Joebox
Analyse your Malware on Windows simply and quickly
This concept is the fifth and most advanced revision. It adds techniques to defuse logic bombs and to prevent detection of the analysis system through the integration of the AutoIt script engine.
See concept version 6.0
See concept version 4.0
See concept version 3.0
See concept version 2.0
See concept version 1.0
Introduction
A sandbox application is a complex automatic system that records the runtime behaviour of malware in the form of a summary report. The reports can be used mainly in four different areas; please have a look at the vision section for a detailed view of these.
One of the main problems of currently known sandbox applications is the fact that they are often run within a virtual or emulated machine. There are many detection mechanisms, such as the use of special invalid opcodes or the detection of virtual hardware devices. In consequence, hackers use these techniques successfully to avoid analysis by an automated sandbox.
Another problem is that the code of emulation software will never be bug-free. There is a high risk that malware could compromise the real system and influence the sandbox application negatively in order to manipulate or terminate it.
So why not use a real system instead of virtual emulation software? Automatic behaviour analysis is easier to operate on a virtual machine, mainly because of the easy automatic restore opportunity. Outside an emulator, however, you have full control over the complete system (RAM, CPU, disk). If you want to know how Joebox implements alternative solutions, please have a look at the design section.
The next big problem that currently existing sandbox solutions suffer from is the incompleteness of analysis reports. These applications use well-known analysis techniques which can be easily bypassed or can be used to obfuscate the report massively. If the reports are not complete, you cannot use the information as real evidence of the behaviour of the analysed malware, and the whole sandbox application becomes useless.
Another big challenge for an analysis system is malware that uses techniques to avoid automated analysis. Hackers often insert a piece of code into malware binaries that triggers a malicious function only when specified conditions are met. As an example, malware may only contact its command and control server on a certain date. Malware installers that need some user interaction are another good example.
Behaviour data can be really extensive. Therefore the sandbox should be able to reduce the amount of data to a minimum that covers only the interesting behaviour.
With the introduction of the Windows Vista operating system, this system will attract more interest from hackers. Therefore it is important to analyse malware's behaviour not only on Windows XP but also on Windows Vista.
Design
The Joebox application uses two real computer systems to analyse malware with a high degree of completeness. The software part is composed of seven main applications.
Joeboxclient forms the entry point of the analysis system and communicates through Joeboxserver with the analysis machine. Joeboxserver coordinates Joeboxcontrol, which handles Joeboxdriver, the main analysis engine. Joeboxhide protects Joeboxserver and Joeboxcontrol. Joeboxabstract is responsible for converting and abstracting analysis reports. To analyse more than one binary at once, Joeboxclient is able to communicate with multiple analysis machines. Joeboxscriptbuilder handles submitted AutoIt scripts. Tshark is used for sniffing the network traffic.
Scripting
In addition to a malware binary, an AutoIt script can be uploaded to Joebox. Through AutoIt you are able to simulate user interaction, change the environment or control Joebox completely. You can start or stop the sniffer or the behaviour analysis engine. Furthermore, you can define and compare behaviour baselines, which is a very good technique to eliminate uninteresting behaviour. You can modify the analysis status to analyse existing processes or drivers. You may also want to reboot the system or restore it to a predefined state. A list of all commands to control Joebox can be found here. Some advice on how to use these commands can be found here.
Analysis Techniques
Joeboxdriver currently uses dynamically configurable SSDT and EAT hooking to gain access to system call information. It is necessary to use a driver instead of a user-space solution because it is very easy to prevent analysis if the hooking environment and the malware act on the same privilege level. Joe Security is also working on a thin hypervisor which uses Intel's hardware virtualisation technology, VT-x.
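The two mechanisms described in the Scripting and Analysis Techniques sections, a configurable hook table that records system calls and a behaviour baseline that removes environment noise from the resulting report, are illustrated below in a user-mode Python model. This is an added example, not Joebox or Joeboxdriver code: the real driver patches the kernel SSDT, whereas here a dictionary of callables stands in for the service table, the three simulated services, the sample paths and registry keys, and the XML report layout are all constructed for the example and are not the Joebox report schema.

```python
"""Added example (not Joebox code): a user-mode model of two Joebox ideas.

1. A dynamically configurable hook table: a dict of callables stands in for
   the SSDT, a hook is a logging wrapper installed in place of the original
   entry, and hooks can be removed (restored) per entry at run time.
2. Behaviour baselines: a run without the sample gives a baseline report, and
   the analysis report is reduced to the events absent from that baseline.
Service names, paths, keys and the XML layout are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, Tuple[str, ...]]

# Simulated "kernel" state touched by the simulated services (constructed).
SYSTEM_STATE: Dict[str, list] = {"files": [], "registry": [], "processes": []}


def nt_create_file(path: str) -> int:
    SYSTEM_STATE["files"].append(path)
    return 0


def nt_set_value_key(key: str, value: str) -> int:
    SYSTEM_STATE["registry"].append(f"{key}={value}")
    return 0


def nt_create_process(image: str) -> int:
    SYSTEM_STATE["processes"].append(image)
    return len(SYSTEM_STATE["processes"])  # fake PID


def new_service_table() -> Dict[str, Callable[..., int]]:
    """Fresh table of original entries (the analogue of an unpatched SSDT)."""
    return {
        "NtCreateFile": nt_create_file,
        "NtSetValueKey": nt_set_value_key,
        "NtCreateProcess": nt_create_process,
    }


class HookEngine:
    """Installs and removes logging hooks in a service table, keeping originals."""

    def __init__(self, table: Dict[str, Callable[..., int]]) -> None:
        self.table = table
        self.originals: Dict[str, Callable[..., int]] = {}
        self.log: List[Event] = []

    def install(self, name: str) -> None:
        if name in self.originals:
            return  # already hooked
        original = self.table[name]
        self.originals[name] = original

        def hook(*args):
            # Record the call, then forward to the original so behaviour is unchanged.
            self.log.append((name, tuple(str(a) for a in args)))
            return original(*args)

        self.table[name] = hook

    def remove(self, name: str) -> None:
        """Restore the original pointer; the service still runs, just unlogged."""
        if name in self.originals:
            self.table[name] = self.originals.pop(name)

    def syscall(self, name: str, *args) -> int:
        """Dispatch exactly as a syscall stub would: through the table entry."""
        return self.table[name](*args)


def log_to_xml(log: List[Event]) -> str:
    root = ET.Element("report")
    for name, args in log:
        call = ET.SubElement(root, "call", name=name)
        for a in args:
            ET.SubElement(call, "arg").text = a
    return ET.tostring(root, encoding="unicode")


def events_from_xml(xml_text: str) -> List[Event]:
    root = ET.fromstring(xml_text)
    return [(c.get("name"), tuple(a.text or "" for a in c.findall("arg")))
            for c in root.findall("call")]


def reduce_against_baseline(report_xml: str, baseline_xml: str) -> List[Event]:
    """Keep only events of the analysis run that the idle baseline did not show."""
    baseline = set(events_from_xml(baseline_xml))
    return [e for e in events_from_xml(report_xml) if e not in baseline]


def run_baseline() -> str:
    """Environment noise only: what the idle system does (constructed)."""
    eng = HookEngine(new_service_table())
    for n in list(eng.table):
        eng.install(n)
    eng.syscall("NtCreateFile", r"C:\Windows\Temp\idle.log")
    eng.syscall("NtSetValueKey", r"HKLM\Software\Example\LastRun", "1")
    return log_to_xml(eng.log)


def run_sample() -> str:
    """Same noise plus the sample's own actions (constructed)."""
    eng = HookEngine(new_service_table())
    for n in list(eng.table):
        eng.install(n)
    eng.syscall("NtCreateFile", r"C:\Windows\Temp\idle.log")
    eng.syscall("NtSetValueKey", r"HKLM\Software\Example\LastRun", "1")
    eng.syscall("NtCreateFile", r"C:\Users\Public\dropped.exe")
    eng.remove("NtSetValueKey")  # dynamic reconfiguration: stop logging registry
    eng.syscall("NtSetValueKey", r"HKCU\Software\Example\Unlogged", "x")
    eng.syscall("NtCreateProcess", r"C:\Users\Public\dropped.exe")
    return log_to_xml(eng.log)


def interesting_events() -> List[Event]:
    return reduce_against_baseline(run_sample(), run_baseline())


if __name__ == "__main__":
    for event in interesting_events():
        print(event)
```

The baseline removes the two idle-system events, the registry write made after the hook was removed still changes the simulated state but never reaches the report, and only the dropped file and the process started from it survive as interesting behaviour.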
Cleanup
After a malware sample has been analysed, the system has to be restored. There are a lot of hardware solutions that restore a system after a reboot, often called HD protectors or HD guarders. To achieve a fast restore process, Joebox uses one of these solutions.
Conclusion
Joebox is an essential tool to analyse automatically the behaviour of malware on the Windows Vista and Windows XP operating systems. The modular design, the configurability and the whole concept are created to build a large, secure application. With the XML basic report files there are many possibilities to use the output for other applications. With AutoIt scripts you can simulate user interactions, modify the environment and control Joebox completely. This helps you to avoid logic bombs or to prevent the detection of the analysis system. Joebox is written in C++, Super C, C# and Java and can be simply extended.
Existing Sandbox Applications
Malware Collection Applications
Virtual or emulated Machine Bugs
- Remote Heap Overflow
- VMware Backdoor I/O Port
- An Empirical Study into the Security Exposure to Hosts of Hostile Virtualized Environments