Joebox

Analyse your Malware on Windows simply and quickly

14.04.08 Joebox Customizing

Joe Security has now been regularly analysing Windows binaries such as drivers, EXEs and DLLs for approximately 6 months. In total, 400 binaries have been analysed and 10 of them caused a bugcheck. There was no system downtime.
What is next for Joebox? Currently Stefan Buehlmann is customizing Joebox for a Swiss company. This includes an enlargement of the analysis spectrum (analysing thread hijacking, DLL injection, complete network traffic and monitoring some kernel structure changes). Furthermore he is developing a new component which lets you write AutoIt scripts to simulate user interactions. You can also completely control Joebox via AutoIt, so Joebox will be fully scriptable. With this powerful extension you are able to build a honeyclient just by writing a few lines of script code which browses websites at random. Below you will find such an example script:

Honeyclient Script
Joebox UDF Commands

Joe Security is also working on a new technique to extract malicious behaviour by using behaviour baselines. If you have a good baseline you can easily compare it against other behaviour and drop the garbage.

18.01.08 Joebox Documentation available

Joe Security has published the Joebox documentation. The documentation contains an introduction to malware analysis, some component descriptions and an outlook. The documentation is part of a project at the University of Applied Sciences Northwestern Switzerland (FHNW) which was started by Stefan Buehlmann in 2006.
Unfortunately the time necessary to translate the document into English was not available.

Joebox - An automatic malware behaviour analysis system

18.01.08 Joebox Service Online

Today Joe Security has released the Joebox Service. Joebox currently only analyses file system, registry and process behaviour. Joebox will be continuously extended to analyse more functions in order to capture more behaviour.

Please also note that Joebox is currently still betaware. If you get errors or would like to provide feedback, use either the forum or send an e-mail to info@joebox.org.

30.12.07 Ideas about a new Service

Hispasec Sistemas, the company behind VirusTotal, contacted Joe Security some months ago. VirusTotal is an online service which receives binaries and returns a list of which antivirus products have identified the binary as malware. As you may know, most antivirus solutions detect malicious code by static signatures, e.g. when the binary is dropped on the machine.
So why not develop a service which executes binaries on real systems with antivirus software installed, to get an overview of how well the behaviour detection works? Joe Security will contact Hispasec again to tell them about this nice new idea.

29.12.07 New Sandbox called FIW found

Today Joe Security found another sandbox solution called FIW. FIW is a high-level debugger, similar to Inspector from Greg Hoglund's company. Like Joebox, it uses a real system with modified kernel functions. FIW is not an automatic analysis system; instead it is a debugger which allows you, for example, to step through the malware execution, view memory layouts etc.
It is really interesting that FIW uses an approach of changing the system behaviour to force the malware to choose another execution path, in order to get more complete analysis reports.
Currently the code is not available, but Joe Security has asked the head developer of FIW for an evaluation copy.

28.12.07 Concept update

Today Joe Security has uploaded a new concept. There are no big changes, only some small ones which arose during implementation. Instead of a hardware restore component we have used the software product Deep Freeze. Furthermore the concept contains a short description of the new components Joeboxservlet, Joeboxserver, Joeboxcontrol, Joeboxdriver and Joeboxabstract.
As Joe Security mentioned some months ago, the service to upload binaries will be online on the 18th of January. Additionally the beta versions of Joeboxcontrol, Joeboxdriver and Joeboxabstract will be downloadable so that these analysis tools can be tested. Joe Security will also publish a paper, written in German, about the current sandbox system which explains in detail how it works.

05.12.07 Good progress

The project development has made very good progress. Please have a look at the following abstraction chain:

basic behaviour data
mapped behaviour data
converted behaviour data
abstracted behaviour data

The main part of Joebox, the analysis driver, is now working on multiprocessor systems. The mapping, converting and abstracting steps are dynamically definable. The control component, Joeboxcontrol, can load DLLs, SYSs and EXEs for analysis.
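As an added illustration (not Joebox code) of the abstraction chain above and of the behaviour-baseline idea mentioned in the 14.04.08 entry: raw intercepted calls are mapped to behaviour classes, their arguments converted to a run-independent form, abstracted into a set of facts, and everything also seen in clean runs is dropped. The log records, the API-to-behaviour table and the normalisation rules are all constructed assumptions.

```python
"""Toy abstraction chain: basic -> mapped -> converted -> abstracted behaviour
data, then a baseline comparison. Everything here is constructed and assumed;
it is not the real Joebox mapping."""
import re

# Constructed "basic behaviour data": raw intercepted calls as (pid, api, argument).
RAW_MALWARE = [
    (1200, "NtCreateFile", r"C:\Users\bob\AppData\Local\Temp\upd.exe"),
    (1200, "NtSetValueKey", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    (1200, "NtCreateFile", r"C:\Windows\Prefetch\UPD.EXE-1A2B.pf"),
    (1200, "NtOpenProcess", "explorer.exe"),
    (1200, "NtWriteVirtualMemory", "explorer.exe"),
]
# Constructed clean run: the OS writes a Prefetch file for every started program.
RAW_CLEAN = [
    (900, "NtCreateFile", r"C:\Windows\Prefetch\NOTEPAD.EXE-3C4D.pf"),
]

# Step 1, mapping: assumed table from native API name to a behaviour class.
API_MAP = {
    "NtCreateFile": "file_create",
    "NtSetValueKey": "registry_write",
    "NtOpenProcess": "process_open",
    "NtWriteVirtualMemory": "process_memory_write",
}

def convert_argument(arg):
    """Step 2, converting: normalise run-specific parts of an argument
    (user profile name, Prefetch file name) so runs become comparable."""
    arg = re.sub(r"^C:\\Users\\[^\\]+", r"C:\\Users\\<user>", arg)
    arg = re.sub(r"\\Prefetch\\[^\\]+\.pf$", r"\\Prefetch\\<exe>-<hash>.pf", arg)
    return arg

def abstract(raw):
    """Step 3, abstracting: collapse the call stream into an order-free set
    of (behaviour class, normalised target) facts; the pid is dropped."""
    return {(API_MAP.get(api, "other"), convert_argument(arg)) for _, api, arg in raw}

def minus_baseline(sample, clean_runs):
    """Baseline comparison: keep only facts absent from every clean run,
    so environment noise such as Prefetch writes is discarded."""
    baseline = set().union(*(abstract(run) for run in clean_runs))
    return abstract(sample) - baseline

if __name__ == "__main__":
    for fact in sorted(minus_baseline(RAW_MALWARE, [RAW_CLEAN])):
        print(fact)
```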

22.11.07 No cooperation with AV-Test

Unfortunately AV-Test will not support Joebox and the Bachelor Thesis of Stefan Bühlmann. The understandable reason is that AV-Test cannot provide the quality necessary to support a Bachelor Thesis. Luckily the CEO of AV-Test recommended the project to Avira. After some conversation with Avira it became clear that they also will not offer a Bachelor Thesis with Joebox content, because their lab has been developing a similar tool for three years which is more advanced than Joebox. Probably I can write my Bachelor Thesis about a part of their system.

11.08.07 Implementation start

After working out new concepts, Joe Security began on 17.09.07 to implement the main parts of concept 5.0. With concept 5.0 Joebox is able to log not only behaviour in user mode, but also the behaviour of driver components. Since the prototype development the project has grown fast, and so has the knowledge behind it.

The project ends on Friday, 18.01.08. Because the development time is really short, only a subset of all necessary requirements will be implemented. The application will, however, contain a web submission interface. The analysis files which are returned no longer contain function calls, but an abstracted form which can be easily interpreted.

09.08.07 Trip to Magdeburg

Two weeks ago Stefan Buehlmann was in Magdeburg, a nice city in the east of Germany. He visited the young company AV-Test to give a talk about the Joebox project. Furthermore he discussed with the CEOs of AV-Test a possible partnership, in which he would join the company to implement the core of Joebox as part of his Bachelor Thesis. During the presentation (only available in German) he received criticism and input to extend the concepts.

AV-Test is a small company which specialises in testing all kinds of antivirus and firewall products. The interesting test results can be used to compare different kinds of products.

22.08.07 New concept

After some exploits were published for Sunbelt and CWSandbox, which use user-mode API detour hooking, Joe Security worked out a completely new concept for Joebox.

The main changes affect Joeboxspy. This part of the application runs at the same system level as the malware, so a malware process has exactly the same possibility to subvert or bypass the sandbox's interception mechanism as the sandbox has to enforce it. Hence it is necessary to move Joeboxspy one system level higher: Joeboxspy has to become a system driver which has full control over user-level applications.

Joe Security has also thought about using a hardware virtualisation solution like Intel's VT-x or AMD's Pacifica. A hypervisor could easily control system execution and log behaviour, and is never touched by the malware. Because Joe Security does not have the necessary knowledge, it is looking for developers with know-how in using the described hardware techniques.

20.07.07 Stefan Buehlmann is searching for a Bachelor Thesis with a focus on IT security

Currently Joe Security is looking for partners for the Bachelor Thesis of Stefan Buehlmann at the University of Applied Sciences Northwestern Switzerland. Stefan Buehlmann has a high degree of knowledge in coding Win32 API and .NET programs. Furthermore he is able to write low-level system code such as ASM and C. During his Bachelor's studies in Computer Science he gained experience in many areas of software development.
If you are interested and have some interesting work, please feel free to contact Stefan Buehlmann at any time.

10.06.07 Sandboxing message board online.

During the weekend I set up a PHP forum to discuss some interesting aspects of the world of sandboxing. The message board is available under the following link, www.forum.joebox.org, and is also reachable through the navigation bar. Please register.

07.06.07 Concept revised and Vision section added.

I finished the second revision of Joebox's concept. Furthermore I added the section Vision to the navigation bar. The page contains the vision of Joebox and its concept. This includes possible secondary applications which use Joebox's report file as input.

27.05.07 New sandbox application labelled Threat Expert discovered.

Today I discovered another sandbox solution called Threat Expert. Threat Expert analyses binaries and presents a highly abstracted analysis file in HTML format. The report file includes screenshots where available and many different threat views. Furthermore Threat Expert is able to send files which are generated by malware back to the users. The novelty lies not in the system or the techniques it uses, but rather in its application: companies or ISPs can use Threat Expert to quickly generate patches if antivirus software is not able to detect some threats and users have sent the relevant files to the sandbox.

To get a first impression I sent the same test samples to Threat Expert as I used for my comparison article. Below you find the resulting report files (please open them with Internet Explorer):

Basic Keylogger
Dll Injection
Native Dll Load

I have not added a detailed evaluation because the report files themselves say enough about the quality and the level of abstraction of Threat Expert.

22.05.07 A CERT team based in the Netherlands has agreed to use Joebox and provide regular feedback.

Joe Security has got a request for the usage of Joebox from a Dutch Computer Emergency Response Team. The team will test and evaluate Joebox.

20.05.07 Official first release date is the end of August 07

Joe Security has set the end of August 07 as the release date for the first tested beta version of Joebox. After the release, companies can use and evaluate Joebox for free if they provide regular feedback. Joebox is not available to individuals, only to companies which test the product effectively. To ensure that companies do not use the product without providing customer feedback, Joe Security will provide a non-commercial feedback contract including a predefined feedback form.

19.04.07 Article comparing existing sandbox applications has been published.

Please have a look at my newly published article comparing sandbox applications. The comparison covers the technical aspects of function interception technology, analysis completeness, environment used and pointer handling.
Now I am focusing my activities on the implementation of Joeboxsniffer. Furthermore I have to fix some bugs in Joeboxhooker.

14.04.07 Complete webpage update

I have revised Joebox.org. The revision includes new samples, links and some corrections.

13.04.07 Joeboxhooker and Joeboxinjector have been finished

I finalized the Joeboxinjector and Joeboxhooker implementation in version 1.0.1.0. Now I have to complete the list of API functions (ntdll native calls) and continue my work on Joeboxsniffer.

05.03.07 Page goes online

The page design and the information texts are completed. More sample reports will be added in future. Please send me an e-mail if the page infringes any copyrights.

22.02.07 Hardware acquisition

Today I bought all necessary hardware. This includes the computer and network system.

19.02.07 Project start

Beginning of the development and implementation phase. The software solution has been divided into four main parts.

10.02.07 Concept creation

After some study of hooking techniques I decided to create a unique concept for a sandbox application, which is published in the concept section.