Pierluigi Paganini February 18, 2016

Researchers at Blue Frost Security firm discovered a flaw in the FireEye Virtual Execution Engine (VXE) that allows an attacker to completely bypass virtualization-based dynamic analysis and whitelist malware.

Security researchers at Blue Frost Security have found a high severity vulnerability in FireEye products that allowed an attacker to bypass the company’s detection engine and temporarily whitelist malware.

The experts reported the flaw to FireEye in September 2015, the company promptly patched the issue and released  and an update of the FireEye Operating System (FEOS). FireEye also requested Blue Frost to wait until mid-February to disclose the flaw because many customers had still not applied the updates.

The flaw resides in the FireEye’s Virtual Execution Engine (VXE), a crucial component of the defense solutions that performs dynamic analysis on files. The component is used is several products of the FireEye portfolio, including the FireEye Network Security (NX), the Email Security (EX), the Malware Analysis (AX), and the File Content Security (FX).

Every time the FireEye’s Virtual Execution Engine analyzes a binary present on a Windows machine it copies it into a virtual machine with the name “malware.exe.” Before the file is analyzed, the engine executes a script to copy the binary to a temporary location and rename it to its original filename.

The experts discovered that the software doesn’t sanitize the original filename allowing an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script.

“FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.

copy malware.exe "%temp%\fire_in_the_eye.exe"

No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.” states the security advisory from Blue Frost.

“Let’s take the filename FOO%temp%BAR.exe which results in:

copy malware.exe "%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe" The filename, directory name, or volume label syntax is incorrect. 0 file(s) copied.

The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”

The batch script attempts to execute the file in the virtual machine monitoring for malicious behavior, but the filename is invalid and causes the failure of the copying operation. As result, the file is no longer executed and the engine is no able to detect malicious activity. At this point, the Virtual Execution Engine considers the file clean and add its MD5 hash to a whitelist of binaries that have already been analyzed and that will no longer be analyzed until the next day.

“Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after day.” Blue Frost Security said in its advisory. “This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address. Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”

FireEye is one the most important firm in the security industry and immediately worked on the development of a security patch (FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2) which have been already released.

“FireEye encourages all customers to update their systems to the latest released version where noted below. FireEye has issued maintenance releases and fixes for all security issues contained within this advisory. ” states the company.

FireEye confirmed that it has not seen any active exploits of the evasion technique against its customers.

Pierluigi Paganini

(Security Affairs – FireEyed, Virtual Execution Engine)