ORGANIZATION
1. Changes in the structure of your organization.
The Chapter was formed in May 2009 around a project called Dorothy, which aims at designing and developing an open platform for botnet monitoring and analysis.
No changes since last year.
2. List current chapter members and their activities
DEPLOYMENTS
1. List current technologies deployed.
RESEARCH AND DEVELOPMENT
During 2011 the Italian Chapter has been mainly involved in improving the Dorothy framework, especially the Virtualization Module, the Network Analysis Module, and the Java Drone, which has finally reached its second stable version.
The Chapter has continued mentoring graduating students from the Technologic Department of the Università di Milano, leading their work and research on botnet-related projects. During this year, four students successfully completed their final-year projects, contributing heavily to the overall Chapter progress.
Thanks to their work, a collaboration with Telecom Italia, Security Innovation department, has been established with the aim of sharing knowledge about malware evolution.
Progress details follow
Mentored Final degree Projects @ UNIMI
An overview of the communication protocols used by botnets (ITA).
Development of a drone for Zeus 1.x botnets (ITA)
Implementation of SURFids for monitoring and analyzing honeypot data. The work has been mentored by Telecom Italia, Security Innovation department (ITA)
Improvement of the Java Dorothy Drone (ENG).
All the projects are available here.
The Dorothy Malware Analysis engine
The development of the new version of Dorothy is still ongoing. During 2011 the virtualization module has been completely ported to VMware ESXi, and pcapr-local has been used for the new Network Analysis Module. Currently the entire framework stores its data between the pcapr database (MongoDB) and a Postgres server.
The JDRONE
The JDrone (Java Dorothy Drone) is a project that aims to redesign and improve the existing Dorothy drone, leveraging a multi-platform language like Java. The final purpose is to make the botnet drone as user friendly as possible so that it can be deployed by several users around the world, and to offer more capabilities than the older one, such as multi-protocol support, distributed deployment and secure log management.
At the same time, the drone infrastructure has to be secure, reliable and scalable. The proposed system is a distributed infrastructure that is able to acquire all the incoming data from different drones in a way that strongly preserves data confidentiality.
Strong encryption is used for maintaining the confidentiality of the drone/server communication, and anonymity is granted between the drone and the C&C. In addition, each drone is designed to follow the syslog RFC specification for its logging format. This allows any syslog-compatible server to be used to collect the data coming from the drone.
Thanks to this new approach to C&C information gathering, the Dorothy system will be able to represent and visualize data in a more efficient way, helping CERTs/ISPs/LEOs to develop their mitigation process in a timely manner.
During 2011, thanks to a joint effort between Domenico Chiarito (graduating student) and Patrizia Martemucci (main coder), the JDrone resource management has been completely reviewed. Now, a Postgres server manages the resources of both the JDrone-Authentication Server and the JDrone-Log Server. In this manner, every connection to certain C&Cs is managed by a relational DB that takes care of managing several connection constraints, i.e. One C&C-IRC-Profile -> One JDrone-Client, by locking its resources accordingly.
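The "One C&C-IRC-Profile -> One JDrone-Client" constraint described above can be enforced by the database itself, so that two clients can never be handed the same profile. The following is an added example, not code from the Dorothy/JDrone project: it uses Python with in-memory SQLite as a stand-in for the Postgres server, and the table names, column names and the extra rule that one client holds at most one profile are assumptions.

```python
import sqlite3

# Constructed schema for illustration; all names are hypothetical.
SCHEMA = """
CREATE TABLE cc_profile (id INTEGER PRIMARY KEY, label TEXT NOT NULL);
CREATE TABLE lease (
    profile_id INTEGER PRIMARY KEY REFERENCES cc_profile(id), -- one client per profile
    client_id  TEXT NOT NULL UNIQUE                           -- assumed: one profile per client
);
"""

def open_db():
    """Create the in-memory database with two constructed profiles."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cc_profile(id, label) VALUES (?, ?)",
                   [(1, "profile-a"), (2, "profile-b")])
    return db

def claim(db, client_id):
    """Atomically lock a free profile for client_id; return its id or None."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before reading the free set
    try:
        row = db.execute(
            "SELECT id FROM cc_profile "
            "WHERE id NOT IN (SELECT profile_id FROM lease) "
            "ORDER BY id LIMIT 1").fetchone()
        if row is None:            # every profile is already locked
            db.execute("ROLLBACK")
            return None
        db.execute("INSERT INTO lease(profile_id, client_id) VALUES (?, ?)",
                   (row[0], client_id))
        db.execute("COMMIT")
        return row[0]
    except sqlite3.IntegrityError:  # constraint refused the lease
        db.execute("ROLLBACK")
        return None

def release(db, client_id):
    """Unlock whatever profile client_id holds; return the number of rows freed."""
    return db.execute("DELETE FROM lease WHERE client_id = ?",
                      (client_id,)).rowcount
```

Because the uniqueness rules live in the schema, a lease that bypasses `claim()` and violates them is rejected as well.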
During the first quarter of 2012, thanks to Marco Doldi and Giampaolo Dedola (graduating students), the JDrone has been equipped with a module that allows Zeus (v.2.0.x) C&C infiltration too.
FINDINGS
1. Highlight any unique findings, attacks, tools, or methods.
None
2. Any trends seen in the past year?
None
3. What are you using for data analysis?
We are currently using VMware ESXi for malware sandboxing, and Splunk for analyzing all the data coming from our JDrones.
4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
Our new JDrone 2.0 is working well, but until the new malware analysis module is up and running, we'll really need to find some active C&C profiles in other ways.
The new visualization module/WebGUI is still missing, but it will be the main goal for 2012.
PAPERS AND PRESENTATIONS
1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible).
None
2. Are you looking for any data or people to help with your papers?
None
3. Where did you present honeypot-related material?
Our research was presented at:
GOALS
1. Which of your goals did you meet for the past year?
Keeping the Chapter up and working was the main one, and maintaining an enlarged team around the original Dorothy project was the strict consequence.
Furthermore, an important goal was to provide full support to any undergraduate students of UNIMI who wanted to develop their final graduation project on honeypot-related technologies.
To date, thanks to the cooperation with the Università degli Studi di Milano - DTI, we have successfully provided (and are still providing) support to several students who are working on Dorothy to improve/optimize its inner functionalities.
Additionally, during this year we have kept our collaboration with Telecom Italia, Security Innovation department, strong, with the aim of sharing knowledge about malware evolution.
2. Goals for the next year.
The main tactical goal for the next year is still the same as last year's: to bring Dorothy to a 24x7dd production environment. The second Dorothy version is close to finally being released (really!), and the new web GUI will be made available as soon as the first data are correctly collected.
Secondly, JDrone is the next technology that we would like to see in production as soon as possible. It has finally reached its second stable version, and now only a deep testing phase is missing (we are looking for volunteers!).
For the next year, we are also looking forward to deploying as many honeypots as possible and to connecting them to the hpfeeds repository.
The Italian project will continue to freely provide support to any Italian .gov institutions (or national ISPs) on honeypot implementation and cyber attack notification.
MISC ACTIVITIES
NA