Name | Last modified | Size | Description | |
---|---|---|---|---|
Parent Directory | - | |||
README.html | 2023-01-21 11:41 | 12K | ||
README.md | 2023-01-21 11:41 | 11K | ||
botnet-capture-20110815-rbot-dos-icmp-more-bandwith.pcap | 2011-08-15 14:33 | 4.8G | ||
botnet-capture-20110815-rbot-dos-icmp.pcap | 2011-08-15 14:24 | 29M | ||
botnet-capture-20110815-rbot-dos.pcap | 2011-08-15 14:23 | 212M | ||
bro/ | 2017-04-15 11:20 | - | ||
capture20110815.binetflow.2format | 2017-05-08 20:30 | 264M | ||
capture20110815.pcap.netflow.labeled | 2011-12-07 22:05 | 402M | ||
capture20110815.truncated.pcap.bz2 | 2015-07-20 11:21 | 935M | ||
detailed-bidirectional-flow-labels/ | 2015-05-14 11:54 | - | ||
ralabel-flowfilter.conf.generic | 2014-07-18 10:10 | 79K | ||
rbot.exe.zip | 2015-12-16 10:28 | 106K | ||
Probable Name: Rbot
MD5: 2467b3c8b259cecd6ce2d5c31009df10
SHA1: 915934b43d63dc4040af3ea1ee6c80913288ff3b
SHA256: dcf50510efec16ff10c5aed91c8e386aba114e63842caa16ea40cac776c60816
Password of zip file: infected
Duration: 4 hours, 29 minutes and 0 seconds
RobotHash
capture20110815.pcap
It is a pcap capture with all the traffic (background, normal and botnet)
This pcap file was not made public because it contains too much private information about the users of the network.
This file was captures on the main router of the University network.
botnet-capture-20110815-rbot-dos.pcap
Capture with only the botnet traffic. It is made public.
This file was captured on the interface of the virtual machine being infected.
capture20110815.pcap.netflow.labeled
This file has the netflows generated by a unidirectional argus. The labels were assigned as this:
- First put Background to all the flows.
- Put LEGITIMATE to the flows that match some filters.
- Put Botnet to the flows that come to or from the infected IP addresses
bro
detailed-bidirectional-flow-labels
*.html
*.json
*truncated.pcap.bz2
- Infected hosts
- 147.32.84.165: Windows XP (English version) Name: SARUMAN (Label: Botnet) (amount of infected flows: 5160)
- Normal hosts:
- 147.32.84.170 (amount of bidirectional flows: 12133, Label: Normal-V42-Stribrek)
- 147.32.84.134 (amount of bidirectional flows: 10382, Label: Normal-V42-Jist)
- 147.32.84.164 (amount of bidirectional flows: 2474, Label: Normal-V42-Grill)
- 147.32.87.36 (amount of bidirectional flows: 89, Label: CVUT-WebServer. This normal host is not so reliable since is a webserver)
- 147.32.80.9 (amount of bidirectional flows: 13, Label: CVUT-DNS-Server. This normal host is not so reliable since is a dns server)
- 147.32.87.11 (amount of bidirectional flows: 4, Label: MatLab-Server. This normal host is not so reliable since is a matlab server)
Please note that the labels of the flows generated by the malware start with “From-Botnet”. The labels “To-Botnet” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse. Also for the normal computers, the counts are for the labels “From-Normal”. The labels “To-Normal” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse.
WARNING! We control this bot, because we recompiled the code.
We are going to try to DoS some machine. We now started the overall capture. We used rbot.exe
We started the bot and the bot capture.
We are going to DoS the address 147.32.96.69 with UDP packets to port 161
We are setting the bandwith to 40kBps
Attack was done, but we are not sure if it was successful because of the bandwith limit.
We stopped the dos capture, we stopped the malware. We did not stopped the overall department capture.
We DOS with UDP some IPs.
These are the IRC commands:
NICK Pepe024268
USER ghnnza 0 0 :Pepe024268
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.login zarasa48
PRIVMSG #zarasa48 :.::[MaInFrAmE]::. Password Accettata, Welcome to x0n3-Satan.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.netinfo
PRIVMSG #zarasa48 :Connection: [Type]: LAN (LAN Connection). [IP Address]: 147.32.84.165. [Hostname]: 147.32.84.165.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.synflood 147.32.96.69 22 3600
PRIVMSG #zarasa48 :[SYN]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[SYN]: Flooding: (147.32.96.69:22) for 3600 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.synflood 147.32.96.69 22 3600
PRIVMSG #zarasa48 :[SYN]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[SYN]: Flooding: (147.32.96.69:22) for 3600 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood ack 147.32.96.69 22 3600
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal ack flooding: (147.32.96.69:22) for 3600 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.udpflood 147.32.96.69 100000 1500 10 161
PRIVMSG #zarasa48 :[UDP]: Sending 100000 packets to: 147.32.96.69. Packet size: 1500, Delay: 10(ms).
We infected the VM again, but this time we are going to attack with ICMP packets. We are going to start a new Dos capture, but we are going to keep the same overall deparment capture. We infected again with rbot.exe
Bandwith will be at 100kBps
We are going to DoS this address:147.32.96.69
The attacked ended, but we keep capturing packets in both pcap files.
The attack was sucessful because we could not access the target anymore from other computers outside the university.
We stopped the bot and the bots capture. Pcap file is botnet-capture-20110815-rbot-dos-icmp.pcap
Analysis:
We did some ICMP DoS attack agains one IP.
These are the IRC commands:
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.login zarasa48
PRIVMSG #zarasa48 :.::[MaInFrAmE]::. Password Accettata, Welcome to x0n3-Satan.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.netinfo
PRIVMSG #zarasa48 :Connection: [Type]: LAN (LAN Connection). [IP Address]: 147.32.84.165. [Hostname]: 147.32.84.165.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.syn 147.32.96.69 1 1800
PRIVMSG #zarasa48 :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[DDoS]: Flooding: (147.32.96.69:1) for 1800 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.syn 147.32.96.69 1
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.syn 147.32.96.69 1 60
PRIVMSG #zarasa48 :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[DDoS]: Flooding: (147.32.96.69:1) for 60 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood syn 147.32.96.69 1 1000
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal syn flooding: (147.32.96.69:1) for 1000 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood syn 147.32.96.69 1 100
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal syn flooding: (147.32.96.69:1) for 100 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood syn 147.32.96.69 22 100
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal syn flooding: (147.32.96.69:22) for 100 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.dos.random 147.32.96.69 22 1000
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.random 147.32.96.69 22 1000
PRIVMSG #zarasa48 :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[DDoS]: Flooding: (147.32.96.69:22) for 1000 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood ack 147.32.96.69 337 120 -r
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Spoofed ack flooding: (147.32.96.69:337) for 120 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.icmpflood 147.32.96.69 1800
PRIVMSG #zarasa48 :[ICMP]: Flooding: (147.32.96.69) for 1800 seconds.
We started a new bot capture to attack again using icmp but with 300kbps bandwith.
We stoped and started the VM and infected again with rbot.exe
We are going to DoS this address with icmp:147.32.96.69
We started the attack.
The attack ended.
The attack was sucessful because we could not access the target anymore from other computers outside the university.
We stopped the botnet capture.
Pcap bot file is: botnet-capture-20110815-rbot-dos-icmp-more-bandwith.pcap
Globlal capture was stopped for everything.
Analysis:
We did an ICMP DoS attack agains one IP.
These are the IRC commands:
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.login zarasa48
PRIVMSG #zarasa48 :.::[MaInFrAmE]::. Password Accettata, Welcome to x0n3-Satan.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.netinfo
PRIVMSG #zarasa48 :Connection: [Type]: LAN (LAN Connection). [IP Address]: 147.32.84.165. [Hostname]: 147.32.84.165.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.icmpflood 147.32.96.69 1800
PRIVMSG #zarasa48 :[ICMP]: Flooding: (147.32.96.69) for 1800 seconds.
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
Any question feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org