The Italian Honeynet Chapter Status Report 2011

ORGANIZATION
1. Changes in the structure of your organization.
The Chapter was formed in May 2009 around a project called Dorothy, which aims at designing and developing an open platform for botnet monitoring and analysis.

No changes since last year.

2. List current chapter members and their activities

  • Marco Riccardi is the Chapter leader and he is currently working as e-Crime researcher at Barcelona Digital. He is mainly involved in the development/improvement of the Dorothy framework.
  • Marco Cremonini is an assistant professor at the University of Milan, where he is currently teaching and researching in the field of security & privacy, economics and complex systems. He is the academic supervisor of the students collaborating on the Chapter's activities and scientific advisor for the Chapter.
  • Davide Cavalca is involved in designing a single database for the whole Dorothy system (malware, drones, etc.) and he is currently working as a security advisor. His work extends the project he developed during his Laurea thesis on a Honeynet Infrastructure in Virtualized Environment (HIVE).
  • Luigi D'Amato is currently CTO at Partner Security Lab and a member of Zone-H. He provides support for our IT infrastructure and is actively involved in developing and maintaining our honeynet.

DEPLOYMENTS
1. List current technologies deployed.

  • The original Dorothy monitoring and analysis framework.
  • Our botnet monitoring tool: the JDrone.
  • Low interaction honeypots:
    Dionaea+hpfeed (Ubuntu)
    Dionaea+hpfeed (honeeebox)
  • SURFids for honeypot monitoring.

RESEARCH AND DEVELOPMENT
During 2011 the Italian Chapter has been mainly involved in improving the Dorothy framework, especially the Virtualization Module, the Network Analysis Module, and the Java Drone, which has finally reached its second stable version.
The Chapter has continued mentoring graduating students from the Department of Information Technology (DTI) of the Università degli Studi di Milano, guiding their work and research on botnet-related projects. During this year, four students successfully completed their final year projects while contributing heavily to the overall Chapter progress.
Thanks to their work, a collaboration with Telecom Italia's Security Innovation department has been established with the aim of sharing knowledge about malware evolution.

Progress details follow.

Mentored Final degree Projects @ UNIMI

  • Botnet Protocol Analysis – Marco Addario
  • An overview of the communication protocols used by botnets (ITA).

  • Analisi della Botnet Zeus 2.0.8.9 e integrazione del modulo di monitoraggio in JDrone (Analysis of the Zeus 2.0.8.9 botnet and integration of the monitoring module into JDrone) – Marco Doldi
  • Development of a drone for Zeus 1.x botnets (ITA).

  • Un'Ordinaria Giornata di Attacchi Informatici - Rilevamento, Monitoraggio e Analisi con Sistemi di Honeypot e SURFids (An Ordinary Day of Cyber Attacks - Detection, Monitoring and Analysis with Honeypot Systems and SURFids) – Stefano Fornara
  • Implementation of SURFids for monitoring and analyzing honeypot data. The work has been mentored by Telecom Italia's Security Innovation department (ITA).

  • JDrone 2.0: The evolution of Dorothy's Botnet Infiltration Module – Domenico Chiarito
  • Improvement of the Java Dorothy Drone (ENG).

All the projects are available here.

The Dorothy Malware Analysis engine
The development of the new version of Dorothy is still ongoing. During 2011 the virtualization module has been completely ported to VMware ESXi, and pcapr-local has been adopted for the new Network Analysis Module. The entire framework currently stores its data in the pcapr database (MongoDB) and a Postgres server.
The JDrone
The JDrone (Java Dorothy Drone) is a project that aims to redesign and improve the existing Dorothy drone, leveraging a multi-platform language such as Java. The final purpose is to make the botnet drone as user friendly as possible, so that it can be deployed by many users around the world, and to offer more capabilities than the old one, such as multi-protocol support, distributed deployment and secure log management.
At the same time, the drone infrastructure has to be secure, reliable and scalable. The proposed system is a distributed infrastructure that is able to acquire all the incoming data from different drones in a way that strongly preserves data confidentiality.
Strong encryption is used to keep the drone/server communication confidential, and anonymity is guaranteed between the drone and the C&C. In addition, each drone is designed to follow the syslog RFC specification for its logging format, which allows any syslog-compatible server to collect the data coming from the drone.
Thanks to this new approach to C&C information gathering, the Dorothy system will be able to represent and visualize data more efficiently, helping CERTs/ISPs/LEOs to carry out their mitigation process in a timely manner.
During 2011, thanks to a joint effort between Domenico Chiarito (graduating student) and Patrizia Martemucci (main coder), the JDrone resource management has been completely revised. A Postgres server now manages the resources of both the JDrone Authentication Server and the JDrone Log Server. In this way, every connection to a given C&C is managed by a relational DB that enforces several connection constraints, e.g. one C&C-IRC profile -> one JDrone client, by locking its resources accordingly.
During the first quarter of 2012, thanks to Marco Doldi and Giampaolo Dedola (graduating students), the JDrone has also been equipped with a module that allows Zeus (v2.0.x) C&C infiltration.
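Two design points above lend themselves to a worked example: drones logging in a syslog RFC format so any syslog server can collect their output, and a relational database enforcing "one C&C profile -> one drone client". The block below is an added example and is not JDrone or Dorothy code. It assumes RFC 5424 as the syslog format (the report only says "the syslog RFC"), uses an in-memory SQLite database as a stand-in for the Postgres server, and every hostname, channel, SD-ID (`cnc@32473` uses the enterprise number RFC 5424 reserves for documentation) and timestamp is constructed for illustration.

```python
"""Added example: RFC 5424 drone log records + exclusive C&C profile leases.

Not JDrone code. All names, values and the SQLite stand-in for Postgres
are assumptions made for this illustration.
"""
import re
import sqlite3
from datetime import datetime, timezone

# ---- Part 1: RFC 5424 records (PRI = facility * 8 + severity) ----------
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
SAMPLE_TIMESTAMP = datetime(2011, 12, 1, 10, 0, tzinfo=timezone.utc)  # constructed

_HEADER = re.compile(r'^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$', re.DOTALL)
# One SD-ELEMENT: [SD-ID NAME="VALUE" ...]; a VALUE escapes '"', '\' and ']'
_SD_ELEMENT = re.compile(r'\[([^\s=\]"]+)((?:\s[^\s=\]"]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s=\]"]+)="((?:[^"\\]|\\.)*)"')


def _sd_escape(value):
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _sd_unescape(value):
    return re.sub(r'\\(["\\\]])', r'\1', value)


def format_syslog(hostname, app_name, msg_id, sd_id, params, message,
                  timestamp=None, facility=FACILITY_LOCAL0,
                  severity=SEVERITY_INFO, proc_id="-"):
    """Build one record: HEADER SP STRUCTURED-DATA [SP MSG]."""
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    header = "<%d>1 %s %s %s %s %s" % (facility * 8 + severity, ts,
                                        hostname, app_name, proc_id, msg_id)
    if params:
        sd = "[%s %s]" % (sd_id, " ".join('%s="%s"' % (k, _sd_escape(v))
                                          for k, v in params.items()))
    else:
        sd = "-"  # NILVALUE: no structured data
    return header + " " + sd + (" " + message if message else "")


def parse_syslog(line):
    """Parse a record as a syslog collector would, unescaping SD values."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 record")
    pri, rest, structured = int(m.group(1)), m.group(7), {}
    if rest.startswith("-"):
        rest = rest[1:]
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = _SD_ELEMENT.match(rest, pos)
            if em is None:
                raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
            structured[em.group(1)] = {k: _sd_unescape(v)
                                       for k, v in _SD_PARAM.findall(em.group(2))}
            pos = em.end()
        rest = rest[pos:]
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "app_name": m.group(4), "proc_id": m.group(5),
            "msg_id": m.group(6), "structured_data": structured,
            "message": rest[1:] if rest.startswith(" ") else rest}


def example_record():
    """Constructed observation: a drone reporting the C&C channel it joined."""
    return format_syslog("drone01", "jdrone", "CNC", "cnc@32473",
                         {"server": "irc.example.invalid", "channel": "#ops]x",
                          "nick": 'bot"1'}, "joined channel",
                         timestamp=SAMPLE_TIMESTAMP)


# ---- Part 2: one C&C profile -> one drone client, enforced by the DB -----
SCHEMA = """
CREATE TABLE cnc_profile (id INTEGER PRIMARY KEY, server TEXT NOT NULL, channel TEXT NOT NULL);
CREATE TABLE lease (
    profile_id  INTEGER NOT NULL UNIQUE REFERENCES cnc_profile(id),  -- the lock
    client_id   TEXT    NOT NULL,
    acquired_at INTEGER NOT NULL);
"""


def open_registry(profiles):
    """In-memory stand-in for the Postgres resource registry."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cnc_profile (server, channel) VALUES (?, ?)", profiles)
    conn.commit()
    return conn


def acquire(conn, profile_id, client_id, now):
    """Take the lease; the UNIQUE constraint rejects a second holder."""
    try:
        with conn:
            conn.execute("INSERT INTO lease VALUES (?, ?, ?)", (profile_id, client_id, now))
    except sqlite3.IntegrityError:
        return False
    return True


def acquire_any(conn, client_id, now):
    """Give the client the first profile nobody holds, or None if all are taken."""
    free = conn.execute("SELECT id FROM cnc_profile WHERE id NOT IN "
                        "(SELECT profile_id FROM lease) ORDER BY id").fetchall()
    for (pid,) in free:
        if acquire(conn, pid, client_id, now):
            return pid
    return None


def release(conn, profile_id, client_id):
    """Only the holder may release; returns False otherwise."""
    with conn:
        cur = conn.execute("DELETE FROM lease WHERE profile_id = ? AND client_id = ?",
                           (profile_id, client_id))
    return cur.rowcount == 1


def holder(conn, profile_id):
    row = conn.execute("SELECT client_id FROM lease WHERE profile_id = ?", (profile_id,)).fetchone()
    return row[0] if row else None


def expire_stale(conn, now, max_age):
    """Drop leases of drones that stopped renewing; returns how many were freed."""
    with conn:
        cur = conn.execute("DELETE FROM lease WHERE acquired_at < ?", (now - max_age,))
    return cur.rowcount
```

Because the exclusivity lives in a UNIQUE constraint rather than in application code, two drones racing for the same profile against a real Postgres server would see exactly one INSERT succeed, which is the "locking its resources" behaviour the report describes; the stale-lease sweep is the piece a production deployment needs so that a crashed drone does not hold a profile forever.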

FINDINGS

1. Highlight any unique findings, attacks, tools, or methods.
None

2. Any trends seen in the past year?
None

3. What are you using for data analysis?
We are currently using VMware ESXi for malware sandboxing, and Splunk for analyzing all the data coming from our JDrones.

4. What is working well, and what is missing, what data analysis functionality would you like to see developed?
Our new JDrone 2.0 is working well, but until the new malware analysis module is up and running we will need to find active C&C profiles in other ways.
The new visualization module/WebGUI is still missing, but it will be the main goal for 2012.

PAPERS AND PRESENTATIONS

1. Are you working on or did you publish any papers or presentations, such as KYE or academic papers? If yes, please provide a description and link (if possible).

None

2. Are you looking for any data or people to help with your papers?

None

3. Where did you present honeypot-related material?
Our research was presented at:

  • The Annual Honeynet Workshop 2011 – Paris, FR

GOALS

1. Which of your goals did you meet for the past year?
Keeping the Chapter up and working was the main one, and maintaining an enlarged team around the original Dorothy project was the direct consequence.
Furthermore, an important goal was to provide full support to any UNIMI undergraduate students who wanted to develop their final graduation project on honeypot-related technologies.
To date, thanks to the cooperation with the Università degli Studi di Milano - DTI, we have successfully provided (and are still providing) support to several students who are working on Dorothy to improve/optimize its inner functionality.
Additionally, during this year we have kept our collaboration with Telecom Italia's Security Innovation department strong, with the aim of sharing knowledge about malware evolution.

2. Goals for the next year.
The main tactical goal for the next year is still the one of last year: to bring Dorothy to a 24x7 production environment. The second Dorothy version is close to being finally released (really!), and the new web GUI will be made available as soon as the first data is correctly collected.
Secondly, JDrone is the next technology we would like to see in production as soon as possible. It has finally reached its second stable version, and now only a deep testing phase is missing (we are looking for volunteers!).
For the next year, we are also looking forward to deploying as many honeypots as possible and to connecting them to the hpfeed repository.
The Italian project will continue to freely provide support to any Italian .gov institution (or national ISP) regarding honeypot implementation and cyber attack notification.

MISC ACTIVITIES
NA