I would like to wish you a beautiful Christmas Eve!
Special wishes to our team, especially to those who daily devote their time to contributing to our project.
Claudio Guarnieri, Andrea Cavenago, and Patrizia Martemucci recently worked hard on developing new modules of the Dorothy framework (a malware analysis module, and the new dorothy-drone). Many thanks for their support; I hope that during the next year they will continue to give their fruitful contribution.

Next year we will be back in action, and releasing the new version of Dorothy (Dorothive) will be the primary project goal. So stay tuned!

Best Regards,




I would like to inform you all about the recent activities we are attempting to achieve.

First of all, we have totally rebuilt our web site. This new one aims to be a central repository of all the (external/internal) news concerning botnets (mainly) and malware (secondarily).
We will use the blog for posting about our project developments, and for commenting on/reporting interesting news concerning the field we are currently treating, so you can now add a new entry to your feed reader 🙂
The repository section aims to maintain a complete library of all the publications written (by us or others) until today about botnets. Each one can be tagged and classified to give an easy way of searching for what a researcher needs. If you have a paper/doc about botnets, we will be proud to upload it here!
The Dorothy section is the web GUI of the framework developed by me for IRC botnet tracking through interactive visualization. Maybe you have seen it before (I posted the link in this mailing list some months ago); since then I’ve improved the GUI, adding a “malware” task for each C&C, and providing an afterglow graph for each malware sample and for each C&C.
We are also maintaining a Wiki, where you can find all information about our tools/activities: you are all invited to contribute to it. The wiki has recently been “plugged” into the GUI, giving the possibility to create a new page for each C&C; in this way, every researcher can write about his own investigation of it.

Then I would like to introduce two new chapter members: Emanuele Goldoni and Davide Cavalca.
I asked them to join our team after reading their research work regarding the development of an automated framework for malware analysis and IRC/web botnet tracking.
Their tool “HIVE” is really similar to the one developed by me, but presents a more robust data architecture. Dorothy and HIVE were developed to achieve the same goal; whereas the first focuses on visualization methods as its strong point, the second treats the acquisition process in a more engineered manner: the data repository has been designed to be capable of receiving data from a wide sensor deployment.
We are currently defining the details of a possible collaboration between the Information Technology Department of the University of Milan and the Networking Lab of the University of Pavia (where Emanuele works as a researcher). Both universities are currently offering their graduating students the chance to conduct their diploma theses on the improvement of our framework. Currently, we are following the work of three students: one is developing a new multiplatform drone for IRC botnet tracking, and the others are developing a dedicated framework for malware analysis (static and dynamic).
Currently, Davide and I are developing a new integrated framework (Dorothive) that inherits all the goodness of our previous tools.
Thanks to Davide and Emanuele’s contribution, our chapter is growing fast; they are very skilled people and are as motivated as I am to make our chapter as interesting as possible: working with them is a real pleasure.

I ask you all to view our new site; to access the private sections (wiki, Dorothy) you need to register.
Currently registrations are not open to the wide public, so if you want an account please let me know and I will provide you one.

Please give us your feedback/comments/suggestions/criticisms/anything; we will consider it a treasure!

Best Regards,



Message Labs' list of top 10 botnets in 2009

via Top 10 botnets and their impact.


A new wave of a Zeus bot (Zbot) variant was spotted taking advantage of Amazon EC2’s cloud-based services for its C&C (command and control) functionalities.

via Zeus “in-the-cloud” – CA Security Advisor Research Blog.


Messages are enticing recipients to visit a webpage proudly displaying the Center for Disease Control logo, from which they can download their ‘H1N1 Vaccine Profile Archive.’ The ‘archive’ is, in reality, the installer program for the Zeus bot, which will place a keylogger on your machine and try to steal your personal data.

via The Zeus botnet strikes again.