Joebox
Analyse your Malware on Windows simply and quickly
28.12.09 We are back with Joebox 1.5.0
Today we proudly release Joebox 1.5.0 after a server downtime of three months. Joebox 1.5.0 is the first online malware analysis system which analyses malicious behaviour on Vista SP2 and Windows 7. We added more information to the reports (System Activities, Time Activities, User Activities, Debug Activities and Exception Activities). Furthermore we extended Joebox to capture stack traces for each system call, and we implemented controllers for using VirtualBox and VMware together with Joebox. Our online system is currently based on VirtualBox. For all changes please have a look at the changelog. In the next weeks we are going to add real systems.
To capture the file modifications of rootkits we are currently working on a feature which we call disk hashing. Each file and stream of the file system is hashed before and after the malicious program is executed. During hashing the operating system isn't running, so malware can't hide its files! Afterwards the two hash maps are compared. The resulting report shows all file modifications as well as all newly created files.
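As an added illustration of the disk hashing idea (example code written for this page, not Joebox's own implementation): it snapshots a directory tree into a map from path to SHA-256 digest, takes a second snapshot after changes, and reports created, deleted and modified files. The helper names are assumptions, the sample tree is constructed inside the demo, and only regular files are hashed; NTFS alternate data streams, which the entry also mentions, are out of scope here. The point of the technique is that both snapshots are taken while the analysed OS is not running, so the walk below would be run from a separate boot environment in practice.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Helper names below are assumptions for this example, not Joebox's own.

def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path) -> Dict[str, str]:
    """Walk a tree and map every regular file (path relative to root) to its hash.
    Symlinks are skipped so a link cannot stand in for the file it points to."""
    hashes: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            hashes[full.relative_to(root).as_posix()] = hash_file(full)
    return hashes

def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the 'before' and 'after' hash maps and return sorted path lists."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"created": created, "deleted": deleted, "modified": modified}

def demo() -> Dict[str, List[str]]:
    """Constructed scenario: build a tiny tree, snapshot it, change it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "kernel.bin").write_bytes(b"original kernel")
        (root / "config.ini").write_bytes(b"[settings]\nlevel=1\n")
        (root / "readme.txt").write_bytes(b"hello")
        before = snapshot(root)
        # Simulated effects of running a sample: one file patched,
        # one driver dropped, one file removed, config.ini untouched.
        (root / "system32" / "kernel.bin").write_bytes(b"patched kernel")
        (root / "system32" / "dropper.sys").write_bytes(b"new driver")
        (root / "readme.txt").unlink()
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing whole contents rather than comparing timestamps or sizes matters here: a rootkit that patches a file in place and restores its metadata still changes the digest.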
We hope the new system does as good a job as the old one did in previous years. If you have ideas or suggestions please contact us.
13.09.09 New interesting features
During the last two weeks we have implemented some interesting new features. First we have added support for running Joebox on VMware and VirtualBox. The analysis speed is really amazing compared to the hardware imaging solution. Next we included a new command in the Joebox script language. Through _JBSetSystem("system name") you are able to set the system on which your analysis happens if several systems (either a VM or an image for FOG) like Windows Vista, XP or W7 are available. A good practical use case is the following: you want to analyse the behaviour of exploits and you need different versions of a buggy program for testing. You set up several VMs, each with a different program version installed. Then you write a smart Joebox script and define there on which systems (VMs) you would like to analyse the exploit under test.
Besides, a pluggable system for developing behaviour analysis plugins has been added. For instance, if you want to detect malicious behaviour, the interfaces make it really easy to develop a plugin which has direct, fast access to the behaviour data.
08.09.09 Server crash
Our main server crashed today at 22:30. After a quick analysis we found out that the mainboard's RAM controller no longer works. Because we are planning to upgrade and move the system to another location, we will not replace the current hardware with new hardware. We will notify you when the new system is up and running again.
12.06.09 Joebox 1.3.5 update
We are happy to release Joebox 1.3.5. The release includes some bugfixes and new features. For instance, a new section called 'chronological functions' was added to the report. Furthermore, users can get pcap and raw behaviour files. You find the changelog here. Next we are planning to sell licences of the main core tools of Joebox (behaviour logging and abstraction). And finally we have shut down our forum due to the low number of discussions.
10.05.09 Joe Security is searching for an organisation to collaborate on refining and distributing Joebox
Currently we are searching for a partner who would like to extend and market Joebox for Joe Security in Europe. Joebox is an extensive tool to trace the behaviour of malware. Please have a look at the main page to get a full list of features. Joebox helps to understand malware better and is therefore a very useful tool for CERTs, security software manufacturers and research organisations. If you are interested please send us an email.
20.03.09 CPUID and the big problem of detection
Last week we saw new attempts to detect Joebox by using the CPUID instruction to get identification data. We have seriously tried to randomize the data which CPUID returns, but it's really a difficult task. There is no way to change the CPUID value for Intel CPUs, but it is possible to intercept the execution of the CPUID instruction by using a hypervisor. Sadly our analysis server has an old P4 CPU which lacks the VT-x feature. Thus there is no way to intercept this specific instruction. Therefore the analysis server's CPU is detectable, and so is Joebox. Because we have not received any donations yet, we will not invest more time into anti-Joebox scripts. Therefore Joebox will be easily detectable in future by crypters/packers, and malware might not run or might show different behaviour.
Public sandboxes become useless if they are detectable. Furthermore it is really hard to keep track of the detectability of a public analysis environment, for instance by analysing detection approaches. Therefore only anonymous sandboxes work well in practice. So please don't be angry if you do not get any behaviour information about your malware, because it does not run on all available public malware analysis systems :).
08.03.09 Joebox 1.3.0 online
Joe Security has finished the update of Joebox to version 1.3.0. The highly improved malware analysis system is waiting for submissions. The changelog is located here. We have increased the number of hooked system calls from 15 to 166. Furthermore we changed the behaviour analysis format from XML to smart CSV. Next we implemented several anti-hooking techniques. Joe Security still needs some donations to provide you with a free malware analysis service in the future. We would be very happy to get some financial help for renewing the hardware of Joebox.
04.02.09 An interesting crypter
Joe Security regularly searches the web for new interesting packers and crypters. Last month we found a crypter called RDG TEJON Crypter. The tool has some neat features. Besides tricks to identify virtual machines, sandboxes and debuggers, it claims to be able to unhook APIs. During an analysis with Joebox we found out that it restores the SSDT (System Service Dispatch Table) from usermode without the need to load a driver. The unhooking works on SP1 by writing to \Device\PhysicalMemory, but Microsoft decided to disable that access in SP2 even if you are administrator. So the crypter has to use another technique. By digging into the raw behaviour analysis data of Joebox we found out that it calls the system call NtSystemDebugControl twice, with debug control codes 8 and 9. By searching for these numbers on Google we got the corresponding enums SysDbgReadVirtual and SysDbgWriteVirtual. In fact it is possible to write to kernelmode memory by using NtSystemDebugControl from usermode if the program runs with debug and admin rights. Please have a look at process link unlinking with NtSystemDebugControl or the example app if you want some code snippets.
Another interesting feature is a timer which sleeps for some seconds before the packed binary is decrypted and executed. Because the majority of analysis systems execute a given binary for a few minutes but not longer, one sees only some sleep calls in the report. If you want to tell Joebox to analyse a given binary for a longer time you have to submit a wait script to Joebox.
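Both tricks described in this entry, writing kernel memory through NtSystemDebugControl and sleeping past the analysis window, leave a visible trace in the raw behaviour data. The following added example (not Joebox code) shows how an analyst could flag them in a call log and decide whether a run needs to be repeated with a wait script. The CSV column layout is an assumption made for this example and is not Joebox's actual smart CSV format; the sample log is constructed; and the NtDelayExecution argument is given in milliseconds for readability, whereas the real call takes a 100-nanosecond relative interval. Control codes 8 and 9 are the ones named above.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed raw behaviour log. The column layout is an assumption made
# for this example and is not Joebox's actual "smart csv" format. The
# delay for NtDelayExecution is given in milliseconds here; the real call
# takes a 100-nanosecond relative interval.
SAMPLE_LOG = """\
time_ms,pid,syscall,arg0,arg1
10,1204,NtDelayExecution,0,30000
30010,1204,NtDelayExecution,0,30000
60010,1204,NtOpenProcess,0x1F0FFF,4
60020,1204,NtSystemDebugControl,8,0x80523000
60030,1204,NtSystemDebugControl,9,0x80523000
60040,1204,NtCreateFile,C:\\Temp\\out.bin,0
"""

# The two debug control codes named in the post.
DEBUG_CONTROL_NAMES = {8: "SysDbgReadVirtual", 9: "SysDbgWriteVirtual"}

def parse_log(text: str) -> List[Dict[str, str]]:
    """Read the CSV log into one dict per call."""
    return list(csv.DictReader(io.StringIO(text)))

def find_kernel_memory_access(rows: List[Dict[str, str]]) -> List[Tuple[int, int, str]]:
    """Flag NtSystemDebugControl calls that read or write virtual memory.
    Returns (time_ms, pid, control code name) per hit."""
    hits = []
    for row in rows:
        if row["syscall"] != "NtSystemDebugControl":
            continue
        code = int(row["arg0"], 0)  # base 0 accepts both "8" and "0x8"
        if code in DEBUG_CONTROL_NAMES:
            hits.append((int(row["time_ms"]), int(row["pid"]), DEBUG_CONTROL_NAMES[code]))
    return hits

def sleep_profile(rows: List[Dict[str, str]], window_ms: int) -> Dict[str, int]:
    """Within the first window_ms of the run, sum the requested sleep time
    and count every call that is not a sleep."""
    sleep_ms = 0
    other_calls = 0
    for row in rows:
        if int(row["time_ms"]) > window_ms:
            break  # log is in time order; past the analysis window
        if row["syscall"] == "NtDelayExecution":
            sleep_ms += int(row["arg1"])
        else:
            other_calls += 1
    return {"sleep_ms": sleep_ms, "other_calls": other_calls}

def needs_longer_run(rows: List[Dict[str, str]], window_ms: int, min_sleep_ms: int = 20000) -> bool:
    """True when the sample only slept during the window: the report would
    show nothing useful and the analysis should be rerun with a wait script."""
    profile = sleep_profile(rows, window_ms)
    return profile["sleep_ms"] >= min_sleep_ms and profile["other_calls"] == 0

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("kernel memory access:", find_kernel_memory_access(rows))
    print("60 s window, rerun needed:", needs_longer_run(rows, 60000))
    print("120 s window, rerun needed:", needs_longer_run(rows, 120000))
```

With a 60-second window the constructed log contains nothing but two sleeps, which is exactly the empty report the entry describes; with a 120-second window the same log exposes the process open, the two debug control calls and the file write.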
04.01.09 Zero Wine: Malware Behavior Analysis
A new malware behaviour analysis tool called Zero Wine has popped up. The tool was developed by Joxean Koret and released under GPL v2.0. Zero Wine uses Wine, which lets you run Windows programs within a Unix environment. Wine basically wraps the Win32 subsystems. If you use Zero Wine you get a report which contains the function call debug output of Wine and some other information like binary strings, PE header details or PE signatures. Zero Wine can be found at SourceForge. Joxean Koret commendably describes the main weakness of the analysis tool, its detectability. Another problem is that malware which needs other parts of the Windows environment does not work on Zero Wine. Often malware injects code into other processes like explorer.exe or svchost.exe. But on Unix there is no such process :). And of course Wine cannot handle kernelmode malware. Nonetheless Zero Wine has some potential to become a more powerful usermode analysis tool. The abstraction and formatting of the debug output are among the first features to improve. Joe Security has set up a Zero Wine instance for testing:
19.10.08 Anti Joebox
Joe Security has searched the web for crypters and packers with an Anti-Joebox feature in the last week. We have found some tools which claim to detect Joebox:
After collecting them we tested them by packing a simple executable which just creates a file. Surprisingly, no crypter prevented the analysis. One reason is the power of scripting. Just before Joebox executes an uploaded binary, a simple script is interpreted which changes the environment heavily. Joe Security is curious what kind of detection approaches will be used in future.
15.09.08 Joebox 1.2.0 online
Joe Security has finished the update of Joebox from 1.0.2 to 1.2.0. The new system is now available on the submit page. Joebox 1.2.0 has some useful new features. Besides a binary you are able to upload scripts which let you simulate user interactions and modify the environment. Furthermore Joebox provides a rich set of commands which you can use in your scripts. With these commands you are able to control Joebox, change the analysis state or build and compare baselines. Joebox 1.2.0 was developed by Stefan Buehlmann during his Bachelor Thesis. In addition to the scripting, the analysis spectrum of Joebox was extended. Now Joebox analyses thread creations and process memory modifications. Furthermore the stability of Joebox was improved.
Joebox 1.2.0 was not developed for online submissions, so please report errors to info@joebox.org.
29.07.08 Azure - A Hypervisor based Sandbox
It's now nearly one year ago since Joe Security had the idea to use a hypervisor for the main analysis engine of a sandbox. Now, at the upcoming Black Hat 08, Paul Royal is releasing his hypervisor based malware analysis tool Azure. The sandbox is able to capture WinAPI native calls (maybe by setting hardware breakpoints), as Joebox does. Furthermore it is able to analyse behaviour at the instruction level, which is really a powerful feature. The hypervisor is really difficult to detect, so malware has a hard job identifying the analysis environment. In addition a hypervisor is able to completely analyse the behaviour of kernelmode rootkits. Luckily the tool will be published as an open-source proof of concept. So maybe Azure can be integrated into the next Joebox release.
06.06.08 Honeypot access
For some months Joebox has been used by various honeypots like nepenthes. Joe Security is really happy to get more samples, which will help to improve the quality of the analysis reports. To add Joebox as a submit module for your favourite honeypot you have to add the URL http://analysis.joebox.org/submit to the configuration. For nepenthes you can use the cwsandbox submit module. For amun you can download the configuration and submit module here. Joe Security has also decided to release all reports and analysis data. The files can be accessed via FTP. The login credentials can be found here. Joe Security is planning a major update in September. The update includes a newer and more complete analysis report. Furthermore users will have the ability to submit scripts. More news will be released in August.
14.04.08 Joebox Customizing
It's now approximately 6 months since Joe Security began regularly analysing Windows binaries like drivers, EXEs and DLLs. In total, 400 binaries have been analysed and 10 of them bugchecked. There was no system downtime. How is Joebox progressing? Currently Stefan Buehlmann is customizing Joebox for a Swiss company. This includes an enlargement of the analysis spectrum (analysing thread hijacking, DLL injection, complete network traffic and monitoring some kernel structure changes). Furthermore he is developing a new component which lets you write AutoIt scripts to simulate user interactions. You can also completely control Joebox via AutoIt, so Joebox will be fully scriptable. With this powerful extension you are able to build a honeyclient just by writing a few lines of script code which browses websites randomly. Below you will find such an example script:
Honeyclient Script
Joebox UDF Commands
Joe Security is also working on a new technique to extract malicious behaviour by using behaviour baselines. If you have a good baseline you can easily compare it against other behaviour and drop the garbage.
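The baseline idea above is easy to get wrong in one respect: a plain set difference between a clean run and a sample run keeps everything that differs only in volatile details (temp file names, per-session GUIDs), so the "garbage" survives. The following added example (not Joebox code; the event shape and all events are constructed for this page) normalises such details before subtracting the baseline, and keeps a naive diff alongside to show the difference. The regexes are assumptions about what varies between runs; a real baseline would be built from several clean runs and tuned to the noise actually observed.

```python
import re
from typing import Iterable, List, Set, Tuple

Event = Tuple[str, str, str]  # (process, operation, target)

# Constructed events from a clean baseline run and from a sample run.
# The event shape is an assumption for this example, not Joebox output.
BASELINE_RUN: List[Event] = [
    ("svchost.exe", "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    ("explorer.exe", "CreateFile", r"C:\Users\joe\AppData\Local\Temp\~DF1A2B.tmp"),
    ("svchost.exe", "RegSetValue", r"HKLM\SOFTWARE\Microsoft\Tracing\{0a1b2c3d-1111-2222-3333-444455556666}"),
]
SAMPLE_RUN: List[Event] = [
    ("svchost.exe", "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName"),
    ("explorer.exe", "CreateFile", r"C:\Users\joe\AppData\Local\Temp\~DF9C8D.tmp"),
    ("svchost.exe", "RegSetValue", r"HKLM\SOFTWARE\Microsoft\Tracing\{ffffffff-0000-1111-2222-333344445555}"),
    ("sample.exe", "CreateFile", r"C:\Windows\System32\drivers\dropped.sys"),
    ("sample.exe", "RegSetValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

# Volatile parts that differ between otherwise identical runs (assumed patterns).
GUID_RE = re.compile(r"\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}")
TEMP_RE = re.compile(r"(\\temp\\)[^\\]+")

def normalize(event: Event) -> Event:
    """Canonical form: case-folded, GUIDs and temp file names replaced."""
    proc, op, target = event
    target = target.lower()
    target = GUID_RE.sub("{guid}", target)
    target = TEMP_RE.sub(r"\1<tmp>", target)
    return (proc.lower(), op, target)

def build_baseline(runs: Iterable[List[Event]]) -> Set[Event]:
    """Union of normalized events over one or more clean runs."""
    return {normalize(e) for run in runs for e in run}

def naive_diff(sample: List[Event], baseline_run: List[Event]) -> List[Event]:
    """Plain set difference, kept to show why normalization is needed."""
    seen = set(baseline_run)
    return [e for e in sample if e not in seen]

def extract_new_behaviour(sample: List[Event], baseline: Set[Event]) -> List[Event]:
    """Events of the sample run that the baseline does not explain."""
    return [e for e in sample if normalize(e) not in baseline]

if __name__ == "__main__":
    baseline = build_baseline([BASELINE_RUN])
    print("naive diff keeps", len(naive_diff(SAMPLE_RUN, BASELINE_RUN)), "events")
    for event in extract_new_behaviour(SAMPLE_RUN, baseline):
        print(*event)
```

On the constructed data the naive diff keeps four events, two of which are just explorer.exe and svchost.exe noise with different random names; after normalisation only the two sample.exe events remain, which is the report a reader actually wants.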
18.01.08 Joebox Documentation available
Joe Security has published the Joebox documentation. The documentation contains an introduction to malware analysis, some component descriptions and an outlook. The documentation is part of a project at the University of Applied Sciences Northwestern Switzerland FHNW which was started by Stefan Buehlmann in 2006. Unfortunately the time needed to translate the document into English wasn't available.
Joebox - An automatic malware behaviour analysis system
18.01.08 Joebox Service Online
Today Joe Security has released the Joebox service. Joebox currently only analyses File System, Registry System and Process System behaviour. Joebox will be continuously extended to analyse more functions and capture more behaviour. Please also note that Joebox is currently still betaware. If you get errors or would like to provide feedback, use either the forum or send an e-mail to info@joebox.org.
29.12.07 New Sandbox called FIW found
Today Joe Security found another sandbox solution called FIW. FIW is a high level debugger such as Inspector from Greg Hoglund's company. Like Joebox, it uses a real system with modified kernel functions. FIW is not an automatic analysis system; instead it is a debugger which allows you, for example, to step through the malware execution, view memory layouts etc. It is really interesting that FIW uses an approach of changing the system behaviour to force the malware to choose another execution path, in order to get more complete analysis reports. Currently the code isn't available, but Joe Security has asked the head developer of FIW for an evaluation copy.
28.12.07 Concept update
Today Joe Security has uploaded a new concept. There are no big changes, but some small ones which arose during implementation. Instead of a hardware restore component we have used the software product Deep Freeze. Furthermore the concept contains a small description of the new components Joeboxservlet, Joeboxserver, Joeboxcontrol, Joeboxdriver and Joeboxabstract. As Joe Security mentioned some months ago, the service to upload binaries will be online on the 18th of January. Additionally the beta versions of Joeboxcontrol, Joeboxdriver and Joeboxabstract will be downloadable to test these analysis tools. Joe Security will also publish a paper written in German about the current sandbox system which explains in detail how it works.
05.12.07 Good progress
The project development has made very good progress. Please have a look at the following abstraction chain:
basic behaviour data
mapped behaviour data
converted behaviour data
abstracted behaviour data
The main part of Joebox, the analysis driver, now works on multiprocessor systems. The mapping, converting and abstracting are dynamically definable. The controller, Joeboxcontrol, can load DLLs, SYSs and EXEs for analysis.
11.08.07 Implementation start
After working out new concepts, Joe Security began on 17.09.07 to implement the main parts of concept 5.0. With concept 5.0 Joebox is able to log not only behaviour in usermode, but also the behaviour of driver components. Since the prototype development the project has grown fast, and so has the knowledge behind it. The project ends on Friday, 18.01.08. Because the development time is really short, only a subset of all necessary requirements will be implemented. But the application will contain a web submit interface. The analysis files which will be returned do not contain function calls anymore, but an abstracted form which can be easily interpreted.
22.08.07 New concept
Joe Security worked out a completely new concept for Joebox. The main changes affect Joeboxspy. This application part acts on the same system level as the malware. So a malware process has exactly the same possibilities to subvert or bypass the sandbox's intercepting mechanism as the sandbox itself. Hence it is necessary to move Joeboxspy one system level higher. So Joeboxspy has to be a system driver which has full control over user-level applications.
Joe Security has also thought about using a hardware virtualisation solution like Intel's VT-x or AMD's Pacifica. The hypervisor could easily control system execution, log behaviour and is never touched. Because Joe Security does not have the necessary knowledge, it is looking for developers with know-how in using the described hardware techniques.
20.07.07 Stefan Buehlmann is searching for a Bachelor Thesis with focus on It-Security
Currently Joe Security is looking for partners for the Bachelor Thesis of Stefan Buehlmann at the University of Applied Sciences Northwestern Switzerland. Stefan Buehlmann has a high degree of knowledge in coding Win32 API and .NET programs. Furthermore he has the ability to write low level system code such as ASM and C. During his Bachelor studies in Computer Science he gained experience in many parts of software development. If you are interested and have some interesting work, please feel free to contact Stefan Buehlmann at any time.
10.06.07 Sandboxing message board online.
During the weekend I set up a PHP forum to discuss some interesting aspects in the world of sandboxing. The message board is available under the following link www.forum.joebox.org and also reachable through the navigation bar. Please register.
07.06.07 Concept revised and Vision section added.
I finished the second revision of Joebox's concept. Furthermore I added the section Vision to the navigation bar. The page contains the vision of Joebox and its concept. This includes possible secondary applications which use Joebox's report file as input.
27.05.07 New sandbox application labelled Threat Expert discovered.
Today I discovered another sandbox solution called Threat Expert. Threat Expert analyses binaries and presents a really abstract analysis file in HTML format. The report file includes possible screenshots and many different threat views. Furthermore Threat Expert is able to send files which are generated by malware to the users. The novelty is not the system or the techniques it uses but rather the application. Companies or ISPs can use Threat Expert to quickly generate patches if anti-virus software is not able to detect some threats and users have sent the relevant files to the sandbox. To get a first impression I sent the same test examples to Threat Expert as I used for my comparison article. Below you find the resulting report files (please open them with Internet Explorer):
Basic Keylogger
Dll Injection
Native Dll Load
I have not added a detailed evaluation because the report files themselves tell enough about the quality and the level of abstraction of Threat Expert.
20.05.07 Official first release date is the end of August 07
Joe Security has defined the end of August 07 for the release of the first tested beta version of Joebox. After the release companies can use and evaluate Joebox for free if they regularly provide feedback. Joebox is not available for individuals but for companies which test the product effectively. To ensure that companies do not use the product without providing customer feedback, Joe Security will provide a non-commercial feedback contract including a predefined feedback form.
19.04.07 Article about comparing existing sandbox applications has been published.
Please have a look at my newly published article about comparing sandbox applications. The comparison covers the technical aspects function intercepting technology, analysis completeness, used environment and pointer handling. Now I am focusing my activities on the implementation of Joeboxsniffer. Furthermore I have to fix some bugs in Joeboxhooker.
14.04.07 Complete webpage update
I have revised Joebox.org. The revision includes new samples, links and some corrections.
13.04.07 Joeboxhooker and Joeboxinjector have been finished
I finalized the Joeboxinjector and Joeboxhooker implementation in version 1.0.1.0. Now I have to complete the list of API functions (ntdll native calls) and continue my work on Joeboxsniffer.
05.03.07 Page goes online
The page design and the information texts are completed. More sample reports will be added in future. Please send me an email if the page violates any copyrights.
22.02.07 Hardware acquisition
Today I bought all the necessary hardware. This includes the computer and network system.
19.02.07 Project start
Beginning of the development and implementation phase. Classification of the software solution into four main parts.
10.02.07 Concept creation
After some study of hooking techniques I decided to create a unique concept for a sandbox application, which is published in the concept section.