Joebox

Analyse your Malware on Windows simply and quickly

This concept is the fourth revision. It ensures that several known bypass techniques no longer work and that the malware and the analysis engine do not run at the same system level (ring).

See concept version 6.0
See concept version 5.0
See concept version 3.0
See concept version 2.0
See concept version 1.0

Introduction

A sandbox application is a complex automated system that records the behaviour of malware in the form of a complex or abstract report file. The report files can be used mainly in four different areas; please have a look at the vision section for a detailed view of these.

One of the main problems of currently known sandbox applications is that they are usually run inside a virtual or emulated machine. Many detection mechanisms exist, such as the use of special invalid opcodes or the detection of virtual hardware devices. As a consequence, hackers use these techniques successfully to foil researchers and to slow down the detection and analysis of new malware.

Another problem is that the code of emulation software will never be bug-free. There is therefore a high risk that malware could compromise the real system and influence the sandbox application negatively, manipulating or terminating it.

The last big problem that existing sandbox solutions suffer from is the incompleteness of analysis reports. These applications use well-known analysis techniques which can easily be bypassed or used to obfuscate the report massively. If the reports are not complete you cannot use the information as real evidence for the behaviour of the analysed malware, and the whole sandbox application becomes useless.

So why not use a real system instead of virtual emulation software? Automatic behaviour analysis is easier to operate on a virtual machine, mainly because of the easy automatic restore facility. Furthermore, control over execution is tighter in emulated environments than on a real system. For both strengths an alternative solution exists: firstly, the use of additional hardware components to create a quickly restorable system, and secondly, a high-quality software product which is able to interact with malware at different system levels.

With the introduction of the Windows Vista operating system, this system will attract more interest from hackers. It is therefore important to analyse malware's behaviour not only on Windows XP but also on Windows Vista.

Design

The Joebox application uses two real computer systems to analyse malware with a high degree of completeness. The software part is composed of five main applications.

Joeboxservlet forms the entry point of the analysis system and communicates with the analysis machine through Joeboxserver. Joeboxserver coordinates Joeboxcontrol, which handles Joeboxdriver, the main analysis kernel. Joeboxabstract is responsible for converting and abstracting analysis reports. To analyse more than one binary at once, Joeboxservlet is able to communicate with multiple analysis machines.

The controller machine contains two network interfaces: one to communicate with the analysis machines and another for WAN access. To ensure system stability, each analysis machine contains a PCI watchdog card, which resets the machine if the system hangs or has crashed.

Analysis Techniques

Joeboxdriver currently uses dynamically configurable SSDT and EAT hooking to gain access to system call information. It is necessary to use a driver instead of a user-space solution because it is very easy to prevent analysis if the hooking environment and the malware act at the same system level. Joe Security is also working on a thin hypervisor which uses Intel's hardware virtualisation technology, VT-x.
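As an added illustration, not Joebox code: a user-space model in C of the dynamically configurable hook table the driver maintains. The service numbers, the three stand-in services and the trace record format are constructed for this example; in Joebox the table and the hooks live in the kernel driver, where user-mode malware cannot rewrite them.

```c
/* Model of a system service descriptor table: an array of function
 * pointers indexed by service number. Real SSDT entries point into the
 * kernel; here the services are stand-in C functions (constructed). */
typedef long (*service_fn)(long a, long b);
#define N_SERVICES 3
static long svc_create_file(long a, long b) { return a + b; }
static long svc_write_file(long a, long b)  { return a * b; }
static long svc_create_key(long a, long b)  { return a - b; }

static service_fn ssdt[N_SERVICES];     /* live table used by the dispatcher */
static service_fn original[N_SERVICES]; /* saved entries: forwarded to, restored on unhook */

/* One trace record per hooked call: the raw material of an analysis report. */
struct trace_entry { int service; long a, b, ret; };
#define TRACE_MAX 64
static struct trace_entry trace[TRACE_MAX];
static int trace_len;

/* A hook has the same signature as the service it replaces, records the
 * call, and forwards to the saved original so system behaviour is unchanged. */
#define DEFINE_HOOK(i) \
    static long hook_##i(long a, long b) { \
        long ret = original[i](a, b); \
        if (trace_len < TRACE_MAX) { \
            struct trace_entry *e = &trace[trace_len++]; \
            e->service = i; e->a = a; e->b = b; e->ret = ret; \
        } \
        return ret; \
    }
DEFINE_HOOK(0) DEFINE_HOOK(1) DEFINE_HOOK(2)
static service_fn hooks[N_SERVICES] = { hook_0, hook_1, hook_2 };

/* Fill the table with the originals and keep a copy for forwarding/unhooking. */
void ssdt_init(void) {
    service_fn svcs[N_SERVICES] = { svc_create_file, svc_write_file, svc_create_key };
    for (int i = 0; i < N_SERVICES; i++) ssdt[i] = original[i] = svcs[i];
    trace_len = 0;
}
/* Runtime configuration: swap one entry between its hook and its original. */
int ssdt_set_hook(int service, int enable) {
    if (service < 0 || service >= N_SERVICES) return -1;
    ssdt[service] = enable ? hooks[service] : original[service];
    return 0;
}
/* The dispatcher: what the system call trap does after the index lookup. */
long ssdt_dispatch(int service, long a, long b) {
    if (service < 0 || service >= N_SERVICES) return -1;
    return ssdt[service](a, b);
}
int ssdt_trace_len(void) { return trace_len; }
int ssdt_trace_service(int n) { return trace[n].service; }
```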

Restoring

After a malware sample is analysed the system has to be restored. There are a lot of hardware solutions to restore a system after a reboot, often called HD protectors or HD guarders. To achieve a fast restore process Joebox uses one of these solutions.

Conclusion

Joebox is an essential tool to analyse automatically the behaviour of malware on the Windows Vista and Windows XP operating systems. The modular design, the configurability and the whole concept are created to build a large, secure application. With the XML-based report files there are many possibilities to use the output in other applications. Joebox is written in C++, Super C, C# and Java and can be easily extended.