Index of /publicDatasets/CTU-Malware-Capture-Botnet-45

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[DIR]bro/2017-04-15 11:20 -  
[DIR]detailed-bidirectional-flow-labels/2015-05-14 11:54 -  
[TXT]README.md2023-01-21 11:41 11K 
[TXT]README.html2023-01-21 11:41 12K 
[   ]ralabel-flowfilter.conf.generic2014-07-18 10:10 79K 
[   ]rbot.exe.zip2015-12-16 10:28 106K 
[   ]botnet-capture-20110815-rbot-dos-icmp.pcap2011-08-15 14:24 29M 
[   ]botnet-capture-20110815-rbot-dos.pcap2011-08-15 14:23 212M 
[   ]capture20110815.binetflow.2format2017-05-08 20:30 264M 
[   ]capture20110815.pcap.netflow.labeled2011-12-07 22:05 402M 
[   ]capture20110815.truncated.pcap.bz22015-07-20 11:21 935M 
[   ]botnet-capture-20110815-rbot-dos-icmp-more-bandwith.pcap2011-08-15 14:33 4.8G 

CTU-Malware-Capture-Botnet-45 or Scenario 4 in the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - 147.32.84.165: Windows XP (English version) Name: SARUMAN (Label: Botnet) (amount of infected flows: 5160)
- Normal hosts:
    - 147.32.84.170 (amount of bidirectional flows: 12133, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (amount of bidirectional flows: 10382, Label: Normal-V42-Jist)
    - 147.32.84.164 (amount of bidirectional flows: 2474, Label: Normal-V42-Grill)
    - 147.32.87.36 (amount of bidirectional flows: 89, Label: CVUT-WebServer. This normal host is not so reliable since is a webserver)
    - 147.32.80.9 (amount of bidirectional flows: 13, Label: CVUT-DNS-Server. This normal host is not so reliable since is a dns server)
    - 147.32.87.11 (amount of bidirectional flows: 4, Label: MatLab-Server. This normal host is not so reliable since is a matlab server)

Important Label note

Please note that the labels of the flows generated by the malware start with “From-Botnet”. The labels “To-Botnet” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse. Also for the normal computers, the counts are for the labels “From-Normal”. The labels “To-Normal” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse.

Timeline

WARNING! We control this bot, because we recompiled the code.

Mon Aug 15 10:59:23 CEST 2011

We are going to try to DoS some machine. We now started the overall capture. We used rbot.exe

Mon Aug 15 12:21:33 CEST 2011

We started the bot and the bot capture.

We are going to DoS the address 147.32.96.69 with UDP packets to port 161

We are setting the bandwith to 40kBps

Attack was done, but we are not sure if it was successful because of the bandwith limit.

Mon Aug 15 13:06:40 CEST 2011

We stopped the dos capture, we stopped the malware. We did not stopped the overall department capture.

Traffic Analysis

We DOS with UDP some IPs.

These are the IRC commands:
NICK Pepe024268
USER ghnnza 0 0 :Pepe024268
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.login zarasa48
PRIVMSG #zarasa48 :.::[MaInFrAmE]::. Password Accettata, Welcome to x0n3-Satan.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.netinfo
PRIVMSG #zarasa48 :Connection: [Type]: LAN (LAN Connection). [IP Address]: 147.32.84.165. [Hostname]: 147.32.84.165.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.synflood 147.32.96.69 22 3600
PRIVMSG #zarasa48 :[SYN]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[SYN]: Flooding: (147.32.96.69:22) for 3600 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.synflood 147.32.96.69 22 3600
PRIVMSG #zarasa48 :[SYN]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[SYN]: Flooding: (147.32.96.69:22) for 3600 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood ack 147.32.96.69 22 3600
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal ack flooding: (147.32.96.69:22) for 3600 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.udpflood 147.32.96.69 100000 1500 10 161
PRIVMSG #zarasa48 :[UDP]: Sending 100000 packets to: 147.32.96.69. Packet size: 1500, Delay: 10(ms).

