Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
For any question, feel free to contact us:
Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz
Vojtěch Uhlíř, vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors.
#########################
CLF
===
The CLF (Common Log Format) file contains the web logs extracted from the pcap file by the justniffer tool. The command used was:
justniffer -f file.pcap > file.clf


Weblogs
=======
The weblogs are files similar to the CLF file but with a different format. They were generated with this command:

justniffer -f <pcap-file>  -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) - %response.code %response.size %source.port %request.size http://%request.header.host%request.url - %response.time %dest.ip %source.ip %response.header.content-type - %request.header.referer %request.header.user-agent" | awk '{if ($12 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "($9*1000)" "$10" "$11" "substr($12,1,match($12,/\;/)-1)" "$14" "$15" "substr($0,index($0,$16)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "($9*1000)" "$10" "$11" "$12" - "$14" "$15" "substr($0,index($0,$16))}' |awk '{printf "%s %s %s %s %s %s %s %s %.0f %s %s %s %s %s %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, substr($0,index($0,$16))}'  |grep -v "Mb\|rZl"  > $1.weblog
# The last grep is to avoid some lines with binary data. Sometimes the botnet uses these ports but not for HTTP, so we delete those lines.
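As an added example (not part of the project's own tooling), a small Python parser for the weblog lines the pipeline above emits: it assumes %request.timestamp2(%s) yields epoch seconds, splits off the 14 fixed fields left by the two awk passes, keeps the rest of the line as the user-agent, and measures the gap between consecutive requests to each destination, which is how periodic checks such as the 30-minute google.com requests in the timeline can be confirmed. The sample lines are constructed.

```python
"""Added example: parse weblog lines from the justniffer + awk pipeline above and
measure how regularly each destination is contacted. Not project code."""
from collections import defaultdict

# The two awk passes leave 14 fixed whitespace-separated fields; everything after
# the 14th is the user-agent, which may itself contain spaces.
FIXED_FIELDS = ("timestamp", "dash1", "response_code", "response_size", "src_port",
                "request_size", "url", "dash2", "response_time_ms", "dst_ip",
                "src_ip", "content_type", "dash3", "referer")
INT_FIELDS = ("timestamp", "response_code", "response_size", "src_port",
              "request_size", "response_time_ms")


def parse_weblog_line(line):
    """Return a dict for one weblog line, or None if the line is malformed."""
    parts = line.rstrip("\n").split(None, len(FIXED_FIELDS))
    if len(parts) != len(FIXED_FIELDS) + 1:
        return None
    record = dict(zip(FIXED_FIELDS, parts))
    record["user_agent"] = parts[-1]
    try:
        for name in INT_FIELDS:  # the awk %.0f guarantees integer text for $9
            record[name] = int(record[name])
    except ValueError:
        return None
    return record


def intervals_per_dst(records):
    """Seconds between consecutive requests to each destination IP, in time order."""
    times = defaultdict(list)
    for rec in records:
        times[rec["dst_ip"]].append(rec["timestamp"])
    return {ip: [b - a for a, b in zip(ts, ts[1:])]
            for ip, ts in ((ip, sorted(t)) for ip, t in times.items())}


# Constructed sample lines in the pipeline's output layout (not from the dataset).
SAMPLE_WEBLOG = """\
1373450400 - 200 512 1034 310 http://google.com/ - 120 173.194.70.106 10.0.2.16 text/html - - Mozilla/4.0 (compatible; MSIE 7.0)
1373452200 - 200 512 1041 310 http://google.com/ - 98 173.194.70.106 10.0.2.16 text/html - - Mozilla/4.0 (compatible; MSIE 7.0)
1373454000 - 200 512 1050 310 http://google.com/ - 131 173.194.70.106 10.0.2.16 text/html - - Mozilla/4.0 (compatible; MSIE 7.0)
1373451000 - 404 0 1038 290 http://example.invalid/ - 40 203.0.113.7 10.0.2.16 text/html - - Mozilla/4.0 (compatible; MSIE 7.0)
garbage line that does not have enough fields
"""


def analyse(text):
    """Parse every well-formed line and return the per-destination request gaps."""
    records = [r for r in map(parse_weblog_line, text.splitlines()) if r]
    return intervals_per_dst(records)


if __name__ == "__main__":
    for ip, gaps in analyse(SAMPLE_WEBLOG).items():
        print(ip, gaps)
```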


Netflows
========
The netflows are generated using the 2013-08-12_argus.conf file, the 2013-08-12_ra.conf file and the 2013-08-12_ralabel.conf file. We are using bidirectional argus records.
The command used is this:
1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this is to add labels to the argus file)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Pcap capture files:
The pcap files were captured by VirtualBox, because the VMs were NATed. Because of a bug in VirtualBox, all the captures start on 19707/1/1, so the pcap captures cannot be merged.


Generic info
------------
Binary used: Nx6tG6.exe|ZtaXE.exe|ndbif.exe
Md5: 39bed9ab3ecc1271e8b9bdeda3f79495
Probable Name: Zbot
Virustotal link: https://www.virustotal.com/gui/file/a35e05208f29ae9ecc0a093e341d36e1ee05889c3e71a268208159e7918ab61b/detection
Our Database info: 39bed9ab3ecc1271e8b9bdeda3f79495,e17ee425ebba7e1b02076035c406334660cb9e65,Nx6tG6.exe|ZtaXE.exe|ndbif.exe,/opt/Malware-Project/malware-to-test/shared-folder/39bed9ab3ecc1271e8b9bdeda3f79495.exe,429000,2013:08:27-17:10:31,none

Infected Machines:
Windows Name: Win2, IP: 10.0.2.16 (Label: Botnet-V1)


Histogram of labels
===================
For Win2:
--------
     20 From-Botnet-V1-DNS
    528 Background-ARP
    820 From-Botnet-V1-TCP-Attempt
   1254 From-Botnet-V1-TCP-Established
   2012 From-Botnet-V1-UDP-Establishedd
   3732 From-Botnet-V1-UDP-Attempt
   7732 Background

Timeline
========
Wednesday 10th July 2013

Periodically sends requests to hosts on the internet and gets responses on incoming port 15311.

The malware tries to connect to a big group of IP addresses and only a few of them answer.
From time to time (2, 7, 4 hours) it tries to contact the big group of IPs again.
 
10th July 2013 
TCP:
 173.194.70.106 each 30 minutes, checking google.com 
 173.194.70.94 each 30 minutes, checking google.com
 
UDP:
 IPs from the big group which send responses:
 194.94.127.98 30 minutes UDP connections, encrypted
 66.235.184.138 30 minutes UDP connections, encrypted 
 66.36.230.86 30 minutes UDP connections, encrypted
 66.148.64.18 30 minutes UDP connections, encrypted 
 195.169.125.228 30 minutes UDP connections, encrypted
 62.5.128.33 60 minutes UDP connections, encrypted
 66.36.230.86 30 minutes  UDP connections, encrypted


Thu Jul 11 13:32:41 CEST 2013
There are no changes in the traffic; the malware keeps connecting for short periods of time to the IP addresses listed above and they reply.
Over a longer period of time it tries to send requests to a larger number of IP addresses, which don't reply.

No actual change in behavior

Sat Jul 13 12:19:57 CEST 2013
No changes. I'm stopping it.

