Index of /publicDatasets/CTU-Malware-Capture-Botnet-3

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]2013-08-20_capture-win15.biargus2013-10-03 09:58 1.6G 
[   ]2013-08-20_capture-win15.netflow2013-10-03 10:00 1.1G 
[   ]2013-08-20_capture-win15.binetflow2021-01-18 15:56 745M 
[   ]2013-08-20_capture-win15.pcap2013-12-06 13:56 409M 
[   ]2013-08-20_capture-win15.biargus.22014-09-22 10:44 134M 
[   ]2013-08-20_capture-win15.clf2013-10-03 10:01 125M 
[   ]2013-08-20_capture-win15.weblog2013-10-03 10:01 36M 
[   ]2013-08-20_capture-win15.rrd2014-09-22 10:46 8.0M 
[   ]dns.names.uniq22013-08-12 17:03 1.0M 
[   ]tdPTU02.exe.zip2015-12-16 10:28 275K 
[IMG]2013-08-20_capture-win15.png2014-09-22 10:49 170K 
[   ]2013-08-20_capture-win15.dnstop2021-01-18 15:42 23K 
[   ]argus_bi.conf2013-10-03 09:56 20K 
[   ]ralabel-data.conf2021-01-18 15:44 19K 
[   ]ralabel.conf2013-10-03 09:57 6.0K 
[   ]ralabel-datasets.conf2021-01-18 15:44 6.0K 
[   ]2013-08-20_capture-win15.tcpdstat2021-01-18 15:44 4.3K 
[TXT]README.html2021-01-18 15:56 3.8K 
[TXT]README.md2013-10-03 13:00 3.4K 
[   ]ra.conf.analysis2013-10-03 10:01 2.0K 
[   ]ra.conf.publish2013-10-03 09:58 2.0K 
[   ]2013-08-20_capture-win15.capinfos2021-01-18 15:44 1.2K 
[   ]ralabel-flowfilter.conf2013-10-03 09:56 600  
[   ]2013-08-20_capture-win15.histogram2013-10-03 10:03 255  
[DIR]suricata/2021-01-18 15:44 -  
[DIR]bro/2021-01-18 15:44 -  

Malware Capture Facility CVUT University, Prague, Czech Republic

These files were generated as part of a research project in the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflows files. Any question feel free to contact us: Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz Vojtech Uhliƙ <vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors. #########################

Weblogs

The weblogs were generated with these command : justniffer -f $1 -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer %request.header.user-agent" |awk '{if ($11 ~ /;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($81000)" "$9" "$10" "substr($11,1,match($11,/;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($81000)" "$9" "substr($0,index($0,$10))}'|awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}'|grep -v "Mb|rZl" > $FILE.weblog # The last grep is to avoid some lines with binary data. Sometimes the botnet uses these port but not for http, so we delete them # The last grep is to avoid some lines with binary data. Sometimes the botnet uses these port but not for http, so we delete them The last grep is to avoid some lines with binary data. Sometimes the botnet uses these port but not for http, so we delete them

Netflows

The netflows are generated using the 2013-08-12_argus.conf file, the 2013-08-12_ra.conf file and the 2013-08-12_ralabel.conf conf file. The command used is this: 1- argus -F argus.conf -r file.pcap -w file.argus 2- ra -F ra.conf -Z b -nr file.argus -w - |ralabel -f ralabel.conf -r - -w file.argus.labeled 3- mv file.argus.labeled file.argus (this is to add labels to the argus file) 4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Distribution of labels

104530 From-Botnet-V1-SPAM 1972733 From-Botnet-V1-TCP-Attempt 46215 From-Botnet-V1-UDP 53596 From-Botnet-V1-TCP-Established 758181 From-Botnet-V1-DNS 1117623 Background

Generic info

Binary used: tdPTU02.exe (md5 bb99fa3473960eb3a8ddc214af23b220) Probable Name: Kelihos VirusTotal link: https://www.virustotal.com/en/file/59ea583b2a56a72a16b9cecfd88d9507a61ac6db5b8947b6e43da272eaa41a9a/analysis/1376577717/

Infected Machines: Windows Name: Win15, IP: 10.0.2.29 (Label: Botnet-V1)

Pcap Captures files: The pcap capture files were done by Virtualbox, because the vms were NATed. This means that all the captures start on 19707/1/1 because of a bug in virtualbox.

Time Line

Sun Jul 21 14:47:38 CEST 2013 started the vm

Sun Jul 21 14:49:13 CEST 2013 Infected win15

Small research was done for this kind of malware according the md5 code. It was found as it could be type of PushDo malware.

Malware tries a huge amount of DNS requests, but it was not seen that it could be case of Domain Generation Algorithm DGA.

In some point it also starts to send a particular amount of spam.

Experiment is still running, more computers are going to be infected.