Joebox

Analyse your Malware on Windows simply and quickly

This was the first official Joebox concept.

See concept version 4.0
See concept version 3.0
See concept version 2.0

Introduction

A sandbox application is a system that detects and logs the behaviour of malware. Ideally the sandbox is completely invisible to the malware. The log files can be used, for example, to learn how the malware works, to determine which software exploits it uses, or to build removal tools.

One of the main problems of currently known sandbox applications is that they are usually run inside a virtual machine. There are many ways to detect a virtual machine, such as executing special or invalid opcodes that behave differently under emulation, or looking for virtual hardware devices. Consequently, malware authors use these techniques to foil researchers and to slow down the detection and analysis of new malware.

Another problem is that the code of emulation software will never be free of bugs. There is therefore a risk that malware could break out of the emulator, compromise the real system, and modify or terminate the sandbox application.

So why not use a real system instead of emulation software? Automatic behaviour analysis is easier to operate on a virtual machine, mainly because of the easy automatic restore. This problem, however, can be solved with a special hardware design.

With the introduction of the Windows Vista operating system, this system attracts more interest from attackers. It is therefore important to analyse malware not only on Windows XP but also on Windows Vista.

Design

Joebox uses a real computer system to analyse malware. The software consists of four main applications. Joeboxinjector is responsible for starting the target malware process and injecting the analysing code into it; it also communicates with Joeboxsniffer. Joeboxhooker is a dynamic link library that detour-hooks and logs a defined set of API functions. Joeboxsniffer implements a network traffic sniffer based on the WinPcap interface. Joeboxrestore's job is to rebuild the complete operating system after an analysis. These parts are distributed over the hardware as follows:
The sandbox machine contains two hard disks, each with a Windows Vista system installed, and an optical drive. The controller machine instructs the Joeboxinjector application to execute a malware binary and inject Joeboxhooker into the started process. The controller machine is also able to log the whole traffic between the internet and the sandbox network.

Hooking and Logging

Joeboxhooker uses a standard detour hooking technique. The first five or more bytes of an API function are overwritten with a jump to the logging code; if the overwritten instructions take more than five bytes, the remainder is padded with NOPs. A trampoline function executes the overwritten bytes and then jumps back into the original function. Joebox hooks only security-relevant and otherwise interesting API functions; a complete list can be found on the samples page. To make it easy to add more API functions, Joeboxhooker loads a second DLL.
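The detour described above, as an added illustration that is not Joeboxhooker's own code: it computes the patch bytes written over a 32-bit x86 function prologue and the trampoline that replays the stolen bytes before jumping back. The addresses, the sample prologues and the tiny instruction-length table are constructed for this example; a real detour library uses a full-length decoder and relocates relative instructions, which this version simply refuses to hook. The first sample is the 5-byte hot-patch prologue (mov edi,edi; push ebp; mov ebp,esp) found on many Windows API functions, the second shows the NOP padding when the instruction boundary falls at 6 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define JMP_REL32_LEN 5   /* E9 rel32 */

/* Constructed sample inputs for this example (hypothetical addresses, not real Joebox data). */
#define TARGET_VA 0x76A01000u   /* address of the API function being hooked */
#define HOOK_VA   0x10001000u   /* address of the logging routine inside the injected DLL */
#define TRAMP_VA  0x00350000u   /* executable buffer that will hold the trampoline */

/* mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi  (hot-patch prologue) */
static const uint8_t prologue_hotpatch[] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x53,0x56};
/* push ebp; mov ebp,esp; sub esp,0x10; push esi; push edi  (instruction boundary at 6 bytes) */
static const uint8_t prologue_plain[]    = {0x55,0x8B,0xEC,0x83,0xEC,0x10,0x56,0x57};
/* call rel32 at the very start: would need relocation, so the example refuses it */
static const uint8_t prologue_call[]     = {0xE8,0x00,0x00,0x00,0x00,0x55,0x8B,0xEC};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Minimal length decoder for instructions typical of a 32-bit prologue. Returns 0 for
 * anything it does not know, or for relative/memory forms that would need relocation,
 * so the caller refuses to hook instead of splitting an instruction in half. */
static size_t insn_len(const uint8_t *p, size_t avail)
{
    if (avail == 0) return 0;
    uint8_t op = p[0];
    if (op == 0x90 || op == 0xCC) return 1;                     /* nop, int3 */
    if (op >= 0x50 && op <= 0x5F) return 1;                     /* push/pop r32 */
    if (op == 0x6A) return avail >= 2 ? 2 : 0;                  /* push imm8 */
    if (op == 0x68) return avail >= 5 ? 5 : 0;                  /* push imm32 */
    if (op >= 0xB8 && op <= 0xBF) return avail >= 5 ? 5 : 0;    /* mov r32, imm32 */
    if (op == 0x8B || op == 0x89 || op == 0x33 || op == 0x3B)   /* mov/xor/cmp, reg-reg only */
        return (avail >= 2 && (p[1] >> 6) == 3) ? 2 : 0;
    if (op == 0x83)                                             /* add/sub/cmp r32, imm8 */
        return (avail >= 3 && (p[1] >> 6) == 3) ? 3 : 0;
    return 0;
}

/* Number of bytes to steal: whole instructions until at least 5 bytes are covered. */
static size_t stolen_len(const uint8_t *code, size_t avail)
{
    size_t n = 0;
    while (n < JMP_REL32_LEN) {
        size_t l = insn_len(code + n, avail - n);
        if (l == 0) return 0;
        n += l;
    }
    return n;
}

typedef struct {
    uint8_t patch[16]; size_t patch_len;   /* bytes written over the target prologue */
    uint8_t tramp[21]; size_t tramp_len;   /* stolen bytes + jmp back to target+stolen */
} detour_t;

static int build_detour(uint32_t target_va, const uint8_t *code, size_t avail,
                        uint32_t hook_va, uint32_t tramp_va, detour_t *out)
{
    size_t stolen = stolen_len(code, avail);
    if (stolen == 0 || stolen > sizeof out->patch) return -1;

    /* Patch: jmp hook, then NOPs up to the next instruction boundary. rel32 is relative
     * to the end of the jmp instruction, i.e. target_va + 5. */
    out->patch[0] = 0xE9;
    write_le32(out->patch + 1, hook_va - (target_va + JMP_REL32_LEN));
    memset(out->patch + JMP_REL32_LEN, 0x90, stolen - JMP_REL32_LEN);
    out->patch_len = stolen;

    /* Trampoline: the original (position-independent) bytes, then jmp target_va + stolen. */
    memcpy(out->tramp, code, stolen);
    out->tramp[stolen] = 0xE9;
    write_le32(out->tramp + stolen + 1,
               (target_va + (uint32_t)stolen) - (tramp_va + (uint32_t)stolen + JMP_REL32_LEN));
    out->tramp_len = stolen + JMP_REL32_LEN;
    return 0;
}

/* Resolve where an E9 rel32 located at insn_va jumps to (used to verify the arithmetic). */
static uint32_t jmp_rel32_target(uint32_t insn_va, const uint8_t *insn)
{
    return insn_va + JMP_REL32_LEN + read_le32(insn + 1);
}

int main(void)
{
    detour_t d;
    if (build_detour(TARGET_VA, prologue_hotpatch, sizeof prologue_hotpatch, HOOK_VA, TRAMP_VA, &d) != 0)
        return 1;
    printf("patch (%zu bytes):", d.patch_len);
    for (size_t i = 0; i < d.patch_len; i++) printf(" %02X", d.patch[i]);
    printf("\ntrampoline (%zu bytes):", d.tramp_len);
    for (size_t i = 0; i < d.tramp_len; i++) printf(" %02X", d.tramp[i]);
    printf("\n");
    return 0;
}
```

The patch cannot be written until the code page is made writable (VirtualProtect on Windows) and the trampoline buffer must be executable; both are left out here because they are platform calls, not part of the byte arithmetic.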
If the malware process calls a hooked API function, Joeboxhooker logs the function name and all of its arguments, formatted as XML. Joeboxhooker does not condense this log into an analysis report of only the relevant information. At the same time Joeboxsniffer captures and logs the network traffic. The API log and the network traffic together are the result of a successful malware analysis.
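One detail the paragraph above leaves implicit is that every logged argument is attacker-controlled: a file name containing `<` or `"` can break the XML log or inject a fake `<call>` element into it. The following added example, not Joebox's own logging code, shows how one hooked call would be serialised with escaping of the markup characters and of control bytes (which XML 1.0 does not permit even as character references, so they are rendered as a visible `\xNN` text escape). The element and attribute names and the sample arguments are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Append src to dst (capacity cap, current length *len). Returns -1 instead of truncating,
 * because a truncated log line is exactly the kind of record malware would like to leave. */
static int buf_append(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);
    if (*len + n + 1 > cap) return -1;
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/* Append s with XML escaping. Control bytes are not legal XML 1.0 characters, so they are
 * written as a visible \xNN escape rather than dropped or passed through. */
static int xml_escape_append(char *dst, size_t cap, size_t *len, const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char tmp[8];
        const char *rep;
        switch (c) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        default:
            if (c < 0x20 || c == 0x7F) {
                snprintf(tmp, sizeof tmp, "\\x%02X", c);
            } else {
                tmp[0] = (char)c; tmp[1] = '\0';
            }
            rep = tmp;
        }
        if (buf_append(dst, cap, len, rep) != 0) return -1;
    }
    return 0;
}

typedef struct { const char *name; const char *value; } api_arg_t;

/* Serialise one hooked call as <call api="..."><arg name="...">value</arg>...</call>.
 * The element layout is constructed for this example. Returns 0, or -1 if out is too small. */
static int format_api_call(const char *api, const api_arg_t *args, size_t nargs,
                           char *out, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    if (buf_append(out, cap, &len, "<call api=\"") ||
        xml_escape_append(out, cap, &len, api) ||
        buf_append(out, cap, &len, "\">")) return -1;
    for (size_t i = 0; i < nargs; i++) {
        if (buf_append(out, cap, &len, "<arg name=\"") ||
            xml_escape_append(out, cap, &len, args[i].name) ||
            buf_append(out, cap, &len, "\">") ||
            xml_escape_append(out, cap, &len, args[i].value) ||
            buf_append(out, cap, &len, "</arg>")) return -1;
    }
    return buf_append(out, cap, &len, "</call>");
}

int main(void)
{
    /* Constructed sample: a CreateFileA call whose path tries to inject markup. */
    const api_arg_t args[] = {
        { "lpFileName",      "C:\\Windows\\evil.exe\"><cmd/>" },
        { "dwDesiredAccess", "0x40000000" },
    };
    char line[256];
    if (format_api_call("CreateFileA", args, 2, line, sizeof line) != 0) return 1;
    puts(line);
    return 0;
}
```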

Restoring

After a malware sample has been analysed the system has to be restored. There are many hardware solutions that restore a system after a reboot, often called HD protectors or HD guarders, but they all need extra drivers which are currently not signed by Microsoft. So Joebox uses its own system restore concept. As explained, the sandbox system has two hard disks with identical operating systems installed. To restore the original operating system, Joebox boots from one system into the other and overwrites the complete first system from a DVD-ROM or a network device. Afterwards the next malware binary is executed and analysed.

Conclusion

Joebox is an essential tool for automatically analysing the behaviour of malware on Windows Vista operating systems. The modular design and the whole concept are created to build a large, secure application. With the XML-based log files there are many possibilities to use the output in other applications. Joebox is completely written in C++ and can easily be extended.