Mon Aug 15 13:25:40 CEST 2011

We infected the VM again, but this time we are going to attack with ICMP packets. We are going to start a new Dos capture, but we are going to keep the same overall deparment capture. We infected again with rbot.exe
Bandwith will be at 100kBps

We are going to DoS this address:147.32.96.69

Mon Aug 15 13:40:00 CEST 2011

The attacked ended, but we keep capturing packets in both pcap files.
The attack was sucessful because we could not access the target anymore from other computers outside the university.

Mon Aug 15 13:46:43 CEST 2011

We stopped the bot and the bots capture. Pcap file is botnet-capture-20110815-rbot-dos-icmp.pcap


Analysis:
We did some ICMP DoS attack agains one IP.

These are the IRC commands:
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.login zarasa48
PRIVMSG #zarasa48 :.::[MaInFrAmE]::. Password Accettata, Welcome to x0n3-Satan.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.netinfo
PRIVMSG #zarasa48 :Connection: [Type]: LAN (LAN Connection). [IP Address]: 147.32.84.165. [Hostname]: 147.32.84.165.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.syn 147.32.96.69 1 1800
PRIVMSG #zarasa48 :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[DDoS]: Flooding: (147.32.96.69:1) for 1800 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.syn 147.32.96.69 1
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.syn 147.32.96.69 1 60
PRIVMSG #zarasa48 :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[DDoS]: Flooding: (147.32.96.69:1) for 60 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood syn 147.32.96.69 1 1000
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal syn flooding: (147.32.96.69:1) for 1000 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood syn 147.32.96.69 1 100
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal syn flooding: (147.32.96.69:1) for 100 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood syn 147.32.96.69 22 100
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Normal syn flooding: (147.32.96.69:22) for 100 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.dos.random 147.32.96.69 22 1000
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.ddos.random 147.32.96.69 22 1000
PRIVMSG #zarasa48 :[DDoS]: Done with flood (0KB/sec).
PRIVMSG #zarasa48 :[DDoS]: Flooding: (147.32.96.69:22) for 1000 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.tcpflood ack 147.32.96.69 337 120 -r
PRIVMSG #zarasa48 :[TCP]: Error sending packets to IP: 147.32.96.69. Packets sent: 0. Returned: <0>.
PRIVMSG #zarasa48 :[TCP]: Spoofed ack flooding: (147.32.96.69:337) for 120 seconds.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.icmpflood 147.32.96.69 1800
PRIVMSG #zarasa48 :[ICMP]: Flooding: (147.32.96.69) for 1800 seconds.

Mon Aug 15 13:47:00 CEST 2011

We started a new bot capture to attack again using icmp but with 300kbps bandwith.
We stoped and started the VM and infected again with rbot.exe

We are going to DoS this address with icmp:147.32.96.69

Mon Aug 15 13:50:51 CEST 2011

We started the attack.

Mon Aug 15 13:58:35 CEST 2011

The attack ended.
The attack was sucessful because we could not access the target anymore from other computers outside the university.

Mon Aug 15 14:06:29 CEST 2011

We stopped the botnet capture.

Pcap bot file is: botnet-capture-20110815-rbot-dos-icmp-more-bandwith.pcap

Mon Aug 15 15:11:46 CEST 2011

Globlal capture was stopped for everything.

Analysis:
We did an ICMP DoS attack agains one IP.
These are the IRC commands:
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.login zarasa48
PRIVMSG #zarasa48 :.::[MaInFrAmE]::. Password Accettata, Welcome to x0n3-Satan.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.netinfo
PRIVMSG #zarasa48 :Connection: [Type]: LAN (LAN Connection). [IP Address]: 147.32.84.165. [Hostname]: 147.32.84.165.
:pepe|2!~kvirc@cmpgw-27.felk.cvut.cz PRIVMSG #zarasa48 :.icmpflood 147.32.96.69 1800
PRIVMSG #zarasa48 :[ICMP]: Flooding: (147.32.96.69) for 1800 seconds.

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
Any question feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org