Joebox
Analyse your Malware on Windows simply and quickly
This concept is the sixth revision and the most advanced one. It adds a better restore solution and new possibilities to extend Joebox.
See concept version 5.0
See concept version 4.0
See concept version 3.0
See concept version 2.0
See concept version 1.0
Introduction
A sandbox application is, beside other uses, a complex automatic system to capture the runtime behaviour data of malware. The behaviour data, which is mostly a system call trace, can be used mainly in four different areas. Please have a look at the vision section to get a detailed view of these areas.
Motivation
To evade analysis, hackers try to write malware that is able to distinguish during execution between a normal end-user system and a malware analysis system. Many detection and evasion mechanisms are known, such as the use of special invalid opcodes or the detection of the hardware in use, for instance via CPUID, and they are used successfully to avoid runtime analysis. Moreover, hackers add sandbox evasion features to packers and crypters, which results in a higher share of malware samples that are able to bypass malware analysis systems. It is therefore a really big challenge to build an analysis system that is hard to evade and hard to detect.
Another big challenge, beside the detection problem, is malware that uses techniques to slow down automated analysis. Hackers often insert a piece of code into malware binaries that activates a malicious function only when specified conditions are met. An example is malware that only contacts its command and control server on a certain date, or a malware installer that needs some user interaction to get installed.
With the exponential increase of malware, an automatic analysis system has to analyse malware efficiently.
Next, the system should be able to analyse malware on new operating systems like Windows Vista, which is getting more and more attractive for hackers.
Our motivation is to build, maintain and extend a malware analysis system that solves these challenges. Therefore we built Joebox in 2003. Joebox has been continuously improved. The latest concept is described in the next sections.
Design
Joebox uses two real computer systems to analyse malware with a high degree of completeness. The software part is composed of seven main applications.
Joeboxclient is the entry point of the analysis system and communicates through Joeboxserver with the analysis machine, where the malware is executed. Joeboxserver coordinates Joeboxcontrol, which handles Joeboxdriver, the system call trace engine. Joeboxhide protects Joeboxserver and Joeboxcontrol from being manipulated by malware. Joeboxabstract is responsible for converting and abstracting call traces into human-readable analysis reports. To analyse more than one binary at once, Joeboxclient is able to communicate with multiple analysis machines. Joeboxscriptbuilder handles submitted AutoIt scripts, which are used to control Joebox and to simulate user interactions. Tshark is used for sniffing the network traffic. For the different tasks, Joeboxserver and Joeboxclient use plugins. For instance, Joeboxclient controls FOG through a plugin, which can be exchanged for another one that controls a different cloning solution.
Scripting
In addition to a malware binary, Joebox accepts an AutoIt script. Through AutoIt you are able to simulate user interactions, change the environment or control Joebox completely. For instance, you can start or stop the sniffer or the system call tracer. You can modify the analysis status to analyse existing server processes or drivers. You also have the possibility to reboot the system or restore it to a predefined state by using scripts. Furthermore, scripting gives you the ability to act quickly to prevent detection of the analysis system, for instance by randomising environment values. A list of all commands to control Joebox can be found here. Some advice on how to use these commands on the online system can be found here.
Behaviour Baselines
Joebox has the unique feature of creating and comparing behaviour baselines, controlled through AutoIt scripts. A baseline is a set of behaviour data. The behaviour of a baseline A can be subtracted from a baseline B. This technique lets you remove uninteresting behaviour data and focus on the interesting part. For example, if you want to analyse a malicious PDF exploit, you first build a baseline of the behaviour data of running Acrobat Reader with a clean PDF document. Afterwards you run the malicious PDF document, whose behaviour is stored in another baseline. Finally the clean behaviour is subtracted from the malicious one. As a result you get only the malicious behaviour. Please have a look at a sample script demonstrating baseline subtraction.
System call tracing
The system call tracer Joeboxdriver currently uses dynamically configurable SSDT and EAT hooking to capture system calls. It is necessary to use a kernel-mode technique instead of a user-mode mechanism because analysis is very easy to evade if the hooking environment and the malware act at the same system level. Fighting user-mode malware with user-mode hooks is therefore a bad idea, and fighting kernel-mode malware that way is impossible. Joeboxdriver is able to capture calls from user-mode and kernel-mode malware. To improve the kernel-mode analysis we are working on a thin hypervisor.
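The baseline subtraction described under Behaviour Baselines above works on exactly the kind of call trace this tracer produces. The following is an added example (not Joebox code; the three-column CSV layout, the sample records and the address 198.51.100.7 are constructed) that subtracts a clean Acrobat Reader baseline from a run of a suspicious PDF. It also shows the caveat a practitioner runs into: values that change between runs (process ids, the name of the document under test) must be normalised before two traces can be compared, or nothing subtracts cleanly.

```python
import csv
import io
import re

# Constructed sample reports in a hypothetical "category,api,target" layout
# (not Joebox's real CSV format). Baseline A: Reader opening a clean PDF.
CLEAN_BASELINE = """category,api,target
file,NtCreateFile,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe
file,NtCreateFile,C:\\Users\\joe\\clean.pdf
registry,NtOpenKey,HKCU\\Software\\Adobe\\Acrobat Reader
process,NtCreateProcess,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe [pid 1124]
"""

# Baseline B: the same Reader opening a suspicious PDF (constructed).
MALICIOUS_RUN = """category,api,target
file,NtCreateFile,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe
file,NtCreateFile,C:\\Users\\joe\\invoice.pdf
registry,NtOpenKey,HKCU\\Software\\Adobe\\Acrobat Reader
process,NtCreateProcess,C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe [pid 2208]
file,NtCreateFile,C:\\Users\\joe\\AppData\\Local\\Temp\\svchost.exe
registry,NtSetValueKey,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater
process,NtCreateProcess,C:\\Users\\joe\\AppData\\Local\\Temp\\svchost.exe [pid 2240]
network,connect,198.51.100.7:443
"""

# Run-specific values that would otherwise make every record of B look "new".
_VOLATILE = [
    (re.compile(r"\s*\[pid \d+\]"), ""),                        # pids differ per run
    (re.compile(r"\\[^\\]+\.pdf$", re.I), r"\\<document>.pdf"),  # the document itself differs
]

def normalise(target):
    for pattern, repl in _VOLATILE:
        target = pattern.sub(repl, target)
    return target

def load_baseline(report_csv):
    """Parse one report into a set of normalised (category, api, target) records."""
    reader = csv.DictReader(io.StringIO(report_csv))
    return {(r["category"], r["api"], normalise(r["target"])) for r in reader}

def subtract(baseline_b, baseline_a):
    """Baseline B minus baseline A: the records only the suspicious run produced."""
    return sorted(baseline_b - baseline_a)

if __name__ == "__main__":
    for rec in subtract(load_baseline(MALICIOUS_RUN), load_baseline(CLEAN_BASELINE)):
        print(rec)
```

Everything Reader does on its own (loading its own binary, touching its registry hive, opening the document) cancels out; what remains is the dropped binary, the Run-key persistence and the outbound connection.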
Image restoring
Joebox uses the imaging solution FOG to restore the system state after a malware sample has been analysed. FOG uses PXE to boot a Linux kernel, which then restores the complete disk to a previously stored state. Although restoring the complete disk takes time, this concept has the advantage that it is nearly impossible for malware to survive the restore. Software restore solutions like DeepFreeze or RollbackRx can be bypassed either by accessing the disk controller more directly, which a malware called MachineDog has already proved, or by disabling the solution. Through FOG it is further possible for Joebox to analyse malware on different operating systems.
Conclusion
Joebox is an essential tool to automatically analyse the behaviour of malware on Windows Vista and Windows XP. The modular architecture, the configurability and the whole concept are designed to build a large, efficient and customisable runtime analysis system. With the basic CSV report files there are many possibilities to use the output in secondary applications. With AutoIt scripts you can simulate user interactions, modify the environment and control Joebox completely. This helps you to avoid logic bombs or to prevent detection of the analysis system. By using baselines you can skip non-malicious behaviour and focus on the interesting malware behaviour. Joebox is written in C++, Super C, C# and Java and can be easily extended.
Existing Sandbox Applications
- CWSandbox
- Norman Sandbox
- iDefense Sysanalyzer
- Anubis
- Threat Expert
- Malwarepunk
- BitBlaze
- EUREKA!
- Buster Sandbox Analyzer
Malware Collection Applications
Virtual or emulated Machine Bugs
- Remote Heap Overflow
- VMware Backdoor I/O Port
- An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments