07.07.2014

In recent months, two of our valued students from the University of Milan (SSRI) graduated with final projects based on dorothy2 and honeypots.

Salvatore Gervino did very good work (ita) extending dorothy2 so that it can analyse malicious emails.
The resulting code allows Dorothy to process emails containing malicious attachments and determine whether they can be categorised as phishing.
His code will soon be merged into the next release of dorothy2; stay tuned!

Calogero Lupo also did an outstanding job (ita) improving the project's overall honeypot infrastructure. His work developed a honeynet based on Kippo, leveraging the powerful and flexible Amazon Web Services (AWS) platform.
His work shows how any willing researcher/analyst can easily set up a wide honeynet spanning several countries around the world... for free!
The results collected are really interesting and pave the way for further research.

Congratulations to both, and a big THANK YOU for your incredible support!


11.12.2013

Version 1.2.0 of Dorothy has finally been released.
Several issues were fixed and a lot of code was improved.
This is a major update: from this version on, Dorothy only runs on Ruby 1.9.3. If you have a previous version installed, please upgrade it, because older versions relying on Ruby 1.8.7 will no longer be maintained.

Very important new features will soon be introduced in upcoming versions, such as:

- a small Sinatra web front-end for interactive analysis summaries (finally!), plus some handy APIs
- VNC connection to the sandbox through the vSphere API during -m manual mode
- behaviour triggers + escalated analysis (if indicator X is not found, run the sample in VM Y; if it still isn't found, go to manual mode)

just to name a few :)

And last but not least, we now have a bug tracking system, so feel free to open an issue whenever something is not working (or to request new features).

Stay tuned!

11.08.2013

The latest version of Dorothy introduces lots of improvements.

First, a new analysis mode has been added: manual analysis.
If Dorothy is executed with the -m parameter, it will fetch the malware, copy it into the sandbox, start the sniffer and pause the whole execution flow, waiting for the analyst's next action. This flow control allows the analyst to log into the sandbox (through RDP, for example) and prepare it for ad-hoc runtime scenarios, or simply to “watch” the system's behaviour once the malicious binary is executed. When Dorothy is executed in this way, multi-threading is obviously disabled, so it handles one malware sample at a time. Finally, during manual analysis an interactive console is prompted, allowing the analyst to control the other Dorothy modules/actions, e.g. take a screenshot, save the running processes, etc.
I found it very handy for ad-hoc scenarios, or simply for malware analysis presentations/demos.

BTW: the next version of Dorothy will spawn a VNC session and connect to the sandbox via the VMware VNC port (this way, the network sniffer won't see the usual RDP traffic).

Next, Dorothy is now able to detect newly spawned processes. Its approach is completely out-of-the-box and relies on a very basic forensic technique: comparing the processes in execution with the ones recorded during a “baseline” analysis.
The “baseline” analysis is the novelty of this version. During the first configuration of Dorothy, the analyst is guided through making the “baseline” of his sandboxes (currently, all sandboxes are assumed to be the same, i.e. same OS, same running processes).
Once completed, the baseline analysis creates a YAML file in Dorothy's folder with all the processes in execution and their details, e.g. creation date, exit code, etc.
In the future, Dorothy may use this technique to compute filesystem modifications too (there is already a method coded into its libs).
Accordingly, a new table has been created in Dorothive to store all the process information. So if you are upgrading Dorothy from a past version, be sure to read the UPDATE file.
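The baseline comparison described above, as an added example that is not Dorothy's own code: the YAML layout (PID => name, creation date, exit code) and the two snapshots are constructed here, and processes are matched on name plus creation date so that a PID recycled by a new process is still reported as spawned.

```ruby
require 'yaml'

# Constructed baseline snapshot, in the layout this example assumes for
# Dorothy's baseline YAML (not the project's real schema): PID => details.
BASELINE_YAML = <<~YAML
  4:    {name: System,       creation_date: '2013-11-01 08:00:01', exit_code: ~}
  512:  {name: svchost.exe,  creation_date: '2013-11-01 08:00:05', exit_code: ~}
  1040: {name: explorer.exe, creation_date: '2013-11-01 08:00:09', exit_code: ~}
YAML

# Constructed snapshot taken after the sample ran: explorer.exe is gone, its
# PID 1040 was reused by cmd.exe, and the dropped sample itself is running.
AFTER_YAML = <<~YAML
  4:    {name: System,       creation_date: '2013-11-01 08:00:01', exit_code: ~}
  512:  {name: svchost.exe,  creation_date: '2013-11-01 08:00:05', exit_code: ~}
  1040: {name: cmd.exe,      creation_date: '2013-11-01 08:12:40', exit_code: ~}
  2312: {name: sample.exe,   creation_date: '2013-11-01 08:12:31', exit_code: ~}
YAML

# Identify a process by (name, creation date) rather than PID alone:
# Windows reuses PIDs, so a recycled PID must still be reported as spawned.
def process_key(info)
  [info['name'], info['creation_date']]
end

# Returns the processes spawned after the baseline and those that exited,
# each as a Hash of PID => details, so a caller can store or print them.
def diff_processes(baseline_yaml, after_yaml)
  baseline = YAML.safe_load(baseline_yaml)
  after    = YAML.safe_load(after_yaml)
  base_keys  = baseline.values.map { |info| process_key(info) }
  after_keys = after.values.map { |info| process_key(info) }
  spawned = after.reject    { |_pid, info| base_keys.include?(process_key(info)) }
  exited  = baseline.reject { |_pid, info| after_keys.include?(process_key(info)) }
  { spawned: spawned, exited: exited }
end

if __FILE__ == $PROGRAM_NAME
  result = diff_processes(BASELINE_YAML, AFTER_YAML)
  result[:spawned].each { |pid, p| puts "NEW    #{pid} #{p['name']} (#{p['creation_date']})" }
  result[:exited].each  { |pid, p| puts "EXITED #{pid} #{p['name']}" }
end
```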

Another important improvement is the extensions file. To instruct the sandbox on how to execute the fetched binaries, the analyst can now edit the extensions.yml file and decide how to handle them, e.g. open a PDF file with a certain version of Acrobat, execute an exe with certain parameters, and so on.
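An extension-driven launcher in the spirit of the extensions file, as an added example that is not Dorothy's own code: the table layout (program, arguments, document/executable type, a %SAMPLE% placeholder), the Windows paths and the sample names are all assumed here, not taken from the real extensions.yml.

```ruby
require 'yaml'

# Constructed extensions table in the layout this example assumes (not the real
# extensions.yml schema): per extension, the program to launch, its arguments,
# and whether the sample is opened as a document or run as an executable.
# %SAMPLE% is a placeholder for the sample's path inside the sandbox.
EXTENSIONS_YAML = <<~'YAML'
  default: {run: '%SAMPLE%', args: [], type: executable}
  exe:     {run: '%SAMPLE%', args: ['/silent'], type: executable}
  pdf:     {run: 'C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe', args: ['%SAMPLE%'], type: document}
  doc:     {run: 'C:\Program Files\Microsoft Office\Office12\WINWORD.EXE', args: ['%SAMPLE%'], type: document}
YAML

# Resolve the handler for a sample from its extension (case-insensitive; the
# last extension wins, so "invoice.pdf.exe" is treated as an exe) and expand
# the placeholder. Samples with no or unknown extension fall back to "default".
def build_command(extensions_yaml, sample_path)
  table = YAML.safe_load(extensions_yaml)
  ext   = File.extname(sample_path).sub(/\A\./, '').downcase
  entry = table.fetch(ext) { table.fetch('default') }
  argv  = [entry['run'], *entry['args']].map { |a| a.gsub('%SAMPLE%', sample_path) }
  { type: entry['type'], argv: argv }
end

if __FILE__ == $PROGRAM_NAME
  ['C:\samples\a.pdf', 'C:\samples\x.EXE', 'C:\samples\blob'].each do |s|
    cmd = build_command(EXTENSIONS_YAML, s)
    puts "#{cmd[:type].ljust(10)} #{cmd[:argv].join(' ')}"
  end
end
```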

Lastly, a lot of improvements have been made to the code, which is now more readable and reliable.

That's all for the moment; hope you will enjoy the new version of Dorothy!

m4rco-

02.07.2013

Dorothy2 has been developed entirely with RubyMine, a really powerful IDE for Ruby developers.

We have just received a free RubyMine license thanks to the JetBrains open source program.

Thank you guys!

10.06.2013

As announced in the HoneynetProject.org blog, Dorothy2 is finally here!

Type “gem install dorothy2” in your terminal, or download it from here, and fork the project if you want to contribute.

And don't forget to blame me for any bug you find :)


30.05.2013

Our student Andrea Valerio received his Bachelor's degree a few weeks ago by presenting his great work on recoding the whole Dorothy WGUI module from scratch.

Well done Andrea!

The code will soon be available on this website and will be included in the next release of the Dorothy2 gem.

His work is summarized in his YouTube video (narrated in Italian):

http://www.youtube.com/watch?v=W4DdMYPp4Ws

His degree's final project is also available here: [pdf]

30.10.2012

[..]The recent feature was christened under the name “Dynamic Config,” a technology implemented in Citadel v1.3.5.1 “Rain Edition” enabling botmasters smoother, quicker interactions with the victim through browser injection technology. Today’s fraud happens in real time, so speed is of the essence. This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file.

How does this happen? It’s actually quite simple. Citadel-infected machines are going to have an instruction to reach out to the C&C every 2 minutes and update themselves with a predefined file where injection “packs” will be ready to go. The whole system will be managed by a clever distribution mechanism dictating which injections go to which bot or group of bots. The format will be fully “Zeus-compatible,” of course. [..]

via Citadel V1.3.5.1: Enter the Fort’s Dungeons « Speaking of Security – The RSA Blog and Podcast.

02.07.2012

[..]

Although they did not disclose any specific details about how the so-called detection actually works, we could inspect it a bit further. It simply scans through the resources of the currently running processes and looks for specific patterns, for instance inside the “CompanyName” field, such as:

- vmware
- sandbox
- virtualbox
- geswall
- bufferzone
- safespace

Nevertheless, the tricky part comes here. When a virtualized environment is detected, unlike many other Trojans that stop working, Citadel will continue to operate, but behaves in a different manner. It will generate a unique machine-dependent domain name, obviously fake, and try to connect to this server unsuccessfully, making one believe that the bot is dead and its command and control server is offline, while the real C&C domain is kept hidden.

[..]

via S21sec Security Blog: Citadel Updates: Anti-VM and Encryption change.

12.06.2012

The announcement of a new version of Citadel was recently spotted on a public forum.

Citadel version 1.3.4.5 adds several interesting features, like an anti-emulator and a new encryption algorithm based on RC4.


[...]

[+] Added anti-emulator, which allows you to protect your botnet from reversing and from getting into trackers. When started, the build detects whether it is running in a virtual machine or a sandbox (CWSandbox, VMware, VirtualBox, Sandbox); it then starts to behave differently and your botnet goes unnoticed. Details were not disclosed, as the announcement is public and the technology is very tricky.

[...]

[+] Since the previous encryption algorithm was cracked a few months later, some customers got into ZeusTracker because of this. We have developed and implemented a new encryption algorithm based on a modified RC4. The cryptography uses a special key known only to the client, which is required for decryption. Because each client has its own individual key, the rest will no longer suffer from one client. If one gets caught, the others will be protected. Now we are completely isolated from automatic analysis of builds. As a result, we obtain two-level authorization and protection from bot trackers.

[...]

via Update to Citadel : v.1.3.4.5 | Malwares dont need Coffee.

05.06.2012

The Research page has just been updated with all our recent activities and the results reached so far.

A special thanks to all the graduated students from UNIMI-DTI who have contributed to our project. Hope to see you around again, guys!