Dorothy 2: A malware/botnet analysis framework
Category : Blog
Dorothy 2 is a malware/botnet analysis framework written in Ruby.
Dorothy 2 is a framework created for suspicious binary analysis. The main strengths of Dorothy are a very flexible modular environment and an interactive investigation framework with particular attention to network analysis. Additionally, it is able to recognize newly spawned processes by comparing them with a previously created baseline. Static binary analysis and an improved system behavior analysis will be introduced shortly in the next versions. Dorothy 2 analyses binaries using pre-configured analysis profiles.
A Dorothy 2 analysis profile is composed of the following elements:
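As an added illustration of the baseline comparison mentioned above (example code written for this page, not Dorothy 2's own), the following Ruby sketch diffs a post-execution process snapshot against a clean baseline and attributes each new process to the chain that spawned it. The `pid,ppid,name` snapshot format and the two sample process lists are constructed assumptions:

```ruby
# Added example (not Dorothy's own code): diff a post-run process snapshot
# against a clean baseline; the "pid,ppid,name" format and data are constructed.
ProcEntry = Struct.new(:pid, :ppid, :name)

# Constructed clean-sandbox baseline, captured before the binary runs.
BASELINE_SNAPSHOT = <<~SNAP
  4,0,System
  652,4,services.exe
  900,652,svchost.exe
  1224,652,spoolsv.exe
  1700,4,explorer.exe
SNAP

# Constructed snapshot captured after the suspicious sample was executed.
AFTER_SNAPSHOT = <<~SNAP
  4,0,System
  652,4,services.exe
  900,652,svchost.exe
  1700,4,explorer.exe
  2016,1700,sample.exe
  2080,2016,cmd.exe
  2112,2016,svchost.exe
SNAP

# Parse a snapshot into a Hash keyed by pid; blank lines are skipped.
def parse_snapshot(text)
  text.lines.map(&:strip).reject(&:empty?).each_with_object({}) do |line, procs|
    pid, ppid, name = line.split(',', 3)
    procs[pid.to_i] = ProcEntry.new(pid.to_i, ppid.to_i, name)
  end
end

# New processes are those whose pid is absent from the baseline; keying on pid
# rather than name catches the extra svchost.exe a name-only diff would miss.
def diff_processes(baseline_text, after_text)
  base, after = parse_snapshot(baseline_text), parse_snapshot(after_text)
  { spawned:    after.values.reject { |e| base.key?(e.pid) },
    terminated: base.values.reject { |e| after.key?(e.pid) } }
end

# Walk ppid links from a new process up to its first baseline ancestor, so a
# spawned process can be attributed to the sample that created it.
def spawn_chain(baseline_text, after_text, pid)
  base, after = parse_snapshot(baseline_text), parse_snapshot(after_text)
  chain = []
  while (entry = after[pid]) && !base.key?(entry.pid)
    chain.unshift(entry.name)
    pid = entry.ppid
  end
  chain.unshift(after[pid].name) if after.key?(pid)
  chain.join(' > ')
end
```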
- A certain sandbox OS type
- A certain sandbox OS version
- A certain sandbox OS language
- A fixed analysis timeout (how long to wait before reverting the VM)
- The number of screenshots requested (and the delay between them)
- A list of the supported extensions, and how the guest OS should execute them
Profiles let the researcher run analyses of a set of binaries in different environments; as is well known, some malware is configured to run only in a specific environment.
The first three modules of Dorothy are publicly released under the GPL 2/3 license as a tribute to the Honeynet Project Alliance. All the information generated by the framework – i.e. binary info, timestamps, dissected network analysis.
Dorothy needs the following software:
- VMware ESX >= 5.0 (tip: if you download ESXi, you can evaluate ESX for 30 days)
- Ruby 1.9.3
- Postgres >= 9.0
- At least one Windows virtual machine
- One unix-like machine dedicated to the Network Analysis Engine (NAM) (tcpdump/ssh needed)
- pcapr-local (only used by doroParser)
- MaxMind libraries (only used by doroParser)
The framework is mainly composed of five modules, which can also be executed separately:
- The Binary Fetcher Module (BFM)
- The Dorothy analysis engine
- The (network) Data Extraction Module (old dparser)
- The (dummy) Webgui
- The Java Dorothy Drone