Copyright (c) 2012, FireEye, Inc. All rights reserved. 1

Malware Detection using Advanced Behavior Analysis

Josh McCarthy, Sr. Solutions Architect

Copyright (c) 2012, FireEye, Inc. All rights reserved. 2

Multi-protocol Object Capture

FireEye Appliance Platform

MALWARE-VM FILTER

Multi-Protocol, Real-Time VX Engine

Virtual Execution Environments Phase 2

Phase 1 – Web MPS •  Aggressive Capture •  Web Object Filter M

ap To Target O

S&A

pps

Phase 1 – Email MPS •  Email Attachments •  URL Submission

Phase 1 – MAS appliance •  User submissions •  Batch mode processing

Copyright (c) 2012, FireEye, Inc. All rights reserved. 3

Sample Web Exploit

Pcap, and original object(s)

Copyright (c) 2012, FireEye, Inc. All rights reserved. 4

DLL Entry Points

Signature-less detection of zero-day attack

Malicious binary download posing as JPG

Copyright (c) 2012, FireEye, Inc. All rights reserved. 5

Recent PDF Zero-Day Sleep Example

Tracking sleep call

Copyright (c) 2012, FireEye, Inc. All rights reserved. 6

MAS Object and Info Availability

Pcap, extracted files, clip, & original object(s)

Extracted C2 information

Full dynamic analysis information

Copyright (c) 2012, FireEye, Inc. All rights reserved. 7

FireEye Security Assessment

http://www.fireeye.com/stopapts

Copyright (c) 2012, FireEye, Inc. All rights reserved. 8

How to Detect Advanced Malware

•  Implement automated behavior analysis of inbound network traffic using virtual analysis techniques –  Analyze multiple version of Adobe files and Microsoft Office files –  Java exploits –  DLL injects –  Heap spray attacks

•  Implement automated mechanisms to discover Call-back Channels via behavioral analysis

•  Implement automated dynamic behavior analysis mechanism to evaluate email attachments and URLs to identify and protect against targeted spear phishing attacks

Copyright (c) 2012, FireEye, Inc. All rights reserved. 9

FireEye Advanced Malware Protection