Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project in the CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files.

For any question, feel free to contact us:
Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir

file.clf

Weblogs
=======
The weblogs are files similar to the CLF file but with another format. They were generated with this command:

justniffer -f -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) - %response.code %response.size %source.port %request.size http://%request.header.host%request.url - %response.time %dest.ip %source.ip %response.header.content-type - %request.header.referer %request.header.user-agent" |
awk '{if ($12 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "($9*1000)" "$10" "$11" "substr($12,1,match($12,/\;/)-1)" "$14" "$15" "substr($0,index($0,$16)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "($9*1000)" "$10" "$11" "$12" - "$14" "$15" "substr($0,index($0,$16))}' |
awk '{printf "%s %s %s %s %s %s %s %s %.0f %s %s %s %s %s %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, substr($0,index($0,$16))}' |
grep -v "Mb\|rZl" > $1.weblog

# The last grep is to avoid some lines with binary data. Sometimes the botnet uses these ports but not for HTTP, so we delete those lines.

Netflows
========
The netflows are generated using the 2013-08-12_argus.conf file, the 2013-08-12_ra.conf file and the 2013-08-12_ralabel.conf file. We are using bidirectional argus records. The commands used are:

1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this is to add the labels to the argus file)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.
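As an added example (not part of this README or of the Malware Capture Facility tooling), here is a Python parser for the .weblog lines that the justniffer/awk pipeline above produces. The field order is derived from the -l format string and the two awk passes: 15 logical fields separated by single spaces, of which only the trailing user-agent may itself contain spaces. The sample lines embedded in it are constructed; the host names and IP addresses in them are placeholders, not values from the captures. It also shows the practical check a consumer of these files wants: a line from non-HTTP traffic on ports 80/8080/3128 (the case the final grep tries to remove) is rejected instead of crashing the parser.

```python
"""Parser for the .weblog format produced by the justniffer/awk pipeline.

Added example, not the dataset's own tooling. Field layout after the awk
passes (derived from the justniffer -l format string):

  ts - code resp_size src_port req_size url - resp_time_ms dst_ip src_ip
  content_type - referer user_agent...
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, Iterator, List, Optional, Set


@dataclass(frozen=True)
class WeblogRecord:
    timestamp: int          # %request.timestamp2(%s): seconds since the epoch
    response_code: int
    response_size: int
    source_port: int
    request_size: int
    url: str                # "http://" + Host header + request URL
    response_time_ms: int   # %response.time, scaled by 1000 in the first awk
    dest_ip: str
    source_ip: str
    content_type: str       # cut at ';' by the first awk, so no charset part
    referer: str
    user_agent: str

    @property
    def host(self) -> str:
        """The Host header value, recovered from the url field."""
        return self.url[len("http://"):].split("/", 1)[0]


def parse_weblog_line(line: str) -> Optional[WeblogRecord]:
    """Return a WeblogRecord, or None if the line does not fit the format.

    Lines produced by non-HTTP sessions on the captured ports fail the
    field-count, separator or type checks, so callers can skip them.
    """
    # maxsplit=14 keeps the space-containing user-agent as one field.
    parts = line.rstrip("\r\n").split(" ", 14)
    if len(parts) != 15:
        return None
    # Fields 2, 8 and 13 are literal "-" separators in this format.
    if (parts[1], parts[7], parts[12]) != ("-", "-", "-"):
        return None
    try:
        timestamp = int(parts[0])
        response_code = int(parts[2])
        response_size = int(parts[3])
        source_port = int(parts[4])
        request_size = int(parts[5])
        response_time_ms = int(parts[8])
        dest_ip = str(ip_address(parts[9]))
        source_ip = str(ip_address(parts[10]))
    except ValueError:          # non-numeric field or malformed IP address
        return None
    if not parts[6].startswith("http://") or not 0 < source_port < 65536:
        return None
    return WeblogRecord(timestamp, response_code, response_size, source_port,
                        request_size, parts[6], response_time_ms, dest_ip,
                        source_ip, parts[11], parts[13], parts[14])


def parse_weblog(lines: Iterable[str]) -> Iterator[WeblogRecord]:
    """Yield the well-formed records and drop the rest."""
    for line in lines:
        record = parse_weblog_line(line)
        if record is not None:
            yield record


def hosts_per_client(records: Iterable[WeblogRecord]) -> Dict[str, Set[str]]:
    """Map each client (source) IP to the set of HTTP hosts it contacted."""
    result: Dict[str, Set[str]] = {}
    for r in records:
        result.setdefault(r.source_ip, set()).add(r.host)
    return result


# Constructed sample input: three well-formed lines and one garbage line.
# Hosts and IPs are placeholders (.invalid TLD, documentation ranges).
SAMPLE_WEBLOG = """\
1374063790 - 200 1532 1044 412 http://example.invalid/ - 123 192.0.2.10 10.0.2.26 text/html - - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
1374063791 - 200 0 1045 611 http://example.invalid/?ptrxcz_constructed - 87 192.0.2.10 10.0.2.26 application/octet-stream - - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
1374063792 - 404 0 1046 98 http://other.invalid/Sm7mB.exe - 310 198.51.100.7 10.0.2.27 text/html - http://example.invalid/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
1374063793 - garbage bytes from a non-HTTP session
"""


def parse_sample() -> List[WeblogRecord]:
    return list(parse_weblog(SAMPLE_WEBLOG.splitlines()))


if __name__ == "__main__":
    for rec in parse_sample():
        print(rec.source_ip, "->", rec.host, rec.response_code, rec.content_type)
```

Feed a real .weblog file to parse_weblog line by line; hosts_per_client then gives, per infected VM, the set of domains it talked to, which is the kind of question the Traffic Analysis section below is asking.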
Pcap
====
The pcap capture files were done by VirtualBox, because the VMs were NATed. This means that all the captures start on 19707/1/1 because of a bug in VirtualBox. Therefore, the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not being published, but can be requested by mail.

Generic info
------------
Binary used: 8219s.exe
MD5: c8c9b3d2247943049d895f2a111d8379
Probable Name: ZeuS
Virustotal link:
Infected Machines:
Windows Name: Win12, IP: 10.0.2.26 (Label: Botnet-V1)
Windows Name: Win13, IP: 10.0.2.27 (Label: Botnet-V2)
Windows Name: Win14, IP: 10.0.2.28 (Label: Botnet-V3)

Histogram of labels
===================
For Win12
---------
7994 Background-ARP
20101 From-Botnet-V1-UDP-Establishedd
169603 Background
355736 From-Botnet-V1-TCP-Established
713670 From-Botnet-V1-SPAM
945167 From-Botnet-V1-UDP-Attempt
1059638 From-Botnet-V1-DNS
2734526 From-Botnet-V1-TCP-Attempt

For Win13
---------
20826 Background-ARP
38548 From-Botnet-V2-UDP-Establishedd
314928 Background
596683 From-Botnet-V2-TCP-Established
1462665 From-Botnet-V2-UDP-Attempt
1499248 From-Botnet-V2-SPAM
2158620 From-Botnet-V2-DNS
6053197 From-Botnet-V2-TCP-Attempt

For Win14
---------
1
19105 Background-ARP
31020 From-Botnet-V3-UDP-Establishedd
192845 Background
335078 From-Botnet-V3-UDP-Attempt
408641 From-Botnet-V3-TCP-Established
1347051 From-Botnet-V3-SPAM
1890639 From-Botnet-V3-DNS
5959628 From-Botnet-V3-TCP-Attempt

Timeline
========
Wed Jul 17 14:03:28 CEST 2013 Infect Win12
Wed Jul 17 14:05:29 CEST 2013 Infect Win13
Wed Jul 17 14:07:22 CEST 2013 Infect Win14
Fri Jul 19 12:01:15 CEST 2013 I just saw that the malware is sending spam.

Traffic Analysis
================
The malware used google.cz. Maybe to check if there is internet?
It used some strange domain names, but they were all sinkholed (sinhole.fitsec.com). This means that the botnet was taken down in the past. Is it still working?
X-Sinkhole: malware-sinkhole

Some example URLs:

POST /?ptrxcz_axJf1Nj6RoAWsEaxIe1Ni5RoAVsEaw (PushDo?)
GET /Sm7mB.exe

POST /?ptrxcz_oAWtEaxJf1Nj6RoAWtEaxJe1Nj6RoA HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/octet-stream
Content-Length: 199
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: todito.com
Connection: Keep-Alive
Cache-Control: no-cache

8gQ6ws3qni3JR6diUYP6ZJXdhwotlWfQUZDIriEDqWBwNXtu8Kq/YfrkHevf76LiWPwLixaD9ZTfCZtW+1/ryVAfAalMeYcWKj1B09/wEUfhTGp9Dvv0TS/s87L0WwoowJZZqnCz0yduLbbL5E5CrUkpURaP/xHlIIhoNx6JHdPNXE68F0U/

There is more info

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: ovxswpduosooozuwumeacqzxmz.info

The CC is maybe web-based

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: hmraeqijkjzluxpxrclfyeqs.info
Connection: Close

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Wed, 17 Jul 2013 12:23:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=c58d844a208a33691efa73a80c0822da|147.32.83.216|1374063790|1374063790|0|1|0
Set-Cookie: snkz=147.32.83.216

This domain seems to be the only one receiving information.

Flows:
Last flow analyzed: with this command:
ra -F 2013-08-12_ra.conf -r 2013-08-20_capture-win12.biargus -Z b -n | less -S
I was analyzing near this connection: TCP 217.197.136.190 4060

We should generate the dns.names files for the last TWO pcap files

CC to strange domains
193.166.255.171 80
166.78.144.80 80
96.43.141.186 80
166.78.144.80 80
195.22.26.231 80
173.246.102.202 80

CC? P2P?
85.72.58.86 27324 UDP
194.36.163.54 9227 UDP
194.36.163.54 8280 UDP
107.217.117.139 8593 UDP
217.197.136.190 7600 UDP
112.135.16.221 24778 UDP
176.41.140.102 6044 UDP
99.72.61.142 18994 UDP

These hosts received both UDP and TCP connections:
UDP 99.72.61.142 18994
TCP 99.72.61.142 13948
UDP 217.197.136.190 7600
TCP 217.197.136.190 4060