Joebox
Analyse your Malware on Windows simply and quickly
This concept is the second revision, which is more customer-oriented than the previous versions.
Furthermore it solves some problems which occurred during the implementation of the first concept.
See concept version 6.0
See concept version 5.0
See concept version 4.0
See concept version 3.0
See concept version 1.0
Introduction
A sandbox application is a system that records the behaviour of malware in the form of a detailed report file. The application uses many obfuscation techniques to remain completely invisible to the malware. The report files can be used mainly in four different areas; please have a look at the vision section for a detailed view of these.
One of the main problems of currently known sandbox applications is that they usually run inside a virtual or emulated machine. There are many detection mechanisms, such as the use of special invalid opcodes or the detection of virtual hardware devices. Consequently, hackers use these techniques successfully to foil researchers and to slow down the detection and analysis of new malware.
Another problem is that the code of emulation software will never be bug-free. Therefore there is a high risk that malware could compromise the real system and tamper with the sandbox application, modifying or terminating it.
So why not use a real system instead of virtual emulation software? Automatic behaviour analysis is easier to operate on a virtual machine, mainly because such a machine can be restored automatically with little effort. Furthermore, control over execution is tighter in emulated environments than on a real system. For both strengths an alternative solution exists: firstly, additional hardware components to create a quickly restorable system, and secondly, a high-quality software product that can interact with malware at the same system level. With the introduction of the Windows Vista operating system, this system will attract more interest from hackers. Therefore it is important to analyse malware behaviour not only on Windows XP but also on Windows Vista.
Design
The Joebox application uses two real computer systems to analyse malware with a high degree of completeness. The software consists of three main applications; a detailed view of all software modules can be found here.
Joeboxguard is mainly responsible for injecting the spying code into the target malware process; it also communicates with Joeboxsniffer and restores the system. Joeboxspy intercepts defined API functions and sends the captured data to Joeboxguard. Joeboxsniffer implements a network traffic sniffer based on the WinPcap interface as well as a binary file analyser. These parts are distributed over the hardware as shown below:
The sandbox machine has two network interfaces: one to communicate with Joeboxsniffer and another for WAN access. The controller and sniffer machine directs Joeboxguard to fetch and execute malware binaries. During execution Joeboxsniffer captures the complete network traffic and interrupts Joeboxguard when the analysis time is over.
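To make the division of labour between the two machines concrete, here is a small simulation of the control exchange described above. It is an added example, not Joebox code: the message names (FETCH, EXECUTE, STOP), the reply strings and the guard's state machine are all hypothetical. The point it illustrates is that the guard only accepts commands in a sensible order, and that the analysis deadline is enforced by the controller machine, not by code running beside the sample.

```cpp
// Added example (not Joebox code). Simulated control protocol between the
// controller/sniffer machine and the guard on the sandbox machine.
// Message names, replies and states are hypothetical.
#include <cstdio>
#include <functional>
#include <string>
#include <vector>

enum class GuardState { Idle, Fetched, Running, Stopped };

// Guard side (sandbox machine): validates the controller's commands so an
// out-of-order or malformed message cannot start an execution without a
// fetched sample.
struct Guard {
    GuardState state = GuardState::Idle;
    std::string sample;                 // identifier of the fetched sample
    std::vector<std::string> audit;     // what the guard did, for the report

    // Returns the reply the guard sends back to the controller.
    std::string handle(const std::string& msg) {
        // STOP is honoured in every state: the controller, not the sandbox
        // machine, decides when the analysis window is over.
        if (msg == "STOP") {
            state = GuardState::Stopped;
            audit.push_back("stopped");
            return "ACK STOP";
        }
        if (msg.rfind("FETCH ", 0) == 0) {
            if (state != GuardState::Idle) return "ERR state";
            sample = msg.substr(6);
            if (sample.empty()) return "ERR no sample";
            state = GuardState::Fetched;
            audit.push_back("fetched " + sample);
            return "ACK FETCH";
        }
        if (msg == "EXECUTE") {
            if (state != GuardState::Fetched) return "ERR state";
            state = GuardState::Running;
            audit.push_back("executing " + sample);
            return "ACK EXECUTE";
        }
        return "ERR unknown";
    }
};

// Controller side (controller/sniffer machine): drives one analysis run and
// enforces the time limit itself. 'elapsed' returns seconds since the run
// started; a fake clock can be injected for testing.
std::vector<std::string> run_controller(Guard& g, const std::string& sample,
                                        double time_limit,
                                        std::function<double()> elapsed) {
    std::vector<std::string> replies;
    replies.push_back(g.handle("FETCH " + sample));
    if (replies.back() != "ACK FETCH") return replies;   // nothing to execute
    replies.push_back(g.handle("EXECUTE"));
    // The sniffer captures traffic during this window; the guard is
    // interrupted when the time is over regardless of what the sample does.
    while (elapsed() < time_limit) { }
    replies.push_back(g.handle("STOP"));
    return replies;
}

int main() {
    Guard g;
    double t = 0;   // constructed clock: each query advances one second
    for (const auto& r : run_controller(g, "sample.exe", 3.0, [&] { return t += 1.0; }))
        std::puts(r.c_str());
    return 0;
}
```

The fake clock keeps the example deterministic; in a real deployment `elapsed` would read the controller's wall clock, and the STOP message would also trigger the hardware restore described under Restoring.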
Hooking and Logging
Joeboxspy uses a special obfuscated detour hooking technique and hooks only security-relevant API functions. A complete list can be found on the samples page. To easily add more API functions, Joeboxguard is able to load additional DLLs through an adapter.
If the malware process calls a hooked API function, Joeboxhooker logs all function arguments together with the function name and return value and formats them as XML. These reports are the basic files for further implementations. Joeboxspy is able to detect any injection or process-starting technique and automatically injects itself into these modified files.
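The following added example (not Joebox code) shows the hook-and-log idea in working C++. Instead of Joebox's inline detours, which patch the function body in memory, it swaps an import-table-style function pointer for a logging wrapper; the wrapper forwards to the original, then records the function name, arguments and return value as an XML `<call>` element. The API name, the argument layout and the report element names are hypothetical. One detail worth noting: the argument strings are under the malware's control, so they are escaped before they reach the report, otherwise a path containing `<` or `&` would corrupt the XML that later tools depend on.

```cpp
// Added example (not Joebox code). Pointer-swap (IAT-style) hook that logs
// API calls to XML. The API, argument names and XML layout are hypothetical.
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for a security-relevant API (hypothetical).
typedef int (*CreateFileFn)(const char* path, int access);

// Simulated original implementation: returns a fake handle.
static int real_create_file(const char* path, int access) {
    (void)path;
    return (access & 2) ? 7 : 3;
}

// Import-table stand-in: the monitored code reaches the API through this
// pointer, so swapping the pointer redirects every call.
static CreateFileFn g_create_file = real_create_file;

// Escape text before it goes into the XML report. The malware controls the
// argument strings, so '<', '&' and quotes must not pass through unescaped.
std::string xml_escape(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default: {
                unsigned char u = static_cast<unsigned char>(c);
                // Control characters are not legal in XML 1.0: hex-encode them
                if (u < 0x20 && c != '\n' && c != '\t' && c != '\r') {
                    char buf[8];
                    std::snprintf(buf, sizeof buf, "\\x%02x", u);
                    out += buf;
                } else {
                    out += c;
                }
            }
        }
    }
    return out;
}

struct CallRecord {
    std::string api;
    std::vector<std::pair<std::string, std::string>> args;   // name, value
    std::string retval;
};

static std::vector<CallRecord> g_log;

std::string record_to_xml(const CallRecord& r) {
    std::string x = "<call api=\"" + xml_escape(r.api) + "\">";
    for (const auto& a : r.args)
        x += "<arg name=\"" + xml_escape(a.first) + "\">" + xml_escape(a.second) + "</arg>";
    x += "<ret>" + xml_escape(r.retval) + "</ret></call>";
    return x;
}

// The hook: same signature as the original. Forward the call, then log
// name, arguments and return value.
static int hooked_create_file(const char* path, int access) {
    int rv = real_create_file(path, access);
    CallRecord r;
    r.api = "CreateFile";
    r.args = {{"path", path ? path : "(null)"}, {"access", std::to_string(access)}};
    r.retval = std::to_string(rv);
    g_log.push_back(r);
    return rv;
}

void install_hooks() { g_create_file = hooked_create_file; }
void remove_hooks()  { g_create_file = real_create_file; }

// Constructed stand-in for the monitored program; the second path carries
// characters that would break the report if left unescaped.
int monitored_program() {
    int h1 = g_create_file("C:\\temp\\drop.exe", 2);
    int h2 = g_create_file("<evil>&\"x\"", 0);
    return h1 + h2;
}

// Runs the sample under the hooks and returns the XML report.
std::string run_analysis() {
    g_log.clear();
    install_hooks();
    monitored_program();
    remove_hooks();
    std::string report = "<report>";
    for (const auto& r : g_log) report += record_to_xml(r);
    report += "</report>";
    return report;
}

size_t logged_calls() { return g_log.size(); }

int main() {
    std::puts(run_analysis().c_str());
    return 0;
}
```

A real detour hook has the same three duties (forward, capture, return) but must also save the overwritten prologue bytes and be careful not to deadlock when the logging code itself calls a hooked function; the pointer swap above sidesteps both so the logging and escaping logic can be seen on its own.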
Restoring
After a malware sample is analysed the system has to be restored. There are many hardware solutions that restore a system after a reboot, often called HD protectors or HD guarders. To achieve a fast restore process Joebox uses one of these solutions.
Conclusion
Joebox is an essential tool for automatically analysing the behaviour of malware on Windows Vista and Windows XP operating systems. The modular design and overall concept are created to build a large, secure application. With the XML-based report files there are many possibilities for using the output in other new applications. Joebox is written in C++ and Java and can be easily extended.
Existing Sandbox Applications
Malware Collection Applications
Virtual or emulated Machine Detection Methods
- Detect if your program is running inside a Virtual Machine
- How to detect Virtual PC or VMWare from your program
- Attacks on Virtual Machine Emulators
- Detecting hardware assisted hypervisors