FireEye Detection Evasion and Whitelisting of Arbitrary Malware

An analysis engine evasion was identified which allows an attacker to completely bypass FireEye's virtualization-based dynamic analysis on Windows and whitelist arbitrary malicious binaries.

Vendor  FireEye, 
Affected Products  FireEye FX, AX, NX, EX
Affected Versions  FX < 7.5.1, AX < 7.7.0, NX < 7.6.1, EX < 7.6.2
CVE-ID  n/a
Severity  High 
Author  Moritz Jodeit (@moritzj), Blue Frost Security GmbH 

I. Impact

The analysis engine evasion allows an attacker to completely bypass FireEye's virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal white list of binaries for which the analysis will be skipped until the white list entry is wiped after a day.

II. Technical Details

FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from "malware.exe" to its original file name.

copy malware.exe "%temp%\fire_in_the_eye.exe"

No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.

Let's take the filename FOO%temp%BAR.exe which results in:

copy malware.exe "%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe"
The filename, directory name, or volume label syntax is incorrect.
        0 file(s) copied.

The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.

Afterwards the behavioral analysis inside the virtual machine is started which is running for a certain amount of time looking for malicious behavior. Since the binary was not started in the virtual machine in the first place, an empty virtual machine will be analyzed and no malicious behavior will be detected.

Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after day.

This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address. Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.

III. Mitigation

FireEye released updated FEOS versions which fix the described issue. Customers should update to the latest version. Details can be found in the FireEye Q4 security advisory at:

2015-09-14  Contacted to request PGP public key
2015-09-14  Issue reported to 
2015-09-16  FireEye confirms receipt of vulnerability report
2015-09-21 FireEye contacts BFS to arrange an initial intake call
2015-09-30 Call between BFS and FireEye in which FireEye confirms the issue
2015-10-05 Release of fixed FEOS version for FireEye FX/AX
2015-10-15 Release of fixed FEOS version for FireEye NX/EX

Call between BFS and FireEye to discuss the current status. FireEye confirms that point fixes were released to their customers.

2015-12-31 FireEye Q4 security advisory about the issue is published
2016-01-14 FireEye asks to postpone the publication of the BFS advisory for another 30 days since the percentage of customers who have not yet updated is still too high.


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages.

Copyright 2016 Blue Frost Security GmbH. All rights reserved. Terms of use apply.