Italian Chapter Status Report for 2010

1. Changes in the structure of your organization.
The Chapter was formed in May 2009 around a project called Dorothy which aims at designing and developing a botnnet monitoring and analysis open platform.
Emanuele Goldoni, Pierluca Zangari and Angelo dell’Aera left the chapter during this year.

2. List current chapter members and their activities

  • Marco Riccardi is the Chapter leader and he is currently working as e-Crime researcher at Barcelona Digital. He is mainly involved in the development/improvement of the Dorothy framework.
  • Marco Cremonini is an assistant professor at the University of Milan, where he is currently teaching and researching in the field of security & privacy, economics and complex systems. He is the academic supervisor of students collaborating to the Chapter's activity and scientific advisor for the Chapter.
  • Davide Cavalca is involved in projecting a unique database for the whole Dorothy system (malwares, drones,etc) and he is currenlty working as a security advisor. His work extends the project developed by him during his Laurea Thesis about a Honeynet Infrastructure in Virtualized Environment (HIVE).
  • Luigi D’Amato is currently a CTO at Partner Security Lab and a member of Zone-H. He is providing support to our IT infrastructure and he is actively involved in developing/maintaining our honeynet.

1. List current technologies deployed.

  • The original Dorothy monitoring and analysis framework.
  • Our botnet monitoring tool : the JDrone
  • Low interaction honeypots:
  • mwcollectd
  • nephentes
  • Dionaea
  • SurdIDS for honeypot monitoring.


  • 1. The Dorothy Malware Analysis engine
  • The entire malware analysis engine is currently under re-development.
    The whole code is being ported to Ruby, and the virtualization module is being designed to interact with VMWare ESXi , instead of the original VMWare Fusion.

  • 2.The JDRONE
  • The JDDrone (Java Dorothy Drone) is a Laurea Thesis project started on September 2009 by Andrea Cavenago and Patrizia Martemucci. The project aims to redesign and improve the existing Dorothy drone, leveraging on a multi-platform language like Java. The final purpose is to make the botnet drone as user friendly as possible in order for it to be deployable by several users around the world, and to offer more capabilities than the older one, like a multi-protocol support, a distributed deployment and a secure log management.
    At the same time, the drone infrastructure has to be secure, reliable and scalable. The proposed system is a distributed infrastructure that is able to acquire all the incoming data from different drones in a way to highly preserve data confidentiality.
    Strong encryption is used for maintaining confidentiality between the drone/ server communication, and the anonymity is granted between the drone and the C&C. In addition, each drone is designed to follow the syslog RFC specification for its logging format. This would allow to use any syslog-compatible server to collect the data incoming from the drone.
    Thanks to this new approach on C&C information gathering, the Dorothy system will be able to represent and visualize data in a more efficient way, helping CERTS/ISP/LEO to develop their mitigation process in a timely manner.

  • 3.Improving visualization Techniques
  • Right now we are able to automatically provide different kind of graphs of all the data that we are able to obtain from a botnet. Moreover the usual pies and stacks, we are conducting some tests about using spider(radar) charts to summarize botnet features. Furthermore, we are using linked graphs (using afterglow) to show the network behavior of a malware.
    Although, all these ideas are already developed, they are just PoCs (everything is generated by Unix scripting/Google API right now and they are not so fancy as they should be) we would like to improve these graphs by making them interactive and customizable.
    All the graphs will most probably be created using High Charts (, and new dashboards will be added in the main WGUI including realtime graphs that will represent all the data incoming by our (a tail board will be included, like the one present in the old version of Splunk).

  • 4.Improving the Dorothy web GUI
  • Right now the WGUI is based on some cryptic php+html+ASP code. Therefore, we will have to recode everything using a web 2.0. language in order to improve the real-time-ness of our data. Considering that the entire engine is going to be rewritten in Ruby, the new WGUI will probably be written in Rails.
    Unfortunately, this task is in its initial stages, and nothing is being done right now.

  • 5.Improving the reporting system
  • The Dorothy framework was projected to include a reporting module that could be able to automatically report an incident to anyone responsible of that (ISP, Registrar, LEO, etc).
    However, nothing has been done apart from a couple of bash scripts that send an alert when a known pattern is spotted. The idea is to improve this capability in order to extend Dorothy to a ticketing system that could easily manage and track all these notifications.


1. Highlight any unique findings, attacks, tools, or methods.

2. Any trends seen in the past year?

3. What are you using for data analysis?
We have been designing the Dorothy framework in order to carry out the data analysis as well, especially in a visual manner. However, the final GUI is not yet completed, therefore we are currently using Splunk to analyze the huge amount of data coming from our drones.

4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
Our brand new JDrone is working well, and we are receiving interesting feeds from our first beta. However the central database is still missing, and the development of the new web graphical interface is going to be delayed a little, because we are out of GUI developers at the moment.


1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible).

Marco R. & Marco C. presented a paper about Dorothy at EC2ND (European Conference on Computer Network Defense).

In addition, the Chapter contributed also to the following ENISA reports:

  • Botnets: Measurement, Detection, Disinfection and Defence
    Editor: Dr. Giles Hogben
    Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder
  • Botnets: 10 Tough Questions
    Editor: Dr. Giles Hogben
    Authors: Daniel Plohmann, Elmar Gerhards-Padilla, Felix Leder

2. Are you looking for any data or people to help with your papers?
Absolutely! Any help is always welcome.

3. Where did you present honeypot-related material?
Our research was presented at:

  • EC2ND2009- Milan - IT
  • inBot2010 - Bonn - DE
  • SecuritySummit2010 - Milan - IT

Furthermore, a framework for cyber fraud detection and mitigation that relies on Dorothy was presented at the Anti-Phishing Working Group e-Crime summit on Oct 2010 (Dallas) on behalf of Barcelona Digital. The presented paper was prized by APWG&IEEE with an e-Crime Scholarship.


1.Which of your goals did you meet for the past year?
To keep the Chapter up and working was the main one and to maintain an enlarged team around the original Dorothy project was the strictly consequence.
Furthermore, an important goal was aimed to provide full support to any undergraduate students of the UNIMI that wanted to develop their final graduation project on honeypot related technologies.
Up today, thanks to the cooperation with the Università deli Studi di Milano - DTI, we have successfully provided (and still providing) support to several students that are working on Dorothy to improve/optimize its inner functionalities.
Additionally, during the last year we have established collaboration with Telecom Italia, Security Innovation department, with the aim of sharing knowledge about malware evolution.

2. Goals for the next year.
The main tactical goal for the next year is to bring Dorothy to a 24x7dd production environment. The second Dorothy version is close to be finally released, and the new web GUI will be made available as soon as the first data will be correctly collected.
Secondly, one of the strategic goal of our project is to continue the development and deployment of the Dorothy modules (the JDrone as first). Once we will correctly implement all the framework, we believe that sharing of the data gathered during the continuous produced analysis will result and insight into some relevant cases.

For the next year, we are also looking forward to deploying as many honeypots as possible and to connect them to the Malware Collect Alliance repository. Actually we manage just two mwcollectd instances, but we'd like to implement at least 5 low honeypot sensors dislocated among Europe.