
Review: FireEye fights off multi-stage malware

David Newman | May 6, 2014
You can't see some malware until it's too late. Sophisticated attacks arrive in pieces, each seemingly benign. Once these advanced attacks reassemble, the target is already compromised.

FireEye takes a new approach to malware detection with its NX appliances. As this Clear Choice test shows, the FireEye device lets suspect content proceed and execute, but only on virtual machines running inside the appliance, never on the real endpoints behind it.

In our tests, the FireEye appliance performed flawlessly. It detected all the multi-stage malware samples we threw at it, including some involving recent zero-day exploits. The top-of-the-line NX 10000 ran at speeds beyond 4Gbps in inline mode, and at better than 9Gbps in tap mode, both with and without attack traffic present.

The NX line fills a specialized niche, and complements rather than replaces existing security gear. It's not an IDS on its own, though the company is working on an IDS module. Even then, the NX 10000 won't be an all-in-one security device. Instead, it does one thing really well: It stops the most advanced forms of malware from passing into the enterprise.

This comprehensive protection doesn't come cheap. The high-end system we tested has a list price of around $420,000, plus service contract. But that's intended for 10G Internet links (which themselves are rather pricy), and it's aimed at enterprises protecting assets worth far more than a half-million dollars. For comparison, FireEye's entry-level NX 900 appliance works on 10-Mbit/s links and has a list price of $9,600.


Anatomy of a threat

While automated attacks from script kiddies remain a nuisance, a far more serious threat comes from sophisticated multi-stage malware. Some of these so-called advanced persistent threats (APT) are state-sponsored; in other cases organized crime is involved.

Whatever the origin, there are at least three phases. First, the exploit stage uses a vulnerability to plant a small piece of code that the later stages build on. The exploit itself typically hides inside a seemingly benign object, such as a Flash file or JavaScript in a Web page, and targets a flaw in the browser or plug-in that renders it.

New attacks, including zero-day exploits for previously unknown vulnerabilities, most often appear during this stage.

Second, the code planted by the exploit downloads the actual malware, though not necessarily in one piece. The "dropper" might arrive in several parts from several sources, each obscured to hide its nature and each harmless-looking on its own.

Third, the compromised system phones home to a command-and-control (C2) infrastructure that directs the malware. By now the attackers control the target: they can take its data and use it as a pathway into the rest of the internal network.

Conventional approaches to fighting malware have limitations against multi-stage threats. A signature-based system might recognize the malware binary, but only once it has been reassembled on the target, and by then the target is already compromised. Newer sandbox systems detonate suspect content before it reaches target machines, but they may not be able to collect and analyze all the constituent parts of a multi-stage attack, and the malware may decline to reveal itself inside an analysis environment. Indeed, a key step in some exploit kits is to "fingerprint" the environment (hypervisor artifacts, OS, browser and plug-in versions) before deciding whether to proceed.
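The two failure modes described above, per-piece scanning that sees nothing and a stager that fingerprints its surroundings before assembling anything, are easy to model. The following is an added illustration written for this review; it is not FireEye code and does not describe how the NX appliance works internally. The "payload", its "signature", the per-piece XOR keys and the host fingerprint dictionaries are all constructed here for the demonstration.

```python
"""Toy model of a multi-stage dropper: why scanning each piece in transit
misses the malware, and why a stager that fingerprints its host will
stay dormant inside an obvious virtual machine.

Added illustration, not FireEye code. Payload, signature, piece keys and
the 'environment' dictionaries below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed stand-in for a malicious binary. The "signature" is the
# substring a conventional engine would look for in the assembled file.
PAYLOAD = (
    b"MZ\x90\x00"
    + b"benign-looking-filler-" * 4
    + b"EVIL_MARKER_0xC2"
    + b"\x00" * 16
)
SIGNATURE = b"EVIL_MARKER_0xC2"

# Virtualization artifacts an exploit kit might probe for (constructed list).
VM_INDICATORS = ("VBOX", "VMware", "QEMU", "Xen", "KVM")


@dataclass(frozen=True)
class Piece:
    """One download from one 'source', XOR-obscured with its own key."""
    index: int
    key: int
    body: bytes


def split_and_obscure(payload: bytes, n_pieces: int) -> list[Piece]:
    """Stage 2 delivery: cut the payload into n pieces, XOR each with a distinct key."""
    size = -(-len(payload) // n_pieces)  # ceiling division
    pieces = []
    for i in range(n_pieces):
        chunk = payload[i * size:(i + 1) * size]
        key = (0x5A + 0x11 * i) & 0xFF  # constructed per-piece key, never zero here
        pieces.append(Piece(i, key, bytes(b ^ key for b in chunk)))
    return pieces


def signature_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a per-object signature check does: a substring match."""
    return signature in blob


def scan_pieces_individually(pieces: list[Piece]) -> int:
    """Count pieces that trip the signature as they cross the wire, each still obscured."""
    return sum(signature_scan(p.body) for p in pieces)


def looks_like_vm(environment: dict[str, str]) -> bool:
    """Fingerprinting gate: true if any probed value advertises virtualization."""
    haystack = " ".join(environment.values()).lower()
    return any(ind.lower() in haystack for ind in VM_INDICATORS)


def stager_reassemble(pieces: list[Piece], environment: dict[str, str]) -> bytes | None:
    """Stage 3 on the victim: fingerprint first, reassemble only on a 'real' machine."""
    if looks_like_vm(environment):
        return None  # stay dormant; nothing for a sandbox to detonate
    ordered = sorted(pieces, key=lambda p: p.index)
    return b"".join(bytes(b ^ p.key for b in p.body) for p in ordered)


def demo() -> dict[str, object]:
    """Run the whole chain against a naive sandbox and against a plausible victim."""
    pieces = split_and_obscure(PAYLOAD, 5)
    sandbox_env = {"disk_model": "VBOX HARDDISK", "cpu": "Intel"}   # constructed
    victim_env = {"disk_model": "ST1000DM003", "cpu": "Intel"}      # constructed
    on_victim = stager_reassemble(pieces, victim_env) or b""
    return {
        "pieces_flagged_in_transit": scan_pieces_individually(pieces),
        "payload_in_naive_sandbox": stager_reassemble(pieces, sandbox_env),
        "payload_on_victim_detected": signature_scan(on_victim),
        "reassembled_matches_original": on_victim == PAYLOAD,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The scan over the five obscured pieces flags nothing, the stager hands a naive VM nothing to analyze, and only the reassembled buffer on the "victim" matches the signature. That is the gap the review describes: the detection environment has to let the stager run to completion and has to look enough like a real desktop that the fingerprinting step lets it proceed.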
