Index of /publicDatasets/CTU-Malware-Capture-Botnet-48

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]botnet-capture-20110816-sogou.pcap2011-08-16 14:17 18M 
[   ]capture20110816-2.pcap.netflow.labeled2011-12-07 22:17 43M 
[   ]ralabel-flowfilter.conf.generic2014-07-18 10:11 79K 
[DIR]detailed-bidirectional-flow-labels/2015-05-14 11:55 -  
[TXT]botnet-capture-20110816-sogou.html2015-05-14 12:09 6.1M 
[   ]botnet-capture-20110816-sogou.json2015-05-14 12:09 12M 
[   ]capture20110816-2.truncated.pcap.bz22015-07-20 15:10 106M 
[   ]sogou_explorer_silent_1.4.0.418_2136.exe.zip2015-12-16 10:28 4.0M 
[DIR]bro/2017-04-17 12:46 -  
[   ]capture20110816-2.binetflow.2format2017-05-08 20:36 27M 
[TXT]README.md2023-01-21 11:45 5.2K 
[TXT]README.html2023-01-21 11:45 5.9K 

CTU-Malware-Capture-Botnet-48 or Scenario 7 in the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - 147.32.84.165: Windows XP English version Name: SARUMAN. Label: Botnet. Amount of bidirectional flows: 126
- Normal hosts:
    - 147.32.84.170 (amount of bidirectional flows: 1614, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (amount of bidirectional flows: 584, Label: Normal-V42-Jist)
    - 147.32.84.164 (amount of bidirectional flows: 1040, Label: Normal-V42-Grill)
    - 147.32.87.36 (amount of bidirectional flows: 98, Label: CVUT-WebServer. This normal host is not so reliable since is a webserver)
    - 147.32.80.9 (amount of bidirectional flows: 2, Label: CVUT-DNS-Server. This normal host is not so reliable since is a dns server)

Important Label note

Please note that the labels of the flows generated by the malware start with “From-Botnet”. The labels “To-Botnet” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse. Also for the normal computers, the counts are for the labels “From-Normal”. The labels “To-Normal” are flows sent to the botnet by unknown computers, so they should not be considered malicious perse.

Timeline

Wed Aug 10 15:58:00 CEST 2011

Today we capture the neris bot along with the packets of the whole CTU department. We used an XP virtualbox machine with the 147.32.84.165 public ip address. The first hour of capture was only background and latter we run the malware until 5 minutes before ending. We limited the bandwith of the experiment to 20kbps in the output of the bot.

Traffic Analysis

The bot sent spam, connected to IRC, and use HTTP to do some ClickFraud.

The first netflow record of the bot is:
2011-08-10 06:04:24.863 0.000   UDP     147.32.84.165:1025      ->      147.32.80.9:53          INT     0       1       64      1       Botnet


Tue Aug 16 13:51:25 CEST 2011
We started the overall capture.

Bandwith is 100kBps.

"Windows XP English Version" -> 147.32.84.165 (SARUMAN)

Bot binary:
sogou_explorer_silent_1.4.0.418_2136.exe


bot capture file is:
botnet-capture-20110816-sogou.pcap

Overall capture file is:
capture20110816-2.pcap


Tue Aug 16 13:52:53 CEST 2011
We started the VM.


Tue Aug 16 13:56:07 CEST 2011
We started the capture and the bot.


Tue Aug 16 14:12:17 CEST 2011
We stopped the malware and both pcaps.

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
Any question feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org