The new version of dorothy2 is out!

27 Oct 2014 Marco Riccardi dorothy forensics sandbox

Howdy all,
The Italian Chapter is proud to release the latest version of dorothy2 (our ruby-based malware analysis framework) :).
This version introduces several new features. A lot of work has been done on the core system, making the whole framework even more modular and customisable. A basic web GUI written in Sinatra has also been introduced so that the analyst can browse the results. Binaries can now also be uploaded directly from the web.
Particular attention has been paid to the network side: from the sample's summary page the analyst can now download the pcap of every single network flow for manual analysis whenever needed.
This version also introduces "analysis profiles", which give the researcher the possibility to run analyses on a set of binaries using different environments (OS versions, sandbox timeout, number of screens, etc.). As is known, some malware runs only in a specific environment, and this feature helps guarantee its successful execution. A CSIRT might also use this feature to test suspicious malware only against an environment that reflects that of its customers. Sources can also be configured to be automatically analysed with certain profiles (e.g. use Profile_Windows_30sc for all the binaries retrieved by Kippo_source).
Lastly, Dorothy is now able to fetch binaries from a mailbox as well (including when an email is forwarded "As Attachment"). This could be useful for anyone who wants to set up an analysis email sinkhole and redirect all incoming spam there.

Unveiling Dorothy2: a malware/botnet analysis framework written in Ruby.

09 Jun 2013 Marco Riccardi botnet dorothy malware sandbox

Howdy all,
I have the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine in which a suspicious executable has been run. However, static binary analysis and system behavior analysis will be introduced shortly in future versions.
Dorothy is a multi-threaded framework: it is able to execute as many concurrent analysis processes as there are VMs present in vSphere. So if you have 5 VMs, for example, 5 binaries will be analyzed at a time, giving you 5 different output folders containing their network traffic and screenshots.
It is a very modular framework, and customizing/extending it can be very easy.

Glastopf v3 released

02 May 2012 Lukas Rist botnet-monitoring glastopf google-summer-of-code gsoc hpfeeds release sandbox web-server-botnet

We were glad to announce yet another tool during our annual workshop in San Francisco. Glaspot is the third version of the web application honeypot Glastopf, and it comes with some very powerful new features:

  • A built-in PHP sandbox for code injection emulation, allowing us to bring vulnerability emulation to a new level
  • Hooked up to the HPFeeds generic data feed system for centralized data collection and tight integration into our sandbox and web server botnet monitoring system
  • Modular implementation: Turn your web application into a honeypot with a few easy steps
  • Runs in its own lightweight Python server or as a WSGI module in common web server environments
  • Automated attack surface generation and expansion

In the next three months we will be working on even more exciting new features and much stronger integration into our web threat analysis platform.
Additionally, Phani Vadrevu has been accepted as a Google Summer of Code student to help us with further improvements such as request classification based on attacker profiling, hardening the internal sandbox and extending the attack surface. Details can be found in his project description: Glastopf Improvements.

DroidBox: beta release

02 Sep 2011 Patrik Lantz android droidbox dynamic-analysis sandbox

The beta version is out and the install instructions are available on the project webpage. The new features are:

  • Prevents some emulator evasion techniques
  • Added visualization of analysis results
  • Automated app installation and execution
  • Displays analysis information about the APK
  • Static pre-check extracts the app's registered Intents

The following figures show the new visualization added in the beta version.

The image on the left is a PoC for classifying malware samples by their similarity. The second image should assist the analysis by showing in which order operations are performed. The timestamp is relative to the analysis start time, and operation details can then be located in the analysis output.

DroidBox: alpha release

14 Jul 2011 Patrik Lantz android droidbox dynamic-analysis sandbox

The Android application sandbox is now ready for an alpha release. Details on how to get DroidBox running are available on the project webpage.

At the moment, the following actions are logged during runtime:

  • File read and write operations
  • Cryptography API activity
  • Opened network connections
  • Outgoing network traffic
  • Information leaks through the following sinks: network, file, sms
  • Attempts to send SMS
  • Phone calls that have been made

An analysis output looks like the following sample report:

DroidBox: testing with Geinimi sample

22 Jun 2011 Patrik Lantz android droidbox dynamic-analysis gsoc sandbox

One of the very first Android malware samples, Geinimi, has been analyzed in the application sandbox DroidBox, which is currently being developed. The project is part of GSoC 2011 in collaboration with the Honeynet Project and is also a master's thesis. The Geinimi application uses DES encryption, and it is possible to decrypt the content statically; see the picture below.

But this is easy only because the key is not well hidden, so a dynamic analysis approach will be more interesting with complex samples. This first real-world sample analysis was carried out specifically to test the crypto API logging.