almost done - The Italian Honey Project


Uploaded 5 Feb 2013


The Italian Honeynet Chapter

Status Report

Agenda

- The Italian HP chapter
- Goals achieved
- Ongoing progress
- Expected goals
- 3D-Problems
- Conclusion


The Italian HP Chapter

- Founded in 2009
- Built around the Dorothy project
  - A framework for tracking botnets
- Currently composed of 4 volunteers
  - Marco Riccardi: R&D Researcher @ Barcelona Digital
  - Marco Cremonini: Assistant Professor @ University of Milan
  - Davide Cavalca: Information Security Advisor, Freelancer
  - Luigi D'Amato: CTO @ Partner Security Lab / Member @ Zone-H




Goals achieved during 2010

Goals achieved 1/3

- Java Dorothy Drone Improvement (JDrone)
  - Tool for (IRC) botnet infiltration
  - Totally rewritten in Java
    - totally multiplatform
    - yes, even on Windows!
  - Distributed infrastructure
    - Distributed drone instances
    - One central Log Server
    - One Authentication Server

The JDrone: how does it work?

[Diagram. Components shown: two C&C servers (C&C #1, C&C #2), each labelled "C&C IP: 11.11.11.11:6666" and issuing Command#1, Command#2, Command#3; JD-Drone instances attached to each C&C; the Authentication Server; the Log Server; and the Dorothy Web GUI fed by the Log Server.]
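As an added illustration of the drone-to-Log-Server path in the diagram above (example code written for this page, not JDrone or Dorothy code), the sketch below parses a constructed IRC session as a drone would see it after joining a C&C channel, keeps only herder commands, and wraps each one in a signed log record. The "!verb args" command syntax, the JSON-plus-HMAC-SHA256 envelope, the idea that the Authentication Server hands each drone the HMAC key, and all hostnames and addresses are assumptions for the example; it is written in Ruby because that is the language the framework is being ported to.

```ruby
require 'json'
require 'openssl'
require 'time'

# Constructed sample of what a drone sees after joining a C&C channel.
# The "!verb args" syntax is an assumption for this example; real IRC
# bot families each speak their own dialect.
SAMPLE_SESSION = [
  ":irc.example.net 001 drone01 :Welcome to the network",
  ":irc.example.net 332 drone01 #bots :!dl http://203.0.113.5/upd.exe",
  ":master!herder@203.0.113.9 PRIVMSG #bots :!ddos 198.51.100.7 80 60",
  ":master!herder@203.0.113.9 PRIVMSG #bots :hello bots",
  "PING :irc.example.net",
  ":master!herder@203.0.113.9 TOPIC #bots :!update http://203.0.113.5/v2.exe"
].freeze

# Where bot commands usually arrive: channel messages, topic changes,
# and the topic replayed on join (numeric 332).
COMMAND_SOURCES = %w[PRIVMSG TOPIC 332].freeze

# Split one raw IRC line into prefix, command, middle params and trailing text.
def parse_irc_line(line)
  rest = line.chomp
  prefix = nil
  if rest.start_with?(':')
    prefix, rest = rest[1..].split(' ', 2)
    rest ||= ''
  end
  body, trailing = rest.split(' :', 2)
  parts = body.to_s.split(' ')
  { prefix: prefix, command: parts[0], params: parts[1..] || [], trailing: trailing }
end

# Pull a herder command out of a parsed message, or nil if it is noise.
def extract_command(msg)
  return nil unless COMMAND_SOURCES.include?(msg[:command])
  return nil unless msg[:trailing].to_s.start_with?('!')
  verb, *args = msg[:trailing].split(' ')
  { channel: msg[:params].last, issuer: msg[:prefix],
    verb: verb.delete_prefix('!'), args: args }
end

# One log record as the drone hands it to the central Log Server.
# Envelope (assumed): JSON body plus HMAC-SHA256 over it, keyed with a
# per-drone secret that the Authentication Server issued at enrolment.
def build_log_record(cc, cmd, drone_id, key, seen_at = Time.now.utc)
  body = JSON.generate({ drone: drone_id, cc: cc, seen_at: seen_at.iso8601, command: cmd })
  { body: body, mac: OpenSSL::HMAC.hexdigest('SHA256', key, body) }
end

# Constant-time comparison so a forged record cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Log Server side: accept the record only if the MAC matches the drone's key.
def verify_log_record(rec, key)
  secure_equal?(OpenSSL::HMAC.hexdigest('SHA256', key, rec[:body]), rec[:mac])
end

# Drone side: parse a session, keep only real commands, sign each record.
def track_session(lines, cc:, drone_id:, key:)
  lines.map { |l| extract_command(parse_irc_line(l)) }
       .compact
       .map { |c| build_log_record(cc, c, drone_id, key) }
end

if __FILE__ == $PROGRAM_NAME
  key = 'per-drone-secret' # assumed: provisioned by the Authentication Server
  track_session(SAMPLE_SESSION, cc: '11.11.11.11:6666', drone_id: 'drone01', key: key).each do |r|
    puts "#{verify_log_record(r, key) ? 'OK ' : 'BAD'} #{r[:body]}"
  end
end
```

The point of signing on the drone rather than trusting the transport is that drones sit on untrusted networks next to the C&C; a record the Log Server cannot verify is dropped instead of polluting the Dorothy database, and the chatter that is not a command (welcome numerics, PINGs, plain channel talk) never leaves the drone.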

Goals achieved 2/3

- Relationships formed
  - Telecom Italia, Security Lab (honeypot implementation, knowledge sharing)
  - Barcelona Digital (server hosting, knowledge sharing)
- Graduating student support
  - Five graduating students of the University of Milan (DTI) are currently doing their final thesis on Dorothy-related sub-projects:
    - The JDrone Project - Patrizia Martemucci, Andrea Cavenago
    - Botnet Protocol Analysis - Marco Addario (04/2011)
    - Zeus analysis/detection module - Giampaolo Dedola (02/2011)
    - Low-Interaction Honeypot Implementation - Stefano Fornara (internship at Telecom Italia Labs, 04/2011)

Goals achieved 3/3

- Attended conferences
  - Italian Security Summit 2010, Milan, IT
  - inBot 2010, Bonn, DE
  - APWG 2010, Dallas, USA* (paper presented)
- Two IEEE publications
  - The Dorothy Project: An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization - Cremonini M., Riccardi M.
  - A framework for financial botnet analysis - Riccardi M., Cremonini M., Oro D., Vilanova M., Luna J.
- Awards:
  - Second place at "Best Italian thesis on information security", Clusit 2010
  - IEEE eCrime Fighters Scholarship Award, APWG 2010*

*Paper presented by Barcelona Digital. However, the proposed system heavily relies on a customized version of Dorothy.

Ongoing progress

Ongoing progress 1/2

- Porting to Ruby
  - (+ Rails ...I wish..)
- Porting the virtualization module to VMware ESXi
- Testing the first beta of the JDrone
  - any volunteers for beta testing?
- Compatibility with HTTP botnets (Zeus + SpyEye as first)
  - For Zeus 1.x almost done

Ongoing progress 2/2

- Database migration to Postgres - almost done
- Improving visualization techniques (FlashCharts) - almost done
- Improving the Web GUI
  - Improving "real time" data visualization (AJAX)
  - Improving its interactiveness
  - ...still waiting to kick off this task




Future Goals

"What are we going to do tonight, Brain?"

Tactical goals

- Tool improvements
  - Implement the new Dorothy framework
    - Finish the database implementation
    - Finish the Ruby porting phase
    - Finish the new visualization module
  - Execute Dorothy 24h x 7d
  - Release the first beta of the JDrone
- Honeypot implementation
  - Implement at least 10 new low-interaction honeypots (dionaea + mwcollectd) among USA, EU, ASIA


Strategic goals

- Presentations
  - 2011 Honeynet Project Annual Workshop, Paris (Done!)
  - Presentation about the JDrone as soon as a stable version is released
    - ...as much as possible!
- Publications
  - One about data gathered from the new version of the framework (JDrone included)
  - ...others will depend on the development progress
- Improve relationships
  - Italian/Spanish universities
  - Italian/Spanish CERTs
  - Italian/Spanish LEAs



3D-Problems

- Resources ($)
  - Dorothy needs a big server for its malware analysis module
  - After 3 years, finally we found it!
- Time (dT)
  - The big majority of the people involved are currently working for private companies (even the graduating students)...
  - The whole project is totally developed during spare time (very low!)
- Space (dS)
  - 4 members, 4 cities, 4 companies, 3 countries
  - Lack of coordination
  - Slow development


Conclusion

- Almost two years of development
  - So far so good...
- Ongoing work
  - Dorothy improvement, second version close to being released
- Expectations
  - Clear and concrete goals
- Problems
  - Our 3D problem vision

Let's - Demo!

- The Dorothy WGUI
- The JDrone

Questions?

Thank you

Marco Riccardi
marco.riccardi@honeynet.it
mriccardi@bdigital.org
skype: m4rco-

Website: www.honeynet.it