malware detection using advanced behavior analysis
TRANSCRIPT
Copyright (c) 2012, FireEye, Inc. All rights reserved. 1
Malware Detection using Advanced Behavior Analysis
Josh McCarthy, Sr. Solutions Architect
Multi-protocol Object Capture
FireEye Appliance Platform
MALWARE-VM FILTER
Multi-Protocol, Real-Time VX Engine
Virtual Execution Environments Phase 2
Phase 1 – Web MPS • Aggressive Capture • Web Object Filter
Map To Target OS & Apps
Phase 1 – Email MPS • Email Attachments • URL Submission
Phase 1 – MAS appliance • User submissions • Batch mode processing
Sample Web Exploit
Pcap, and original object(s)
DLL Entry Points
Signature-less detection of zero-day attack
Malicious binary download posing as JPG
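A minimal form of the web object filter check this slide describes (a PE binary served with a JPG name and image content type), as an added example that is not FireEye's code. The URLs, content types and the PE stub are constructed sample objects, not captured traffic.

```python
import struct

JPEG_MAGIC = b"\xff\xd8\xff"   # start of every JFIF/EXIF JPEG
MZ_MAGIC = b"MZ"               # DOS stub header of a Windows PE file


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or not data.startswith(MZ_MAGIC):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_object(url: str, content_type: str, data: bytes) -> str:
    """Compare what the transfer claims to be with what the bytes actually are."""
    claims_image = (content_type.lower().startswith("image/jpeg")
                    or url.lower().endswith((".jpg", ".jpeg")))
    if is_pe(data):
        # executable content behind an image name/type is the suspicious case
        return "pe-as-image" if claims_image else "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a downloaded binary: MZ header + PE signature only."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00"


# Constructed sample objects: (url, declared content type, captured bytes)
SAMPLE_OBJECTS = [
    ("http://cdn.example/photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("http://cdn.example/banner.jpg", "image/jpeg", build_fake_pe()),
    ("http://cdn.example/setup.exe", "application/octet-stream", build_fake_pe()),
]


def scan(objects):
    """Return (url, verdict) for each captured object."""
    return [(url, classify_object(url, ctype, data)) for url, ctype, data in objects]


if __name__ == "__main__":
    for url, verdict in scan(SAMPLE_OBJECTS):
        print(f"{verdict:12s} {url}")
```

Only the second object should be flagged as an executable posing as an image; the third is a plainly declared binary, which a policy may still send to the VM for execution but is not a type mismatch.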
Recent PDF Zero-Day Sleep Example
Tracking sleep call
MAS Object and Info Availability
Pcap, extracted files, clip, & original object(s)
Extracted C2 information
Full dynamic analysis information
FireEye Security Assessment
http://www.fireeye.com/stopapts
How to Detect Advanced Malware
• Implement automated behavior analysis of inbound network traffic using virtual analysis techniques
– Analyze multiple versions of Adobe files and Microsoft Office files
– Java exploits
– DLL injects
– Heap spray attacks
• Implement automated mechanisms to discover Call-back Channels via behavioral analysis
• Implement automated dynamic behavior analysis mechanisms to evaluate email attachments and URLs, to identify and protect against targeted spear phishing attacks
FireEye Advanced Malware Protection