Quick Heal Technologies has discovered a new form of malware that can bypass sandbox-based gateway appliances. Reuters

An antivirus firm has uncovered a new strain of malware that can break through highly secure enterprise networks. This malware is capable of getting past sandbox-based gateway appliances, sold by companies like Fireeye and Fortinet, to land in unsuspecting email inboxes. Its discovery by security firm Quick Heal Technologies is set to kickstart a cat-and-mouse game between appliance vendors and malware makers.

That's bad news for companies depending solely on these appliances to keep their network secure. These solutions can run up to $500,000, and have so far been impenetrable. Farokh Karani, a director at Quick Heal, explained that these appliances are a new trend in a world looking to find the one solution to all security problems. "The latest magic bullet being touted is these sandboxing appliances," he said.

These appliances run virtual machines (VMs) with a variety of different browsers, operating systems, and configurations. VMs are sometimes used by consumers with apps like Parallels to run Mac on Windows. In this situation, VMs are used when an email arrives at the company. The appliance executes the code in these VMs to make sure there's nothing nasty hiding inside.

This new malware, known as APT-QH-4AG15, was able to find its way around the appliance, and analysis reveals that it contained several schemes to get around virtual machines and sandboxes. The malware was first picked up in the Philippines, targeting local financial institutions, but Karani warns that all sandbox-based gateway appliances are affected.

"Our initial findings have taught us that even the most advanced sandbox-based appliance protection can be breached," said Sanjay Katkar, CTO at Quick Heal. "As a result, enterprises need to consider and implement multiple layers of protection to safeguard their networks."

Karani explained that antivirus software inside the network was able to detect the malware, but this spells trouble for companies depending on the appliances for their complete security solution. "It's the flaw in approach of sandboxed appliances, if you're taking it to be the magic bullet to stop all malware from coming in," said Karani.

The reason why these appliances have been secure until now, Karani said, is because malware makers weren't targeting them. Instead, developers focused on attacking traditional servers and PCs, bypassing regular antivirus software.

"The best defense is layers of robust protection – from the network to the endpoints and across all mobile devices, with continuous updates made to ensure that all levels of protection are current," said Karani.

The company's report reveals that the file creation date is just over 10 days old. That means the starting pistol has been fired: appliance developers will need to keep up to date, and the myth that these appliances are a "magic bullet" solution is now suspect.