2013
08.11

The last version of Dorothy introduces lots of improvements.

First, a new analysis mode has been added: manual analysis.
If Dorothy is executed with the -m parameter, it will fetch the malware, copy it into the sandbox, start the sniffer and then pause the whole execution flow, waiting for the analyst's next action. This flow control allows the analyst to log into the sandbox (through RDP, for example) and prepare it for ad-hoc runtime scenarios, or simply to "watch" the system's behaviour once the malicious binary is executed. When Dorothy is executed in this way, multi-threading is obviously disabled, so it handles one malware sample at a time. Finally, during manual analysis an interactive console is prompted, allowing the analyst to control the other Dorothy modules/actions, e.g. take a screenshot, save the running processes, etc.
I found it very handy for ad-hoc scenarios, or simply for malware analysis presentations/demos.

BTW: the next version of Dorothy will spawn a VNC session and connect to the sandbox via the VMware VNC port (this way, the network sniffer won't see the usual RDP traffic).

Next, Dorothy is now able to detect newly spawned processes. Its approach is completely off-the-box and relies on a very basic forensic technique: compare the processes in execution with the ones recorded during a "baseline" analysis.
The "baseline" analysis is the novelty of this version. During the first configuration of Dorothy the analyst is guided through making the "baseline" of his sandboxes (currently it is assumed that all the sandboxes are the same, i.e. same OS, same running processes).
Once completed, the baseline analysis will create a YAML file in Dorothy's folder, with all the processes in execution together with their details, e.g. creation date, exit code, etc.
In the future, Dorothy may use the same technique to compute filesystem modifications as well (there is already a method coded in its libs).
Consequently, a new table has been created in Dorothive to store all the process information. So if you are upgrading Dorothy from a past version, be sure to read the UPDATE file.
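To make the baseline idea concrete, here is an added Ruby example (not Dorothy's own code) of the comparison step: a process list captured during the clean "baseline" run is diffed against the list captured after the sample ran. Both lists are constructed inline as YAML so the script runs offline; the field names (pid, name, path, creation_date) and the two triage labels are assumptions for this example, not Dorothy's schema. Processes are matched on executable name and path rather than PID, since PIDs are reused between reboots, and a known name running from an unexpected path is reported separately.

```ruby
require 'yaml'

# Constructed baseline: the guest's process list during the clean "baseline" run.
# In Dorothy this would come from the YAML file it writes; here it is inline.
BASELINE_YAML = <<~'YAML'
  - pid: 4
    name: System
    path: ""
    creation_date: "2013-08-11 09:00:01"
  - pid: 412
    name: smss.exe
    path: C:\Windows\System32\smss.exe
    creation_date: "2013-08-11 09:00:02"
  - pid: 780
    name: svchost.exe
    path: C:\Windows\System32\svchost.exe
    creation_date: "2013-08-11 09:00:05"
  - pid: 1024
    name: explorer.exe
    path: C:\Windows\explorer.exe
    creation_date: "2013-08-11 09:00:10"
YAML

# Constructed listing captured after the sample was executed in the same guest.
RUNTIME_YAML = <<~'YAML'
  - pid: 4
    name: System
    path: ""
    creation_date: "2013-08-11 09:00:01"
  - pid: 412
    name: smss.exe
    path: C:\Windows\System32\smss.exe
    creation_date: "2013-08-11 09:00:02"
  - pid: 780
    name: svchost.exe
    path: C:\Windows\System32\svchost.exe
    creation_date: "2013-08-11 09:00:05"
  - pid: 1024
    name: explorer.exe
    path: C:\Windows\explorer.exe
    creation_date: "2013-08-11 09:00:10"
  - pid: 1988
    name: sample.exe
    path: C:\Users\analyst\Desktop\sample.exe
    creation_date: "2013-08-11 09:12:44"
  - pid: 2040
    name: svchost.exe
    path: C:\Users\analyst\AppData\Local\Temp\svchost.exe
    creation_date: "2013-08-11 09:12:45"
YAML

def load_processes(yaml_text)
  YAML.safe_load(yaml_text) || []
end

# Identity of a process for comparison purposes: name + path, case-insensitive.
# PIDs are deliberately ignored because they are reused across reboots.
def process_key(proc)
  [proc['name'].to_s.downcase, proc['path'].to_s.downcase]
end

# Returns the runtime processes that are absent from the baseline, each tagged
# with a reason (assumed labels for this example):
#   :new        -> a name never seen in the baseline
#   :masquerade -> a baseline name running from an unexpected path
def new_processes(baseline, runtime)
  baseline_keys  = baseline.map { |p| process_key(p) }
  baseline_names = baseline.map { |p| p['name'].to_s.downcase }

  runtime.reject { |p| baseline_keys.include?(process_key(p)) }.map do |p|
    reason = baseline_names.include?(p['name'].to_s.downcase) ? :masquerade : :new
    p.merge('reason' => reason)
  end
end

def report(baseline_yaml = BASELINE_YAML, runtime_yaml = RUNTIME_YAML)
  new_processes(load_processes(baseline_yaml), load_processes(runtime_yaml))
end

if __FILE__ == $PROGRAM_NAME
  report.each do |p|
    puts format('[%-10s] pid=%-5d %s (%s) started %s',
                p['reason'], p['pid'], p['name'], p['path'], p['creation_date'])
  end
end
```

Run it as a script and it prints two lines: sample.exe as a new process and the Temp-folder svchost.exe as a masquerade. The same diff also explains why the baseline must be re-taken whenever the sandbox image changes: every legitimate process added to the image would otherwise show up as "new" in each report.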

Another important improvement is the extensions file. To instruct the sandbox on how to execute the fetched binaries, the analyst can now edit the extensions.yml file and decide how to handle each type, e.g. open PDF files with a certain version of Acrobat, execute .exe files with certain parameters, and so on.
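The following Ruby example (added here, not Dorothy's code) shows how such an extension-to-command mapping can be consumed. The YAML layout (one key per extension with `desc` and `cmd`, a `%SAMPLE%` placeholder and a `default` entry) is an assumption made for this example and is not Dorothy's real extensions.yml schema. It also goes one step beyond the post: because Windows dispatches on the last extension only, a file such as invoice.pdf.exe is treated as an executable, and the function compares the chosen type against the file's first bytes so a mismatch (e.g. a PE file named .pdf) is surfaced to the analyst instead of silently launching the wrong handler.

```ruby
require 'yaml'

# Constructed extensions.yml content. The schema is an assumption for this
# example; %SAMPLE% stands for the sample's path inside the guest.
EXTENSIONS_YAML = <<~'YAML'
  exe:
    desc: Windows executable
    cmd: '"%SAMPLE%"'
  pdf:
    desc: PDF document, opened with a specific Reader build
    cmd: '"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" "%SAMPLE%"'
  doc:
    desc: Word document
    cmd: '"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE" "%SAMPLE%"'
  default:
    desc: Unknown type, let the guest shell pick the handler
    cmd: 'cmd.exe /c start "" "%SAMPLE%"'
YAML

# Minimal magic-byte table: PE/MZ executables, PDF, and OLE2 (legacy Office).
MAGIC = {
  'MZ'.b                  => 'exe',
  '%PDF-'.b               => 'pdf',
  "\xD0\xCF\x11\xE0".b    => 'doc'
}.freeze

def load_extensions(yaml_text)
  YAML.safe_load(yaml_text)
end

# Windows uses the last extension, so "invoice.pdf.exe" resolves to "exe".
# A file with no extension falls back to the "default" rule.
def extension_of(filename)
  ext = File.extname(filename).delete_prefix('.').downcase
  ext.empty? ? 'default' : ext
end

# Type guessed from the first bytes of the file, or nil when unknown.
def type_from_header(header)
  bytes = header.b
  MAGIC.each { |sig, type| return type if bytes.start_with?(sig) }
  nil
end

# Builds the guest command line for a sample. Returns a hash with:
#   :cmd     -> the command with %SAMPLE% substituted
#   :type    -> the rule that was selected (by extension)
#   :warning -> nil, or a note when the header disagrees with the extension
def build_command(extensions, guest_path, header = '')
  ext  = extension_of(guest_path)
  rule = extensions[ext] || extensions.fetch('default')
  real = type_from_header(header)
  warning = (real && real != ext) ? "extension #{ext} but header says #{real}" : nil
  { cmd: rule['cmd'].gsub('%SAMPLE%', guest_path), type: ext, warning: warning }
end

if __FILE__ == $PROGRAM_NAME
  exts = load_extensions(EXTENSIONS_YAML)
  # Constructed inputs: a PE file hiding behind a .pdf name, and a true double extension.
  [['C:\Users\analyst\Desktop\report.pdf', "MZ\x90\x00"],
   ['C:\Users\analyst\Desktop\invoice.pdf.exe', "MZ\x90\x00"],
   ['C:\Users\analyst\Desktop\sample.bin', "\x00\x01"]].each do |path, head|
    r = build_command(exts, path, head)
    puts "#{r[:type].ljust(8)} #{r[:cmd]}"
    puts "   WARNING: #{r[:warning]}" if r[:warning]
  end
end
```

The header check is cheap and catches the common case where the fetched file's name lies about its type; whether to run the sample anyway, or to override the rule from the interactive console during a manual (-m) run, is the analyst's call.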

Lastly, lots of improvements have been made to the code, which is now more readable and reliable.

That’s all for the moment, hope you will enjoy the new version of Dorothy!

m4rco-

2 comments so far

  1. Hey there and thank you for your information – I've certainly picked up something new from right here.
    I did however experience several technical issues using this website, since I had to
    reload the site many times before I could get it to load properly.
    I had been wondering if your web hosting is OK? Not that I'm complaining, but slow
    loading times will often affect your placement
    in Google and can damage your quality score if advertising and marketing with AdWords.
    Anyway I'm adding this RSS to my e-mail and can look out
    for a lot more of your respective exciting content.
    Make sure you update this again very soon.

  2. I would like to thank you for the efforts you have put into writing this site.
    I really hope to check out the same high-grade content by you later on as well.
    In truth, your creative writing abilities have encouraged me to get my own personal site now ;)
