors is far too complicated and costly an undertaking for an enterprise IT group.

The only viable solutions are those that provide thorough coverage across the many vectors that are used in attacks and that can keep pace with the dynamic nature of modern attacks. Defending corporate networks from modern malware threats requires new protections that function across any protocols and throughout the protocol stack, including the network layer, operating systems, and applications.

In order to address these modern threats, a real-time, dynamic, and accurate analysis capability is critical. Rather than relying on signatures and lists, we must be able to dynamically learn new vulnerabilities, exploits, and techniques in real time, and then prevent system compromise and data theft.

To meet these requirements, we have developed a modern malware protection solution that delivers accurate analysis for zero-day, targeted attacks—without using signatures. Without prior knowledge of exploits or application- and OS-level vulnerabilities, it identifies targeted, stealth malware using a multi-phase analysis engine described in detail below. In addition, our solution provides deep packet inspection of outbound communications across multiple protocols to identify and block infected systems from communicating valuable data out to criminal servers.

Our method of providing real-time, dynamic protection against zero-day, targeted modern malware is a multi-stage inspection engine that combines heuristic analysis with deep packet inspection inside instrumented virtual machines. Phase 1 is a set of aggressive capture heuristics used to identify suspicious network activity. As stated previously, aggressive heuristics used in isolation generate a high rate of false positives. However, the output of phase 1 flows into phase 2, the confirmation stage. In phase 2, the captured network traffic flows are replayed into virtual machines (VMs) to validate whether the traffic is indeed attack exploit code.

These virtual machines act as a Petri dish of sorts, confirming whether or not suspicious code actually infects a system while also eliminating false positives. Aggressive heuristic policies can therefore be set to flag even mildly suspicious network traffic, with the understanding that the subsequent VM malware analysis stage will confirm the actual attack traffic and eliminate the false positives. By combining a stage that minimizes missed attacks with a stage that eliminates false positives, we approach the ideal analysis engine: one that neither misses zero-day attacks nor produces false alerts. This multi-stage analysis also enables the programmatic capture, fingerprinting, and blocking of zero-day malware and of its unauthorized outbound callbacks to criminal command and control servers.
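The following is an added illustration of the two-stage pipeline described above and of the outbound callback filtering mentioned earlier; it is not FireEye code. Stage 1 applies deliberately over-triggering heuristics to inbound web transactions; stage 2 "confirms" an alert by inspecting the behaviour trace a VM would report when the payload is replayed. Since no sandbox runs here, each sample transaction carries a constructed `vm_trace`; the transactions, hosts and addresses are all made-up sample data. Only confirmed samples are fingerprinted, and only their observed callback destinations feed the outbound block list.

```python
"""Two-stage malware analysis pipeline (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib


@dataclass
class Transaction:
    """One inbound HTTP response as captured on the wire (constructed sample)."""
    flow_id: str
    host: str
    content_type: str
    payload: bytes
    # Behaviour a VM would observe when the payload is replayed. A real system
    # gets this from VM instrumentation; it is supplied here so the example runs offline.
    vm_trace: list = field(default_factory=list)


def stage1_suspicious(tx: Transaction) -> list:
    """Phase 1: aggressive capture heuristics. Intended to over-trigger."""
    reasons = []
    # A PE executable ("MZ" header) served under a non-executable content type.
    if tx.payload.startswith(b"MZ") and "application" not in tx.content_type:
        reasons.append("executable disguised as " + tx.content_type)
    # Raw IP literals as hosts are unusual for legitimate content.
    if tx.host.replace(".", "").isdigit():
        reasons.append("ip-literal host")
    # Very small executables are often droppers, but also legitimate stubs: noisy on purpose.
    if tx.payload.startswith(b"MZ") and len(tx.payload) < 64:
        reasons.append("tiny executable")
    return reasons


# Phase 2 only confirms behaviours that actually compromise the host; an odd-looking
# download with a clean trace is a heuristic false positive and is dropped.
MALICIOUS_BEHAVIOURS = {"persist_autorun", "inject_process", "disable_security", "callback"}


def stage2_confirm(tx: Transaction) -> Optional[dict]:
    """Phase 2: confirmation from the replayed VM behaviour trace."""
    observed = {event["type"] for event in tx.vm_trace}
    if not (observed & MALICIOUS_BEHAVIOURS):
        return None
    callbacks = sorted(e["dest"] for e in tx.vm_trace if e["type"] == "callback")
    return {
        "fingerprint": hashlib.sha256(tx.payload).hexdigest(),  # programmatic fingerprint
        "behaviours": sorted(observed & MALICIOUS_BEHAVIOURS),
        "callbacks": callbacks,
    }


def analyze(transactions: list) -> dict:
    """Run both stages; return confirmed verdicts plus counts for tuning the heuristics."""
    flagged = confirmed = 0
    verdicts = {}
    outbound_blocklist = set()
    for tx in transactions:
        reasons = stage1_suspicious(tx)
        if not reasons:
            continue
        flagged += 1
        verdict = stage2_confirm(tx)
        if verdict is None:
            continue  # false positive eliminated by the VM stage
        confirmed += 1
        verdict["reasons"] = reasons
        verdicts[tx.flow_id] = verdict
        outbound_blocklist.update(verdict["callbacks"])
    return {"flagged": flagged, "confirmed": confirmed,
            "verdicts": verdicts, "outbound_blocklist": outbound_blocklist}


def outbound_allowed(dest: str, blocklist: set) -> bool:
    """Outbound filter: drop flows to destinations learned from confirmed callbacks."""
    return dest not in blocklist


# Constructed sample traffic: a benign installer, a benign page on an IP-literal host
# (heuristic false positive), a disguised dropper with a callback, and a normal page.
SAMPLE_TRAFFIC = [
    Transaction("f1", "updates.example.org", "application/octet-stream",
                b"MZ" + b"\x00" * 100,
                [{"type": "file_write", "path": "C:/Program Files/app/app.exe"}]),
    Transaction("f2", "203.0.113.10", "text/html", b"<html>status page</html>", []),
    Transaction("f3", "203.0.113.55", "image/gif", b"MZ\x90\x00" + b"\x00" * 20,
                [{"type": "persist_autorun", "path": "HKCU/.../Run"},
                 {"type": "callback", "dest": "198.51.100.7"}]),
    Transaction("f4", "www.example.com", "text/html", b"<html>hello</html>", []),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_TRAFFIC)
    print(f"flagged by heuristics: {result['flagged']}, confirmed in VM: {result['confirmed']}")
    for flow_id, v in result["verdicts"].items():
        print(flow_id, v["behaviours"], v["callbacks"], v["fingerprint"][:16])
    print("outbound 198.51.100.7 allowed?", outbound_allowed("198.51.100.7", result["outbound_blocklist"]))
```

Running it on the sample traffic shows the intended division of labour: the heuristics flag two of the four flows (the IP-literal status page and the disguised dropper), the trace-based confirmation discards the status page, and only the dropper's callback destination ends up on the outbound block list. Loosening the phase 1 rules raises the flagged count without changing the confirmed count, which is the property the text relies on.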

[Figure: malware attack]

Global Sharing of Local Malware Intelligence
To share the benefits of the real-time malware intelligence gathered by the local analysis engines, we have built a worldwide network that distributes the automatically generated security intelligence about modern malware and its covert call-back channels. As more organizations opt in to our Internet cyber crime watch, the latest intelligence on inbound attacks and unauthorized outbound communications can be shared in real time to prevent data exfiltration, alteration, and destruction.

FireEye has significantly advanced the state of the art in malware protection and has made it possible to accurately stop modern malware in real time. With inbound attack detection, outbound malware transmission filtering, and a global security information network, administrators have a clientless solution that is easy to deploy and maintain and that provides advanced protection against today’s threats. We are hopeful that the next few chapters of modern malware will be a story of how organizations regain control of their network resources and computing assets. It is more important than ever to secure our network infrastructures from cyber criminals, especially as our everyday activities increasingly rely on a safe and stable network.

For more information on modern malware and how to prevent security issues, please visit: