CTU-Malware-Capture-Botnet-44 or Scenario 3 in the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - 147.32.84.165: Windows XP (English version), name: SARUMAN (Label: Botnet; number of infected flows: 53518)
- Normal hosts
    - 147.32.84.170 (number of bidirectional flows: 217614, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (number of bidirectional flows: 1934, Label: Normal-V42-Jist)
    - 147.32.84.164 (number of bidirectional flows: 9160, Label: Normal-V42-Grill)
    - 147.32.87.36 (number of bidirectional flows: 3686, Label: CVUT-WebServer. This normal host is not so reliable since it is a web server)
    - 147.32.80.9 (number of bidirectional flows: 28, Label: CVUT-DNS-Server. This normal host is not so reliable since it is a DNS server)
    - 147.32.87.11 (number of bidirectional flows: 184, Label: MatLab-Server. This normal host is not so reliable since it is a MATLAB server)

Important Label note

Please note that the labels of the flows generated by the malware start with “From-Botnet”. The “To-Botnet” labels mark flows sent to the botnet by unknown computers, so they should not be considered malicious per se. Likewise, for the normal computers the counts are for the “From-Normal” labels. The “To-Normal” labels mark flows sent to the normal hosts by unknown computers, so they should not be considered malicious per se.
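As an added example of applying this labelling convention (example code written for this page, not the dataset's or the Stratosphere Lab's own tooling): the binetflow column layout and the sample flows are assumptions constructed here; the script credits only From-Botnet flows to the infected host and only From-Normal flows to the normal hosts, and shows how counting every label that mentions Botnet over-counts.

```python
import csv
from collections import Counter

# Column layout assumed to match the CTU-13 binetflow CSV files (an assumption,
# not something this page states); only SrcAddr, DstAddr and Label are read.
HEADER = ("StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,"
          "sTos,dTos,TotPkts,TotBytes,SrcBytes,Label")

# Constructed sample flows for this example; they are not taken from the capture.
SAMPLE = "\n".join([
    HEADER,
    "2011/08/12 15:01:00.000000,0.5,tcp,147.32.84.165,1034,->,10.0.0.5,6667,S_RA,0,0,2,120,60,flow=From-Botnet-V42-TCP-Established",
    "2011/08/12 15:01:01.000000,0.1,tcp,10.0.0.9,4444,->,147.32.84.165,445,S_,0,0,1,60,60,flow=To-Botnet-V42-TCP-Attempt",
    "2011/08/12 15:01:02.000000,1.2,udp,147.32.84.170,53123,<->,10.0.0.1,53,CON,0,0,2,200,80,flow=From-Normal-V42-Stribrek",
    "2011/08/12 15:01:03.000000,0.3,tcp,10.0.0.7,51000,->,147.32.84.170,80,S_RA,0,0,2,120,60,flow=To-Normal-V42-Stribrek",
    "2011/08/12 15:01:04.000000,0.0,udp,10.0.0.2,137,->,10.0.0.255,137,INT,0,0,1,78,78,flow=Background-UDP-Attempt",
])

def classify(label: str) -> str:
    """Class a flow may be credited to: only From-Botnet is malicious, only From-Normal
    is normal; To-Botnet/To-Normal come from unknown hosts and credit neither side."""
    tag = label.split("=", 1)[-1]
    if tag.startswith("From-Botnet"):
        return "botnet"
    if tag.startswith("From-Normal"):
        return "normal"
    if tag.startswith(("To-Botnet", "To-Normal")):
        return "unknown-origin"
    return "background"

def count_labeled_flows(text: str) -> dict:
    """Return {(SrcAddr, class): count} for flows attributable to a host."""
    counts = Counter()
    for row in csv.DictReader(text.splitlines()):
        cls = classify(row["Label"])
        if cls in ("botnet", "normal"):
            counts[(row["SrcAddr"], cls)] += 1
    return dict(counts)

def botnet_flow_count(text: str, host: str, strict: bool = True) -> int:
    """strict=True: From-Botnet flows sent by host (the page's convention);
    strict=False: any flow touching host whose label mentions Botnet (the over-count)."""
    n = 0
    for row in csv.DictReader(text.splitlines()):
        if strict:
            n += row["SrcAddr"] == host and classify(row["Label"]) == "botnet"
        else:
            n += host in (row["SrcAddr"], row["DstAddr"]) and "Botnet" in row["Label"]
    return n
```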

Timeline

Fri Aug 12 14:12:11 CEST 2011

We are going to infect the VM with rbot.exe, a bot we can control with IRC.

The bandwidth was limited to 2kbps.

When we download something, it is downloading at 1000 KB/s. Not sure how this happens.

Fri Aug 12 15:00:37 CEST 2011

We infect the computer and leave capturing only the packets.

We used the IRC channel to retrieve some information about the bot and then command it to scan some ports in some networks.

Mon Aug 15 09:55:11 CEST 2011

I stop the bot.

Mon Aug 15 10:14:55 CEST 2011

We stop the botnet capture.

Traffic Analysis

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org