The new version of dorothy2 is out!

27 Oct 2014 Marco Riccardi dorothy forensics sandbox

Howdy all,
The Italian Chapter is proud to release the latest version of dorothy2 (our ruby-based malware analysis framework) :).
This version introduces several new features. A lot of work has been done on the core system, making the whole framework even more modular and customisable. A minimal web GUI written in Sinatra has also been introduced so that the analyst can browse the results. Binaries can now also be uploaded directly from the web.
Particular attention has been paid to the network part: on the sample’s summary page the analyst is now able to download the pcap of every single network flow, in order to analyse it manually whenever needed.
This version also introduces “analysis profiles”, which give the researcher the possibility to run analyses on a set of binaries using different environments (OS versions, sandbox timeout, number of screenshots, etc.). As is well known, some malware runs only in a specific environment, and this feature helps guarantee the successful execution of such samples. A CSIRT might also use this feature to test suspicious malware only against an environment that reflects the one used by its customers. Sources can also be configured to be automatically analysed with certain profiles (e.g. use Profile_Windows_30sc for all the binaries retrieved by Kippo_source).
Lastly, Dorothy is now able to fetch binaries from a mailbox as well (including when an email is forwarded “As Attachment”). This can be useful for anyone who wants to set up an email analysis sinkhole and redirect all incoming spam there.

Unveiling Dorothy2: a malware/botnet analysis framework written in Ruby.

09 Jun 2013 Marco Riccardi botnet dorothy malware sandbox

Howdy all,
I have the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine in which a suspicious executable was executed. However, static binary analysis and system behavior analysis will shortly be introduced in future versions.
Dorothy is a multi-threaded framework: it can run as many concurrent analysis processes as there are VMs in vSphere. So if you have 5 VMs, for example, 5 binaries will be analyzed at a time, giving you 5 different output folders, each containing the corresponding network traffic and screenshots.
It is a very modular framework, and customizing/extending it can be very easy.
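As an added illustration (not dorothy2’s own code or configuration format) of how the analysis profiles and per-source routing described in the 2014 post combine with the one-analysis-per-VM concurrency described above, the following Ruby model routes each binary to a profile by its source and bounds the number of concurrent runs by the number of VMs; profile names, source names, sample hashes and the sandbox stand-in are constructed for this example.

```ruby
# Illustrative model constructed for this post, not dorothy2's own config or API:
# a profile fixes the sandbox environment (OS, timeout, screenshots) a binary runs in.
Profile = Struct.new(:name, :os, :timeout, :screens)
PROFILES = {
  'Profile_Windows_30sc'  => Profile.new('Profile_Windows_30sc', 'WinXP', 30, 3),
  'Profile_Windows_120sc' => Profile.new('Profile_Windows_120sc', 'Win7', 120, 6),
}.freeze
# Per-source routing: Kippo_source binaries get the 30-second profile; sources not
# listed fall back to DEFAULT_PROFILE (profile and source names are hypothetical).
SOURCE_PROFILES = { 'Kippo_source' => 'Profile_Windows_30sc' }.freeze
DEFAULT_PROFILE = 'Profile_Windows_120sc'
def profile_for(source)
  PROFILES.fetch(SOURCE_PROFILES.fetch(source, DEFAULT_PROFILE))
end
# One worker thread per VM, so at most vm_count binaries are analysed at a time;
# `analyze` receives (binary, profile) and returns a result hash for that run.
def schedule(binaries, vm_count, &analyze)
  queue = Queue.new
  binaries.each { |b| queue << b }
  queue.close                       # pop returns nil once the queue is drained
  results, lock = [], Mutex.new
  workers = Array.new(vm_count) do |vm_id|
    Thread.new do
      while (binary = queue.pop)
        r = analyze.call(binary, profile_for(binary[:source])).merge(vm: vm_id)
        lock.synchronize { results << r }
      end
    end
  end
  workers.each(&:join)
  results
end
# Constructed sample input: four binaries from two sources, analysed on three VMs.
SAMPLE = [
  { sha256: 'sample-hash-1', source: 'Kippo_source' },
  { sha256: 'sample-hash-2', source: 'Mail_source' },
  { sha256: 'sample-hash-3', source: 'Kippo_source' },
  { sha256: 'sample-hash-4', source: 'Mail_source' },
].freeze
# Runs the scheduler with a stand-in sandbox; returns [results, peak concurrency seen].
def demo(vm_count = 3)
  running, peak, lock = 0, 0, Mutex.new
  results = schedule(SAMPLE, vm_count) do |binary, profile|
    lock.synchronize { running += 1; peak = [peak, running].max }
    sleep 0.01                      # stand-in for a VM run of profile.timeout seconds
    lock.synchronize { running -= 1 }
    { sha256: binary[:sha256], profile: profile.name, timeout: profile.timeout }
  end
  [results, peak]
end
```

Each result records which VM slot ran the sample and under which profile, mirroring the per-binary output folders the post describes.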

Italian Chapter updates

16 Dec 2009 Marco Riccardi botnets dorothy visualization

Folks,

I would like to inform you all about the activities we have recently been working on.

First of all, we have totally rebuilt our web site. The new one aims to be a central repository of all the (external/internal) news concerning botnets (mainly) and malware (secondarily).
We will use the blog to post about our project developments and to comment on and report interesting news concerning the field we are currently working in, so you can now add a new entry to your feed reader :)
The repository section aims to maintain a complete library of all the publications written (by us or others) to date about botnets. Each one can be tagged and classified, giving researchers an easy way to search for what they need. If you have a paper/doc about botnets, we will be proud to upload it here!
The Dorothy section is the web GUI of the framework I developed for IRC botnet tracking through interactive visualization. You may have seen it before (I posted the link to this mailing list some months ago); since then I have improved the GUI, adding a “malwares” task for each C&C and providing an afterglow graph for each malware and for each C&C.
We are also maintaining a wiki, where you can find all the information about our tools/activities: you are all invited to contribute to it. The wiki has recently been “plugged” into the GUI, making it possible to create a new page for each C&C so that every researcher can write up their own investigation of it.