SynerComm Blog
I’d been hearing some buzz around FireEye on the security mailing lists and such, but with the constant influx of “new security product” info I’d been ignoring it. Now I’ve seen it in action at some of our clients’ sites and I’m impressed with it.
The essence of the FireEye product is different from every other security appliance or software out there. The FireEye appliance runs a stack of virtual machines covering many flavors of Windows and the applications most often targeted by exploits, such as Java, Adobe, Windows Media, and Office. The appliance sniffs HTTP traffic off the wire, pulls out anything that looks like it could be executable or exploit content, and runs it inside those operating systems and applications in its virtual machines to see what it does.
FireEye has other ways of detecting malware too, but this one is the key, and it is powerful for three reasons:
- It is not based on signatures, so it can detect completely new malware.
- The verdict is based on what the payload actually does to the victim virtual machine, not on what it looks like, which gives FireEye a very low false positive rate.
- The FireEye infection report contains the network packet capture, the actual binary that was transmitted, and a description of the changes it would have tried to make to an infected host.
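What “anything that looks like it could be suspicious code” means in practice is the first thing to get right, and it is the part that can be shown without a VM farm. The block below is an added example, not FireEye’s code: it parses raw HTTP responses, sniffs the real file type from the body’s magic bytes, and returns the reasons a response should be sent to a VM (an executable served as an image, a PDF with an OpenAction, a JAR, a page that builds %u-encoded shellcode). The responses, the magic-byte table and the content-type lists are constructed for the example.

```python
"""Triage of HTTP responses for sandbox detonation.

Added example (not FireEye code): a simplified version of the first step the
post describes, picking responses that carry something executable out of HTTP
traffic so they can be run in a VM. Real appliances reassemble TCP streams;
here every response is a constructed byte string.
"""
import re

# File-type signatures a detonation sandbox cares about (prefix -> label).
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",        # also JAR, DOCX/XLSX
    b"\xd0\xcf\x11\xe0": "ole2-office",    # legacy DOC/XLS/PPT
    b"\xca\xfe\xba\xbe": "java-class",
    b"FWS": "flash",
    b"CWS": "flash-compressed",
}

# Content-Types under which no active code is expected; a mismatch with the
# sniffed body type is a classic drive-by trick.
PASSIVE_TYPES = ("text/html", "text/plain", "text/css", "image/", "application/json")

PDF_ACTIVE = re.compile(rb"/JavaScript|/JS\b|/OpenAction|/Launch")
# unescape("%u9090%u9090...") is the old heap-spray / shellcode staging idiom.
HTML_SHELLCODE = re.compile(rb"unescape\(\s*['\"]%u[0-9a-fA-F]{4}")


def split_response(raw: bytes):
    """Return (status line, lower-cased header dict, body) for one HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return lines[0].decode("latin-1"), headers, body


def sniff_type(body: bytes):
    """Identify the body by magic bytes, ignoring what the server claimed."""
    for magic, label in MAGIC.items():
        if body.startswith(magic):
            return label
    return None


def triage(raw: bytes):
    """Reasons to detonate this response in a VM; an empty list means it looks passive."""
    _, headers, body = split_response(raw)
    ctype = headers.get("content-type", "").lower()
    reasons = []
    kind = sniff_type(body)
    if kind:
        reasons.append(f"body is {kind}")
        if ctype.startswith(PASSIVE_TYPES):
            reasons.append(f"content-type {ctype!r} does not match body")
    if kind == "pdf" and PDF_ACTIVE.search(body):
        reasons.append("pdf contains active content")
    if kind == "zip-container" and b"META-INF/" in body:
        reasons.append("archive looks like a jar")
    if HTML_SHELLCODE.search(body):
        reasons.append("page builds %u-encoded shellcode")
    return reasons


def make_response(ctype: str, body: bytes) -> bytes:
    """Build a constructed HTTP/1.1 response for the samples below."""
    head = f"HTTP/1.1 200 OK\r\nContent-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


# Constructed samples, not captured traffic.
SAMPLES = {
    "exe_as_gif": make_response("image/gif", b"MZ\x90\x00" + b"\x00" * 60),
    "pdf_openaction": make_response("application/pdf",
                                    b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >> endobj\n"),
    "jar_as_octet": make_response("application/octet-stream",
                                  b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/MANIFEST.MF"),
    "spray_page": make_response("text/html",
                                b"<html><script>var s=unescape('%u9090%u9090');</script></html>"),
    "plain_page": make_response("text/html", b"<html><body>hello</body></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw) or "looks passive")
```

Two caveats a practitioner would add: the triage only selects candidates, the verdict still comes from running them, and on a real wire the body has to be de-chunked and gunzipped (Content-Encoding) before the magic bytes mean anything, otherwise an executable behind gzip sails past as “looks passive”.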
FireEye has built their solution around this functionality to detect malware at multiple points:
Initial Exploit/Drive-by downloads – If a user clicks on a link or otherwise gets malicious software from a web site, the FireEye will detect the malware in the HTTP network traffic.
Phishing/SPAM attachments – FireEye also has a product that sniffs your email traffic stream and does the same “execute anything suspicious in virtual machines” analysis on it.
Callbacks – Most Trojan software today installs in two steps. The first step is the initial infection: a small package whose only job is to compromise the host and then reach out to download more malware. That outbound connection to fetch the second stage is the callback. If the FireEye misses the initial exploit/infection (maybe it came in through an infected thumb drive, or while the user’s laptop was on the wifi at Starbucks), it will still often catch the callback, because the second-stage download is itself suspicious code crossing the wire over HTTP.
Botnet Command and Control – So my first question was: what if the infection is already there and not doing any more callbacks? Here FireEye uses a technique similar to many other products: as it sniffs traffic it also looks for signatures of command and control traffic (based on things like protocol, destination IP, and so on). Where it differs a little is in where those signatures come from. They are built from the infection/malware activity data gathered from all the installed FireEye appliances: when an appliance detects a new, unknown piece of malware by executing it in a virtual machine, it reports back to the cloud exactly what that malware does, including a signature for its C&C traffic.
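The callback and C&C checks above work on traffic metadata rather than on the payload, so they can be shown against a proxy log. The block below is an added example, not FireEye’s code: it matches requests against a small, constructed indicator set of the sort a sandbox run would yield (a C&C host and a URI pattern), flags executables fetched from bare IP addresses as likely second-stage callbacks, and looks for beaconing (one client polling one host at a near-constant interval), which catches a host the indicator set has never seen. The log lines, the CSV layout, the hosts and the thresholds are all constructed for the example.

```python
"""Callback and C&C detection over a web-proxy log.

Added example, not FireEye's code. Three traffic-side checks of the kind the
post describes: known-indicator matching, second-stage (callback) downloads,
and beaconing. Indicators and log lines are constructed; the CSV columns are
a made-up format, not any real proxy's.
"""
import csv
import io
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical indicators of the sort a sandbox run would produce: where the
# sample phoned home and what its requests looked like.
CNC_HOSTS = {"evil.example", "203.0.113.9"}
CNC_URI_PATTERNS = [re.compile(r"^/gate\.php\?id=[0-9a-f]{8}$")]
# Response types that mean "an executable came back".
STAGE2_TYPES = {"application/x-msdownload", "application/octet-stream"}
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

LOG_FIELDS = ["ts", "src", "method", "host", "uri", "user_agent", "resp_type"]

# Constructed log: one host beaconing every ~60 s to an unknown host, one
# host pulling an .exe from a bare IP, one host browsing normally but also
# touching a known C&C host and a C&C-style URI.
SAMPLE_LOG = """\
2024-03-01T09:00:00,10.0.0.5,GET,updates.example,/ping,Mozilla/5.0,text/plain
2024-03-01T09:01:00,10.0.0.5,GET,updates.example,/ping,Mozilla/5.0,text/plain
2024-03-01T09:02:01,10.0.0.5,GET,updates.example,/ping,Mozilla/5.0,text/plain
2024-03-01T09:03:00,10.0.0.5,GET,updates.example,/ping,Mozilla/5.0,text/plain
2024-03-01T09:04:00,10.0.0.5,GET,updates.example,/ping,Mozilla/5.0,text/plain
2024-03-01T09:00:10,10.0.0.7,GET,203.0.113.9,/x/update.exe,Mozilla/4.0,application/octet-stream
2024-03-01T09:00:05,10.0.0.8,GET,www.example.com,/index.html,Mozilla/5.0,text/html
2024-03-01T09:00:40,10.0.0.8,GET,www.example.com,/style.css,Mozilla/5.0,text/css
2024-03-01T09:05:12,10.0.0.8,GET,evil.example,/panel,Mozilla/5.0,text/html
2024-03-01T09:06:30,10.0.0.8,GET,cdn1.example,/gate.php?id=deadbeef,Mozilla/5.0,text/html
2024-03-01T09:07:00,10.0.0.8,GET,www.example.com,/news,Mozilla/5.0,text/html
2024-03-01T09:20:00,10.0.0.8,GET,www.example.com,/about,Mozilla/5.0,text/html
"""


def parse_log(text):
    """Parse the constructed CSV into dicts with a real datetime in 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text.strip()), fieldnames=LOG_FIELDS))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows


def signature_hits(rows):
    """Requests matching the shared indicator set: (src, host, reason)."""
    hits = []
    for r in rows:
        if r["host"] in CNC_HOSTS:
            hits.append((r["src"], r["host"], "known C&C destination"))
        elif any(p.search(r["uri"]) for p in CNC_URI_PATTERNS):
            hits.append((r["src"], r["host"], "C&C URI pattern"))
    return hits


def stage2_downloads(rows):
    """Executable fetched from a bare IP address: the classic callback shape."""
    return [(r["src"], r["host"], r["uri"]) for r in rows
            if IP_LITERAL.match(r["host"]) and r["resp_type"] in STAGE2_TYPES]


def beacons(rows, min_requests=4, max_jitter=0.1):
    """(src, host, period_s) pairs polled at a near-constant interval.

    Jitter is the standard deviation of the gaps relative to their mean;
    human browsing is bursty, a sleep-loop in a bot is not.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    found = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((src, host, round(mean)))
    return found


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("indicator hits:", signature_hits(rows))
    print("stage-2 downloads:", stage2_downloads(rows))
    print("beacons:", beacons(rows))
```

The three checks are deliberately independent: the indicator match is only as good as what other appliances have already seen, the stage-2 rule needs the payload to come back over plain HTTP, and the beacon heuristic needs enough requests in the window. Together they cover the case the post raises, an infection that arrived elsewhere and is now just phoning home.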
My favorite things about the FireEye solution
- It is easy to set up, and you set it up as a sniffer and not in-line, so doing a demo or using it during a vulnerability assessment engagement is really easy.
- I’ve seen it detect installed malware at companies that are running up-to-date antivirus and are otherwise pretty locked down.
- They have a version of the appliance that you can use for malware analysis.
- If you install it you get a big increase in confidence that your workstations aren’t infected, with very little end-user impact.
My least favorite things about the FireEye solution
- It only does the malware code detection on HTTP and SMTP today. Malware that uses SSL for the exploit and the callbacks never shows the appliance a payload to execute, so it would only potentially be caught by the C&C traffic signatures.
- As it gets more popular, there is a chance malware writers will begin to modify their malware to detect and fool the FireEye, similar to the way malware authors try to detect and fool VMware honeynets today by checking for virtualization artifacts before doing anything interesting.
Even with those possible drawbacks, FireEye’s product is one of the best solutions I’ve seen for detecting compromises of corporate workstations today.
Contact us for more information on how to deploy FireEye in your network.