Sysenter Chapter Status Report 2013


The Sysenter Chapter was founded in August 2010 and currently consists of the following people:

  • Angelo Dell'Aera
  • Andrea De Pasquale
  • Charlie Hurel
  • Gianluca Guida
  • Guido Landi
  • Patrik Lantz
  • Pietro Delsante
  • Roberto Tanara
  • Yuriy Khvyl

The Chapter members are interested in research projects covering the following topics:

  • Automated botnet tracking
  • Low-interaction client honeypots
  • Automated malware collection and analysis systems
  • Distributed honeynet deployment, operation and data analysis
  • Intrusion detection
  • Reverse engineering
  • Mobile malware analysis
  • Virtualization
  • Computer forensics


  • We finalized the deployment of an instance of CuckooBox with a large set of virtual machines, with custom analyzer modules that should help us tracking the latest Infostealer menaces (Citadel, Ice IX, Murofet, Zeus, SpyEye, etc). We also contributed to the development of Cuckoo 1.0 with several commits.
  • We have deployed several Honeeebox sensors. Recorded attacks and malware samples are submitted to HPFeeds.
  • We have deployed a Splunk instance to collect and monitor HPFeeds data and started the evaluation of some visualization modules.


  • We are currenty developing Thug, a Python low-interaction honeyclient. Moreover we are currently planning developing Thug plugins for PDF and JAR analysis.
  • We are current developing Buttinsky, a botnet monitoring tool. The project was selected for the second round of Rapid7 Magnificent7 program. Some documentation and what steps we want to take next are listed here. The main feature we would like to implement in the next future is about the possibility to infer the message format and state machine using machine learning of an unknown protocol. 
  • We improved Droidbox, an Android application sandbox.
  • We improved TIP (Tracking Intelligence Project), an information gathering framework whose purpose is to autonomously collect, correlate and analyze data useful for understanding Internet threat trends.
  • We improved Pylibemu, a Libemu wrapper written in Cython.
  • We are strictly monitoring the development of the ZeuS malware variants appeared after the release of the source code of ZeuS Citadel, Ice IX, Murofet and several other custom variants with a smaller media impact but with new interesting features added.
  • We studied some new samples of mobile malware and some new exploit kits serving APKs instead of regular PE executables


We held a lecture on Android dynamic analysis and specifically DroidBox during UbiCrypt (reverse-engineering summer school) hosted by Ruhr-Universität Bochum and Thorsten Holz research group. This also gave us the opportunity to promote GSoC and The Honeynet Project for the students.

Moreover we were frequently engaged for educational presentations or for teaching university classes on new emerging threats-related topics.


In 2014 we would like to continue improving the tools we have already released (see Section "Research and Development" for further details).


  • We are currently leading the Forensic Challenge organization efforts.
  • We are currently involved in maintaining the Honeynet Project infrastructure.