January 12: Open Positions
Joe Security LLC is hiring:
December 30: Happy New Year 2012
Joe Security LLC wishes you a happy new year! We are looking forward to next year. Various new features and improvements are planned.
December 13: End of Year Review
2011 has been a very successful year for Joe Security LLC. Besides doubling our customer base, we had time to extend Joe Sandbox with powerful features. Version 4.5.2 is the latest release; it was published at the beginning of December.
We look forward to 2012 and would like to thank all the long-term and new customers for their trust, support and loyalty.
September 27: Who is the target?
In the last weeks we have developed a new behavior signature which easily detects the targets of e-banking malware. Below you find an example from a recent SpyEye analysis:
The signature is available for all Joe Sandbox Web and Joe Sandbox Standalone customers.
July 26: ZeroAccess VS Joe Sandbox
One of the most infamous and advanced kernel-mode rootkits is ZeroAccess (also known as Max++). A very good analysis of ZeroAccess can be found here. Like the TDL rootkit, ZeroAccess protects itself with a large number of little-known tricks. For instance, it creates a new Windows service which is used to launch an infected Windows driver. To do so it sets the service's ImagePath key in the Windows registry to \*. \* is not a valid file path, and thus the creation of the key does not look malicious. However, ZeroAccess creates an NTFS symbolic link connecting the file path \* with the infected driver:
As a result the ImagePath virtually points to a valid driver file, and thus the driver is loaded successfully. In the following you find a short list of the most interesting tricks which ZeroAccess uses to bypass security tools:
All these tricks can be analyzed by reading the following Joe Sandbox report: Zero Access Analysis.
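The ImagePath trick above is easy to miss because the registry value itself looks harmless. The following is an added example (not Joe Security's code and not taken from the report) of the kind of check a defender can run over exported service entries: it flags ImagePath values that contain wildcard characters, do not start with a recognised Windows root, or lack an executable extension. The service entries and the list of accepted roots are constructed assumptions for this illustration.

```python
import re

# Constructed sample of service registry entries (service name -> ImagePath value).
# Illustrative values only, not data from a real system or a Joe Sandbox report;
# "suspicious_svc" mimics the "\*" trick described above.
SAMPLE_SERVICES = {
    "Tcpip": r"system32\DRIVERS\tcpip.sys",
    "Beep": r"\SystemRoot\System32\drivers\beep.sys",
    "mrxsmb": r"\??\C:\Windows\system32\drivers\mrxsmb.sys",
    "Spooler": r"%SystemRoot%\System32\spoolsv.exe",
    "Dnscache": r"%SystemRoot%\system32\svchost.exe -k NetworkService",
    "suspicious_svc": r"\*",
}

# Roots a legitimate ImagePath normally starts with (assumed heuristic, not exhaustive).
KNOWN_ROOTS = re.compile(
    r"""^(
        \\SystemRoot\\ |            # \SystemRoot\...
        %SystemRoot%\\ |            # %SystemRoot%\...
        %windir%\\ |                # %windir%\...
        system32\\ |                # relative to the Windows directory
        \\\?\?\\[A-Za-z]:\\ |       # \??\C:\... (NT object path)
        [A-Za-z]:\\                 # C:\...
    )""",
    re.IGNORECASE | re.VERBOSE,
)

VALID_EXTENSIONS = {"sys", "exe", "dll"}


def executable_part(image_path):
    """Return the executable portion of an ImagePath (a quoted path, or the text up
    to the first space) so that service arguments such as '-k NetworkService' are ignored."""
    m = re.match(r'^"([^"]+)"|^(\S+)', image_path.strip())
    return (m.group(1) or m.group(2)) if m else ""


def image_path_findings(image_path):
    """Return the reasons an ImagePath value looks suspicious; an empty list means clean."""
    exe = executable_part(image_path)
    if not exe:
        return ["empty ImagePath"]
    findings = []
    # The NT prefix \??\ legitimately contains '?', so strip it before the wildcard test.
    bare = exe[4:] if exe.startswith("\\??\\") else exe
    if "*" in bare or "?" in bare:
        findings.append("wildcard character in path (not a valid file name)")
    if not KNOWN_ROOTS.match(exe):
        findings.append("path does not start with a known Windows root")
    file_name = bare.rsplit("\\", 1)[-1]
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    if ext not in VALID_EXTENSIONS:
        findings.append("missing or unusual file extension: %r" % ext)
    return findings


def scan_services(services):
    """Map every service with at least one finding to its list of findings."""
    report = {}
    for name, path in services.items():
        findings = image_path_findings(path)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for svc, reasons in scan_services(SAMPLE_SERVICES).items():
        print(svc, "->", "; ".join(reasons))
```

Only "suspicious_svc" is reported, with all three findings. On a live system the path check is only half the story: because the trick relies on a symbolic link, the ImagePath should additionally be resolved on disk to see whether a link, rather than a regular file, answers to that name.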
July 10: Defeating Locale Aware Malware
Often e-banking trojans and targeted malware are written for a specific country or region. Thus the malware authors add small pieces of code to their creations which try to find out where the computer being infected is located. If the country or region does not match, the malicious program simply terminates, and thus an analysis system like Joe Sandbox does not detect anything. The following picture shows a disassembly extract from a Brazilian banker malware:

The code queries the lang ID of the system (GetSystemDefaultLangID). If the lang ID of the system is not 0x416 (decimal 1046, meaning "Portuguese (Brazil)"), it simply terminates (path 4C7F5C).
To be able to analyze this malware on Joe Sandbox you can use the following magic cookbook: change default locale. The cookbook uses the undocumented NtSetDefaultLocale system call. NtSetDefaultLocale changes the default locale, which includes the lang ID of the system. By calling NtSetDefaultLocale(FALSE, 0x416) the lang ID is changed to Portuguese (Brazil). As a consequence the GetSystemDefaultLangID call returns 0x416 and the Brazilian banker trojan behaves as it would on a Brazilian Windows system.
You may wonder how to find out whether a sample checks for region-specific artifacts. The Joe Sandbox 5.0.0 release, which will be available to all our customers at the beginning of August, captures (among other new behavior) queries for region-specific artifacts like the lang ID or keyboard layout.
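To make the value 0x416 concrete and to show what a "locale gate" looks like in a call trace, here is an added example (not Joe Sandbox code and not its log format). It decodes a LANGID into primary language and sublanguage the way MAKELANGID composes it, and scans a constructed API trace for a locale query that is followed almost immediately by process termination. The trace lines, the set of locale-query APIs and the window size are assumptions made for this illustration.

```python
import re

# Primary language identifiers (low 10 bits of a LANGID); a subset of Microsoft's table.
PRIMARY_LANGUAGES = {
    0x04: "Chinese", 0x07: "German", 0x09: "English", 0x0A: "Spanish",
    0x0C: "French", 0x10: "Italian", 0x11: "Japanese", 0x16: "Portuguese",
    0x19: "Russian",
}
# Sublanguage identifiers (high 6 bits) for Portuguese, from the same table.
PORTUGUESE_SUBLANGS = {1: "Brazil", 2: "Portugal"}


def make_langid(primary, sub):
    """Compose a LANGID as MAKELANGID does: sublanguage in the high 6 bits, primary language in the low 10."""
    return ((sub & 0x3F) << 10) | (primary & 0x3FF)


def split_langid(langid):
    """Inverse of make_langid: return (primary language, sublanguage)."""
    return langid & 0x3FF, (langid >> 10) & 0x3F


def describe_langid(langid):
    """Human-readable name for a LANGID, e.g. 0x416 -> 'Portuguese (Brazil)'."""
    primary, sub = split_langid(langid)
    name = PRIMARY_LANGUAGES.get(primary, "primary 0x%02x" % primary)
    if primary == 0x16 and sub in PORTUGUESE_SUBLANGS:
        name += " (%s)" % PORTUGUESE_SUBLANGS[sub]
    return name


# APIs that reveal the system or user locale (assumed list, not the product's own).
LOCALE_QUERIES = {
    "GetSystemDefaultLangID", "GetUserDefaultLangID", "GetSystemDefaultLCID",
    "GetUserDefaultLCID", "GetUserDefaultUILanguage", "GetLocaleInfoA",
    "GetLocaleInfoW", "GetKeyboardLayout", "GetKeyboardLayoutList",
}
EXIT_CALLS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}

# Constructed trace lines in the form "Api(args) -> return" (a made-up format).
SAMPLE_TRACE = [
    "GetModuleHandleA(NULL) -> 0x400000",
    "GetSystemDefaultLangID() -> 0x0409",
    "ExitProcess(0)",
]
BENIGN_TRACE = [
    "GetSystemDefaultLangID() -> 0x0409",
    r'CreateFileA("C:\test.txt") -> 0x44',
    "WriteFile(0x44) -> 1",
    "CloseHandle(0x44) -> 1",
    "ExitProcess(0)",
]

CALL_RE = re.compile(r"^(\w+)\((.*)\)(?:\s*->\s*(0x[0-9A-Fa-f]+|\d+))?\s*$")


def parse_call(line):
    """Split one trace line into (api, args, return value or None)."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api, args, ret = m.groups()
    return api, args, (int(ret, 0) if ret else None)


def analyze_trace(trace, window=3):
    """Report the locale queries in a trace and whether one is followed within
    `window` calls by process termination, the shape of a locale gate."""
    calls = [c for c in (parse_call(line) for line in trace) if c]
    queries, gated = [], False
    for i, (api, _args, value) in enumerate(calls):
        if api not in LOCALE_QUERIES:
            continue
        seen = describe_langid(value) if value is not None and api.endswith("LangID") else None
        queries.append((api, value, seen))
        following = [a for a, _, _ in calls[i + 1:i + 1 + window]]
        if any(a in EXIT_CALLS for a in following):
            gated = True
    return {"locale_queries": queries, "locale_gated": gated}


if __name__ == "__main__":
    print(hex(make_langid(0x16, 1)), describe_langid(0x416))
    print(analyze_trace(SAMPLE_TRACE))
```

Running it shows that 0x416 is Portuguese with sublanguage 1 (Brazil), which is why the cookbook call NtSetDefaultLocale(FALSE, 0x416) satisfies the sample's check, and that the first trace (query on an English system, then ExitProcess) is flagged while the benign trace, which goes on to do real work, is not.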
May 23: The Power of Cookbooks
Joe Sandbox allows you to submit a Joe Sandbox Cookbook in addition to a malware binary. A cookbook is a small script which describes the analysis procedure as well as additional user behavior. Cookbooks are written in AutoIt, a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting.
Recently we wrote a very useful Joe Sandbox Cookbook for finding malware which injects HTML elements into e-banking login pages (so-called HTML/IFRAME injectors). SpyEye and Zeus do this to steal credit card numbers and ATM PINs.
If you want to know whether your bank is a Zeus or SpyEye target, you can upload the findinjector Cookbook together with a recent Zeus or SpyEye sample.
The findinjector Cookbook works as follows. It first launches the e-banking web page and takes a screenshot. Then it starts the submitted binary sample and waits some minutes. Then it browses the e-banking page again and takes a second screenshot. Finally the two screenshots are compared. If a difference has been found (the malware has injected HTML fields), a comment is submitted to Joe Sandbox, which is then compiled into the Joe Sandbox report.
The two pictures below show the result for a recent SpyEye trojan which was submitted together with the findinjector Cookbook to Joe Sandbox.


In the second image you find an additional text box injected by SpyEye, which lures users into entering their ATM code.
The findinjector cookbook is a very good example of how powerful cookbooks can be. You want to test multiple e-banking pages with the findinjector cookbook? All that is needed is a loop around the script code! Simple, but very effective. The findinjector cookbook is available to all Joe Security LLC customers.
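The heart of the findinjector procedure is the comparison of the two screenshots and the loop over several pages. The following is an added example in Python (the real cookbook is written in AutoIt and is not reproduced here; this is not Joe Security's code) that implements those two parts over constructed "screenshots": small pixel grids where the injected variant carries an extra form field. It ignores tiny differences such as a blinking cursor, reports the bounding box of the changed region, and loops over a set of pages. The page names, the image data and the noise threshold are assumptions made for this illustration.

```python
WIDTH, HEIGHT = 40, 24  # dimensions of the constructed "screenshots"


def render_page(injected=False):
    """Constructed stand-in for a browser screenshot: a grid of 0 (background) and
    1 (form-field border). The genuine login form has two fields; the injected
    variant carries a third field below them, mimicking the extra ATM-code box.
    Purely synthetic data, not a real capture."""
    image = [[0] * WIDTH for _ in range(HEIGHT)]
    boxes = [(4, 10, 6, 30), (8, 10, 10, 30)]  # (top, left, bottom, right)
    if injected:
        boxes.append((12, 10, 14, 30))
    for top, left, bottom, right in boxes:
        for y in range(top, bottom + 1):
            for x in range(left, right + 1):
                image[y][x] = 1
    return image


def with_cursor_blink(image):
    """Copy of an image with a single pixel changed, simulating harmless screen noise."""
    copy = [row[:] for row in image]
    copy[20][5] = 1
    return copy


def changed_pixels(before, after):
    """Coordinates of every pixel that differs between the two captures."""
    return [(y, x) for y, row in enumerate(before) for x, v in enumerate(row) if v != after[y][x]]


def compare_screenshots(before, after, min_changed=20):
    """The comparison step: decide whether the page changed while the sample ran.
    Differences smaller than min_changed pixels (cursor, clock) are not reported."""
    changed = changed_pixels(before, after)
    if len(changed) < min_changed:
        return {"injected": False, "changed": len(changed), "bbox": None}
    ys = [y for y, _ in changed]
    xs = [x for _, x in changed]
    return {"injected": True, "changed": len(changed), "bbox": (min(ys), min(xs), max(ys), max(xs))}


# Constructed results of the "before" and "after" captures per page. In the real
# cookbook the sample is started and given time to run between the two captures.
SAMPLE_PAGES = {
    "https://bank-a.example/login": (render_page(), render_page(injected=True)),
    "https://bank-b.example/login": (render_page(), render_page()),
    "https://bank-c.example/login": (render_page(), with_cursor_blink(render_page())),
}


def run_findinjector(pages):
    """The loop mentioned above: compare every page's two captures and collect a result per page."""
    return {page: compare_screenshots(before, after) for page, (before, after) in pages.items()}


if __name__ == "__main__":
    for page, result in run_findinjector(SAMPLE_PAGES).items():
        print(page, "injected" if result["injected"] else "clean", result["bbox"])
```

bank-a is reported with the bounding box of the third field (rows 12 to 14, columns 10 to 30), while bank-b (identical captures) and bank-c (one changed pixel) are reported clean; the bounding box is what one would turn into the comment that ends up in the report.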
Mar 13: Joe Sandbox Web
Joe Sandbox Web is the main web interface of Joe Sandbox 4.0.0. The web interface lets you upload binaries and manage analysis results. We offer, for a small monthly fee, web access to Joe Sandbox. Joe Sandbox Web is completely maintained and hosted by Joe Security. Click on the online service button in the navigation bar or here to get an idea of the web service and the purchasable accounts. The account labeled "simple" is available for free!
Mar 13: Joe Sandbox 4.0.0
Today we released Joe Sandbox 4.0.0. Besides a new web interface, we added hook detection to Joe Sandbox. With version 4.0.0 Joe Sandbox detects a wide range of function hooks (from user-mode IAT hooks to kernel-mode object hooks; for a full list click here). Hooks are often used by malware for protection and hiding. Banking trojans also use hooks to sniff and manipulate network traffic; for example, they hook the Winsock functions send and recv to insert HTML iframes into web pages. All new features of Joe Sandbox 4.0.0 are accessible via Joe Sandbox Web.
Feb 25: Product Name Change
Due to trademark issues we changed the product name of our dynamic malware analysis system Joebox to Joe Sandbox.
Feb 19: New Webpage Online
We redesigned and updated our complete web page. You find new and detailed information about Joe Sandbox in the products section. The online version of Joe Sandbox can be accessed via the online service menu. You will find information about Joe Security here.
Feb 13: Joe Sandbox 3.1.0
At the beginning of 2011 we released another major release of Joe Sandbox. About 80 new behavior signatures were added. Besides that, we decided to implement a technique, different from reputation measurements, to remove behavior noise from the system. With the new technique the new reports are much smaller than the old ones.
Today Joe Sandbox includes function calls only if they come from real malicious code. All calls which come from Windows DLLs and processes are not added to the analysis report. Furthermore, static PE file analysis was added to the report. Suspicious facts (e.g. a packed binary or TLS entries) are identified and marked correspondingly.
Check out a new report here which demonstrates all the new features.
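Two of the mechanisms announced on this page, the IAT hook detection of 4.0.0 (the send/recv hooks used by banking trojans) and the call filtering of 3.1.0 (dropping calls that originate in Windows DLLs), both reduce to the same question: in which module does an address lie? The following added example (not Joe Sandbox's implementation, whose method the page does not describe) answers that question over a constructed module map and uses it twice: once to flag IAT entries that no longer point into the exporting DLL, and once to keep only API calls whose caller is the sample or code outside any loaded module, where unpacked or injected code lives. Module names, addresses, the IAT and the trace are all invented for the illustration.

```python
# Constructed module map of a 32-bit process: module name -> (base address, size).
# Addresses are invented for this example, not taken from any real process.
MODULES = {
    "banker.exe":   (0x00400000, 0x00080000),   # the analysed sample
    "ntdll.dll":    (0x7C900000, 0x000B2000),
    "kernel32.dll": (0x7C800000, 0x000F6000),
    "ws2_32.dll":   (0x71AB0000, 0x00017000),
}
SYSTEM_MODULES = {"ntdll.dll", "kernel32.dll", "ws2_32.dll"}

# Which system module exports each imported function (constructed subset).
EXPORTERS = {
    "send": "ws2_32.dll", "recv": "ws2_32.dll",
    "CreateFileA": "kernel32.dll", "WriteFile": "kernel32.dll",
    "NtCreateFile": "ntdll.dll",
}

# The sample's resolved import address table, assumed to have been read from memory.
# send and recv no longer point into ws2_32.dll: one points into the sample's own
# image, the other into an anonymous region (for instance a heap-allocated trampoline).
SAMPLE_IAT = {
    "send":         0x00401200,
    "recv":         0x00150040,
    "CreateFileA":  0x7C801A28,
    "WriteFile":    0x7C810E27,
    "NtCreateFile": 0x7C90D0AE,
}


def module_containing(addr):
    """Name of the loaded module whose address range contains addr, or None."""
    for name, (base, size) in MODULES.items():
        if base <= addr < base + size:
            return name
    return None


def detect_iat_hooks(iat):
    """Return {import: (expected module, actual module or None)} for every IAT
    entry whose address lies outside the module that exports the function."""
    hooked = {}
    for func, addr in iat.items():
        expected = EXPORTERS.get(func)
        actual = module_containing(addr)
        if actual != expected:
            hooked[func] = (expected, actual)
    return hooked


# Constructed API call trace: (API name, return address of the caller).
SAMPLE_TRACE = [
    ("CreateFileA", 0x00402510),   # called from the sample itself
    ("NtCreateFile", 0x7C801B4C),  # kernel32 calling ntdll on the sample's behalf
    ("send", 0x00150088),          # called from the anonymous region
    ("WriteFile", 0x7C9010EF),     # ntdll-internal call
]


def filter_noise(trace):
    """Keep calls whose caller is the sample or code outside any known module;
    drop calls that originate inside Windows DLLs (a simplified noise filter)."""
    return [(api, ret) for api, ret in trace if module_containing(ret) not in SYSTEM_MODULES]


if __name__ == "__main__":
    print("hooked imports:", detect_iat_hooks(SAMPLE_IAT))
    print("calls kept:", filter_noise(SAMPLE_TRACE))
```

The hook check reports send (redirected into banker.exe) and recv (redirected to an address outside every loaded module); the filter keeps the CreateFileA call made by the sample and the send call made from the anonymous region, and drops the two calls that Windows DLLs made among themselves.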
More good news: in March we are moving our server farm to new offices, where we will have faster infrastructure.
Furthermore we plan to release another major upgrade of Joe Sandbox in the coming weeks. The upgrade includes a new unique feature.
Follow us on Twitter: http://twitter.com/joe4security to get tweets about updates, upgrades and other news.