Friday, March 23, 2012

Joe Sandbox 5.0.0

After a long period of development, we released version 5.0.0 of Joe Sandbox today.

Among many small improvements and enhancements, the major change is a brand new usermode hooking engine that is capable of hooking every function in usermode code, including non-exported and non-imported functions, and is fully configurable. Currently the engine enables Joe Sandbox to capture exploit-specific behavior in Internet Explorer. For example, the engine captures all compiled JavaScript code (fully deobfuscated) and all writes to the HTML DOM tree. This data lets us write specific behavior signatures to detect browser exploits, exploit kits and other browser-specific attacks.
Below you find a link to a report that was generated using the browse cookbook. The browse cookbook visits a webpage inside the sandbox:

Joe Sandbox 5.0.0 Blackhole Analysis

As you can see in the signature summary section, shellcode has been found and the browser downloads Flash and PDF files. In addition, large chunks of executable memory have been allocated. Further, you see that an IFRAME has been injected which then redirects to a page that downloads the PDF file, which obviously contains an exploit to drop and register a DLL (wpbt0.dll). If you browse through the report, and especially the "Browser Activities" section, it becomes clear that the malicious behavior originates from the infamous Black Hole Exploit Kit.
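As an added illustration (not Joe Sandbox's own signature code), the following Python sketch shows how a behavior signature can be evaluated over a captured browser-activity trace of the kind described above: it requires the stages to occur in order (IFRAME injected, redirect followed, PDF or Flash downloaded, large executable allocation, DLL dropped) and reports how far a trace got, so a partial chain is still visible. The event category names, the constructed sample traces and the 1 MiB allocation threshold are assumptions.

```python
import re
from collections import namedtuple
# One captured hook call; kind names are assumed (dom_write, navigate, download, alloc, file_write).
Event = namedtuple("Event", "kind detail")
# Constructed sample trace, not taken from a real report; the order mirrors the
# chain summarised in the post (IFRAME -> redirect -> PDF -> RWX memory -> DLL).
SAMPLE_TRACE = [
    Event("dom_write", '<iframe src="http://redirector.example/go.php" width="1" height="1">'),
    Event("navigate", "http://redirector.example/go.php"),
    Event("navigate", "http://payload.example/load.php?spl=pdf"),
    Event("download", "application/pdf http://payload.example/load.php?spl=pdf"),
    Event("alloc", "PAGE_EXECUTE_READWRITE size=16777216"),
    Event("file_write", "C:\\Users\\user\\AppData\\Local\\Temp\\wpbt0.dll"),
]
# Constructed benign trace: an ad IFRAME and a small JIT buffer, no document download.
BENIGN_TRACE = [
    Event("dom_write", '<iframe src="http://ads.example/banner.html" width="300" height="250">'),
    Event("navigate", "http://ads.example/banner.html"),
    Event("alloc", "PAGE_EXECUTE_READWRITE size=65536"),
]
IFRAME_RE = re.compile(r'<iframe[^>]*\ssrc="([^"]+)"', re.I)
DOC_TYPES = ("application/pdf", "application/x-shockwave-flash")
EXEC_ALLOC_MIN = 1 << 20  # assumed threshold for a "large" executable allocation

def alloc_size(e):
    return int(m.group(1)) if (m := re.search(r"size=(\d+)", e.detail)) else 0

def first_index(trace, pred, start=0):
    """Index of the first event at or after `start` matching pred, else -1."""
    return next((i for i in range(start, len(trace)) if pred(trace[i])), -1)

def evaluate(trace):
    """Staged signature: each stage must follow the previous one; returns the stages reached."""
    state = {"target": None}
    def iframe_written(e):
        m = e.kind == "dom_write" and IFRAME_RE.search(e.detail)
        state["target"] = m.group(1) if m else None  # the redirect must hit this injected URL
        return bool(m)
    stages = [
        ("iframe_injected", iframe_written),
        ("redirect_followed", lambda e: e.kind == "navigate" and e.detail == state["target"]),
        ("exploit_document_downloaded", lambda e: e.kind == "download" and e.detail.startswith(DOC_TYPES)),
        ("large_executable_memory", lambda e: e.kind == "alloc" and "EXECUTE" in e.detail and alloc_size(e) >= EXEC_ALLOC_MIN),
        ("dll_dropped", lambda e: e.kind == "file_write" and e.detail.lower().endswith(".dll")),
    ]
    reached, pos = [], 0
    for name, pred in stages:
        pos = first_index(trace, pred, pos)
        if pos < 0: break
        reached.append(name)
        pos += 1
    return reached
```

Running `evaluate(SAMPLE_TRACE)` yields all five stage names, while the benign trace stops after the redirect because no document download follows it.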

Joe Sandbox 5.0.0 is available for all our standalone and web service customers.