The Italian Honeynet Chapter Status Report


Page 1: The Italian Honeynet Chapter

The Italian Honeynet Chapter

Status Report

Page 2

Agenda

• The Italian HP chapter
• Goals achieved
• Ongoing progress
• Expected goals
• 3D-Problems
• Conclusion

Page 3

The Italian HP Chapter

• Founded in 2009
• Built around the Dorothy project
  – A framework for tracking botnets
• Currently composed of 4 volunteers
  – Marco Riccardi: R&D Researcher @ Barcelona Digital
  – Marco Cremonini: Assistant Professor @ University of Milan
  – Davide Cavalca: Information Security Advisor, Freelancer
  – Luigi D’Amato: CTO @ Partner Security Lab / Member @ Zone-H

Page 4

Goals achieved during 2010

Page 5

Goals achieved 1/3

• Java Dorothy Drone Improvement (JDrone)
  – Tool for (IRC) botnet infiltration
  – Totally rewritten in Java
    • totally multiplatform
    – yes, even on Windows!
  – Distributed infrastructure
    • Distributed drone instances
    • One central Log Server
    • One Authentication Server

Page 6

The JDrone

• How does it work?

Page 7

[Architecture diagram: C&C #1 and C&C #2 (sample C&C IP: 11.11.11.11:6666, issuing Command#1, Command#2, Command#3); JD-Drone instances; JD-Drone Authentication Server; JD-Drone Log Server; Dorothy Web GUI]
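The diagram above only names the components. The following is an added example, not JDrone's or Dorothy's own code, that models the distributed set-up described on the previous slide in Ruby (the language Dorothy is being ported to): several drone instances, one Authentication Server that hands each registered drone a token, and one central Log Server that accepts records only from authenticated drones and groups them per C&C endpoint, which is the view a Web GUI would render. The HMAC-SHA256 token scheme, the JSON record fields (cc, command, ts), the drone names and the second C&C endpoint are all assumptions constructed for this illustration; only 11.11.11.11:6666 and Command#1..#3 come from the slide.

```ruby
require 'json'
require 'openssl'
require 'time'

# Added illustration, not JDrone's own code: a minimal model of the
# distributed infrastructure on the slides (several drone instances, one
# Authentication Server, one central Log Server feeding the Web GUI).
# The HMAC token scheme, the JSON record fields and every sample value
# below are assumptions constructed for this example.

AUTH_SECRET = 'constructed-shared-secret'.freeze

# Constant-time string comparison so that token checks on the Log Server
# do not leak how many leading bytes of a bad token were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Authentication Server: issues one HMAC-SHA256 token per registered drone.
class AuthServer
  def initialize(secret, known_drones)
    @secret = secret
    @known = known_drones
  end

  def issue_token(drone_id)
    raise ArgumentError, "unknown drone #{drone_id}" unless @known.include?(drone_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, drone_id)
  end

  def valid?(drone_id, token)
    return false unless @known.include?(drone_id)
    secure_equal?(issue_token(drone_id), token)
  end
end

# Central Log Server: accepts JSON lines from authenticated drones only and
# normalises them into records keyed by the C&C endpoint they were seen on.
class LogServer
  Record = Struct.new(:drone_id, :cc, :command, :seen_at)

  attr_reader :rejected

  def initialize(auth)
    @auth = auth
    @records = []
    @rejected = 0
  end

  # Returns true when the record was stored, false when the drone's token
  # failed validation (the record is dropped and counted, not stored).
  def submit(drone_id, token, json_line)
    unless @auth.valid?(drone_id, token)
      @rejected += 1
      return false
    end
    data = JSON.parse(json_line)
    @records << Record.new(drone_id, data.fetch('cc'), data.fetch('command'),
                           Time.iso8601(data.fetch('ts')))
    true
  end

  # The per-C&C view a Web GUI would render: distinct commands in the order
  # first seen, the drones that observed the endpoint, and the earliest sighting.
  def per_cc
    @records.group_by(&:cc).transform_values do |rs|
      { commands: rs.map(&:command).uniq,
        drones: rs.map(&:drone_id).uniq.sort,
        first_seen: rs.map(&:seen_at).min }
    end
  end
end

# Constructed sample run: two registered drones report on the C&C endpoint
# drawn on the slide (11.11.11.11:6666) plus a second, made-up one; a third,
# unregistered sender with a bogus token is rejected.
def run_demo
  auth = AuthServer.new(AUTH_SECRET, %w[drone-1 drone-2])
  log = LogServer.new(auth)
  t1 = auth.issue_token('drone-1')
  t2 = auth.issue_token('drone-2')
  [
    ['drone-1', t1, '{"cc":"11.11.11.11:6666","command":"Command#1","ts":"2011-01-10T10:00:00Z"}'],
    ['drone-1', t1, '{"cc":"11.11.11.11:6666","command":"Command#2","ts":"2011-01-10T10:00:05Z"}'],
    ['drone-2', t2, '{"cc":"11.11.11.11:6666","command":"Command#1","ts":"2011-01-10T10:01:00Z"}'],
    ['drone-2', t2, '{"cc":"22.22.22.22:6667","command":"Command#3","ts":"2011-01-10T10:02:00Z"}'],
    ['drone-x', 'not-a-valid-token', '{"cc":"33.33.33.33:6666","command":"Command#9","ts":"2011-01-10T10:03:00Z"}']
  ].each { |id, tok, line| log.submit(id, tok, line) }
  log
end

if __FILE__ == $PROGRAM_NAME
  log = run_demo
  log.per_cc.each do |cc, v|
    puts "#{cc}: #{v[:commands].join(', ')} (seen by #{v[:drones].join(', ')}, first #{v[:first_seen].utc.iso8601})"
  end
  puts "rejected submissions: #{log.rejected}"
end
```

The point of separating the Authentication Server from the Log Server is that the collector never has to trust a drone's claimed identity: an unregistered sender, or one presenting a stale or forged token, is counted and dropped before its record can pollute the per-C&C view.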

Page 8

Goals achieved 2/3

• Relationships formed
  – Telecom Italia, Security Lab (honeypot implementation, knowledge sharing)
  – Barcelona Digital (server hosting, knowledge sharing)
• Graduating student support
  – Five graduating students of the University of Milan (DTI) are currently doing their final thesis on Dorothy-related sub-projects.
    • The JDrone Project - Patrizia Martemucci, Andrea Cavenago
    • Botnet Protocol Analysis - Marco Addario – 04/2011
    • Zeus analysis/detection module - Giampaolo Dedola – 02/2011
    • Low-Interaction Honeypot Implementation - Stefano Fornara – Stage in Telecom Italia Labs – 04/2011

Page 9

Goals achieved 3/3

• Attended conferences
  – Italian Security Summit 2010, Milan, IT
  – inBot 2010, Bonn, DE
  – APWG 2010, Dallas, USA* (paper presented)
• Two IEEE publications
  – “The Dorothy Project: An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization” - Cremonini M., Riccardi M.
  – “A framework for financial botnet analysis” - Riccardi M., Cremonini M., Oro D., Vilanova M., Luna J.
• Awards:
  – Second place at “Best Italian thesis on information security”, Clusit 2010
  – “IEEE eCrime Fighters Scholarship Award”, APWG 2010*

*Paper presented by Barcelona Digital. However, the proposed system heavily relies on a customized version of Dorothy.

Page 10

Ongoing progress

Page 11

Ongoing progress 1/2

• Porting to Ruby – (+ Rails ...I wish..)
• Porting the virtualization module to VMware ESXi
• Testing the first beta of the JDrone
  – any volunteers for beta testing?
• Compatibility with HTTP botnets (Zeus+SpyEye first)
  – For Zeus 1.x almost done

Page 12

Ongoing progress 2/2

• Database migration to Postgres - almost done
• Improving visualization techniques (FlashCharts) – almost done
• Improving the Web GUI
  – Improving “real time” data visualization (AJAX)
  – Improving its interactivity
  – ...still waiting to kick off this task

Page 13

Future Goals

“ What are we going to do tonight, Brain?”

Page 14

Tactical goals

• Tool improvements
  – Implement the new Dorothy framework
    • Finish the database implementation
    • Finish the Ruby porting phase
    • Finish the new visualization module
    • Execute Dorothy 24hx7d
  – Release the first beta of the JDrone
• Honeypot implementation
  – Implement at least 10 new low-interaction honeypots (dionaea+mwcollectd) across USA, EU, ASIA

Page 15

Strategic goals

• Presentations
  – 2011 – Honeynet Project Annual Workshop – Paris (Done!)
  – Presentation about the JDrone as soon as a stable version is released
  – …as many as possible!
• Publications
  – One about data gathered from the new version of the framework (JDrone included)
  – ….others will depend on the development progress
• Improve relationships
  – Italian/Spanish universities
  – Italian/Spanish CERTs
  – Italian/Spanish LEAs

Page 16

3D-Problems

[Chart placeholder: 3D chart with axis ticks from 0 to 5]

Page 17

3D-Problems

– Resources ($)
  • Dorothy needs a big server for its malware analysis module
    – After 3 years, we finally found it!
– Time (dT)
  • The large majority of the people involved are currently working for private companies (even the graduating students)...
  • The whole project is developed entirely during spare time (very little!)
– Space (dS)
  • 4 members, 4 cities, 4 companies, 3 countries
  • Lack of coordination

→ Slow development

Page 18

Conclusion

• Almost two years of development
  – So far so good…
• Ongoing work
  – Dorothy improvement; second version close to being released
• Expectations
  – Clear and concrete goals
• Problems
  – Our 3D problem vision

Page 19

Let’s Demo!

• The Dorothy WGUI
• The JDrone

Page 20

Questions?

Page 21

Thank you

• Marco Riccardi
  – [email protected]
  – [email protected]
  – skype: m4rco-
• Website:
  – www.honeynet.it