Next Tuesday (October 19) I am going to present a research-in-progress paper that I wrote with the e-Crime team of Barcelona Digital and Marco Cremonini of the Department of Information Technology at the Università degli Studi di Milano.

The title of our paper is “A Framework For Financial Botnet Analysis”, and it will be presented at the Anti-Phishing Working Group (APWG) conference, which this year is held in Dallas. The work is a research study still in progress, aimed at developing new detection and mitigation strategies to cope with financial botnets.

The proposed research relies in part on a customized version of the Dorothy Framework, which in turn advances the framework's overall state of development. The Italian Chapter of the Honeynet Project is proud to see its work being put to use for this purpose as well, and this publication will encourage its future research.


Some blogs, stories, and white papers that covered SpyEye have been released, but none of them really talked about the interface and how criminals may be using it.

The actual interface is broken down into two components. The first component is the front-end interface called “CN 1” or “Main Access Panel.” This interface is where the bot master can interact with the bots. It shows statistics in relation to infected machines.

The second interface is more like the back end and is called “SYN 1” or “Formgrabber Access Panel.” This interface actually collects and logs data. Moreover, it also allows the bot master to make queries against the collected data and to view the stolen data through the interface. In this post, the first one in a two-post series, we will look at CN 1 and how it may be used.


via The SpyEye Interface, Part 1: CN 1 | Malware Blog | Trend Micro.


The Internet Engineering Task Force (IETF) approved a customized version of the XML-based Incident Object Description Exchange Format (IODEF). Extensions have been added to it that are appropriate for creating standard e-crime reports.

The format allows for unambiguous time stamps, support for different languages and a feature to attach samples of malicious code. It solves the problem facing the security industry of inconsistent reports, which make it harder to spot trends and react faster. [...]

via IETF approves e-crime reporting format – Computerworld.
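As an added illustration (not code from the Computerworld article, the IETF, or this blog), the following Python script builds a minimal IODEF 1.0 document (RFC 5070, the base format the e-crime extension rides in) and checks it for the three properties the excerpt names: time stamps that are unambiguous (RFC 3339 with an explicit offset or "Z"), a language tag on the document and its description, and an attached sample carried as base64 in an AdditionalData element. The phishing-specific extension elements of the approved format are not modelled; the issuing CSIRT name, the contact, the incident numbers and the sample bytes are constructed placeholders.

```python
"""Build and sanity-check a minimal IODEF 1.0 (RFC 5070) e-crime report."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
XML_NS = "http://www.w3.org/XML/1998/namespace"   # namespace of xml:lang
XML_LANG = f"{{{XML_NS}}}lang"
ET.register_namespace("", IODEF_NS)               # serialize IODEF as the default namespace

# RFC 3339 date-time with an explicit offset or 'Z'. A bare local time such as
# "2010-10-19 08:30:00" cannot be placed on a global timeline and is rejected.
RFC3339 = re.compile(
    r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")

# Constructed stand-in for a captured sample; not real malware.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-not-real-malware"

# IODEF elements whose content is a DATETIME.
TIME_TAGS = ("DetectTime", "StartTime", "EndTime", "ReportTime", "DateTime")


def q(tag):
    """Namespace-qualified IODEF tag name for ElementTree."""
    return f"{{{IODEF_NS}}}{tag}"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_report(incident_id, detect_time, report_time, description,
                 lang="en", sample=None, sample_name="sample"):
    """Return a minimal IODEF-Document with one Incident as an XML string.

    The IncidentID 'name' (issuing CSIRT) and the Contact are placeholders.
    """
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", XML_LANG: lang})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    ET.SubElement(inc, q("IncidentID"), {"name": "csirt.example.org"}).text = incident_id
    ET.SubElement(inc, q("DetectTime")).text = detect_time
    ET.SubElement(inc, q("ReportTime")).text = report_time
    ET.SubElement(inc, q("Description"), {XML_LANG: lang}).text = description
    ET.SubElement(ET.SubElement(inc, q("Assessment")), q("Impact"),
                  {"type": "social-engineering", "completion": "succeeded"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = "Example CSIRT"
    if sample is not None:
        # dtype="file": the element content is the base64-encoded binary (RFC 5070, 3.6).
        att = ET.SubElement(inc, q("AdditionalData"), {"dtype": "file", "meaning": sample_name})
        att.text = base64.b64encode(sample).decode("ascii")
    return ET.tostring(doc, encoding="unicode")


def check_report(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != q("IODEF-Document"):
        return [f"root element is {root.tag}, not IODEF-Document"]
    if not root.get(XML_LANG):
        problems.append("IODEF-Document lacks xml:lang")
    for tag in TIME_TAGS:
        for el in root.iter(q(tag)):
            value = (el.text or "").strip()
            if not RFC3339.match(value):
                problems.append(f"{tag} '{value}' is not RFC 3339 with an explicit offset")
    for inc in root.iter(q("Incident")):
        iid = inc.find(q("IncidentID"))
        if iid is None or not iid.get("name"):
            problems.append("Incident lacks an IncidentID with a 'name' (issuing CSIRT)")
        if inc.find(q("Contact")) is None:
            problems.append("Incident lacks a Contact")
    for att in root.iter(q("AdditionalData")):
        if att.get("dtype") == "file":
            try:
                base64.b64decode(att.text or "", validate=True)
            except ValueError:   # binascii.Error is a ValueError
                problems.append(f"attachment '{att.get('meaning')}' is not valid base64")
    return problems


def attached_samples(xml_text):
    """Return (meaning, sha256) for each base64 file attachment in the report."""
    root = ET.fromstring(xml_text)
    out = []
    for att in root.iter(q("AdditionalData")):
        if att.get("dtype") == "file":
            data = base64.b64decode(att.text or "", validate=True)
            out.append((att.get("meaning"), sha256_hex(data)))
    return out


if __name__ == "__main__":
    good = build_report("189493", "2010-10-19T08:30:00+02:00", "2010-10-19T09:00:00Z",
                        "Kit di phishing ospitato su un sito compromesso", lang="it",
                        sample=SAMPLE_BYTES, sample_name="kit.zip")
    print(good)
    print("good report problems:", check_report(good))
    print("attachments:", attached_samples(good))
    bad = build_report("189494", "2010-10-19 08:30:00", "2010-10-19T09:00:00Z", "local time only")
    print("bad report problems:", check_report(bad))
```

The timestamp check is the one that matters most in practice: a report that says "08:30" without an offset is read differently by every receiver, which is exactly the inconsistency the excerpt says the format is meant to remove. Hashing the decoded attachment gives the receiver a value to match against other reports before the sample is even opened.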