Index of /publicDatasets/CTU-Malware-Capture-Botnet-50

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]Neris.exe.zip2015-12-16 10:28 46K 
[TXT]README.html2017-05-21 18:39 11K 
[TXT]README.md2017-05-21 18:39 8.6K 
[TXT]botnet-capture-20110817-bot.html2015-05-14 12:40 147M 
[   ]botnet-capture-20110817-bot.json2015-05-14 12:40 249M 
[   ]botnet-capture-20110817-bot.pcap2011-08-17 17:14 1.0G 
[DIR]bro/2017-04-17 12:50 -  
[   ]capture20110817.binetflow.2format2017-05-08 20:38 491M 
[   ]capture20110817.pcap.netflow.labeled2014-06-16 09:38 768M 
[   ]capture20110817.truncated.pcap.bz22015-07-21 06:41 1.7G 
[DIR]detailed-bidirectional-flow-labels/2015-05-14 11:55 -  
[   ]normal-capture-20110817.pcap2016-02-28 12:21 2.5M 

CTU-Malware-Capture-Botnet-50 or Scenario 9 in the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - Windows XP Name: SARUMAN,  IP: 147.32.84.165 (Label: Botnet). Amount of bidirectional flows: 22792
    - Windows XP Name: SARUMAN1, IP: 147.32.84.191 (Label: Botnet). Amount of bidirectional flows: 18774
    - Windows XP Name: SARUMAN2, IP: 147.32.84.192 (Label: Botnet). Amount of bidirectional flows: 20305
    - Windows XP Name: SARUMAN3, IP: 147.32.84.193 (Label: Botnet). Amount of bidirectional flows: 17961
    - Windows XP Name: SARUMAN4, IP: 147.32.84.204 (Label: Botnet). Amount of bidirectional flows: 18783
    - Windows XP Name: SARUMAN5, IP: 147.32.84.205 (Label: Botnet). Amount of bidirectional flows: 17535
    - Windows XP Name: SARUMAN6, IP: 147.32.84.206 (Label: Botnet). Amount of bidirectional flows: 18553
    - Windows XP Name: SARUMAN7, IP: 147.32.84.207 (Label: Botnet). Amount of bidirectional flows: 15999
    - Windows XP Name: SARUMAN8, IP: 147.32.84.208 (Label: Botnet). Amount of bidirectional flows: 17909
    - Windows XP Name: SARUMAN9, IP: 147.32.84.209 (Label: Botnet). Amount of bidirectional flows: 16376

- Normal hosts:
    - 147.32.84.170 (amount of bidirectional flows: 15806, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (amount of bidirectional flows: 9419, Label: Normal-V42-Jist)
    - 147.32.84.164 (amount of bidirectional flows: 4432, Label: Normal-V42-Grill)
    - 147.32.87.36 (amount of bidirectional flows: 111, Label: CVUT-WebServer. This normal host is not so reliable since is a webserver)
    - 147.32.80.9 (amount of bidirectional flows: 116, Label: CVUT-DNS-Server. This normal host is not so reliable since is a dns server)
    - 147.32.87.11 (amount of bidirectional flows: 6, Label: MatLab-Server. This normal host is not so reliable since is a matlab server)

Important Label note

Please note that the labels of the flows generated by the malware start with "From-Botnet". The labels "To-Botnet" are flows sent to the botnet by unknown computers, so they should not be considered malicious perse. Also for the normal computers, the counts are for the labels "From-Normal". The labels "To-Normal" are flows sent to the botnet by unknown computers, so they should not be considered malicious perse.

Timeline

Wed Aug 17 12:01:01 CEST 2011

We started the overall pcap capture. We have the bandwith to 100kbps, but only for 147.32.84.165 ip address

We are going to start the VMs one by one, without infecting them while capturing the traffic. These traffic will serve as 'normal' packets. After that we will infect each of the vms but not at the same time. We will try to mimic a real infection.

Wed Aug 17 12:27:44 CEST 2011

We started the normal capture. This capture is used to know exactly how the windows computers behave when they are not infected.

Wed Aug 17 12:27:48 CEST 2011

We started the VM saruman

Wed Aug 17 12:29:34 CEST 2011

We started the VM saruman1

Wed Aug 17 12:30:53 CEST 2011

We started the VM saruman2

Wed Aug 17 12:32:18 CEST 2011

We started the VM saruman3

Wed Aug 17 12:33:44 CEST 2011

We started the VM saruman4

Wed Aug 17 12:35:07 CEST 2011

We started the VM saruman5

Wed Aug 17 12:37:45 CEST 2011

We started the VM saruman6

Wed Aug 17 12:39:17 CEST 2011

We started the VM saruman7

Wed Aug 17 12:40:39 CEST 2011

We started the VM saruman8

Wed Aug 17 12:42:08 CEST 2011

We started the VM saruman9

At 13:01:03 some strange packets were sent to 3389 port using TCP (RDP protocol). The connection was made from 82.162.140.147 IP address to 147.32.84.192. Our VM answer this. The remote IP (from rusia) tried to connect to the RDP using the user name 'a' (mstshash=a) and we think it was unsuccessful. This was a remote attack to our normal vm. Attack ended at 13:10:34

We have a lot of these attacks, but they are not from our bots. Every incoming SYN packet to our vms on 3389 port is an outside attack.

Wed Aug 17 14:19:20 CEST 2011

We stopped the normal capture. We continue with the overall capture.

Wed Aug 17 14:24:08 CEST 2011

We started the bot pcap capture. We are going to use the Neris malware. We infected saruman

RDP disabling:

Wed Aug 17 14:31:56 CEST 2011

We disable RDP on saruman8

Wed Aug 17 14:32:28 CEST 2011

We disable RDP on saruman6

Wed Aug 17 14:37:35 CEST 2011

We disable RDP on saruman7

Wed Aug 17 14:38:20 CEST 2011

We disable RDP on saruman5

Wed Aug 17 14:38:57 CEST 2011

We disable RDP on saruman4

Wed Aug 17 14:39:30 CEST 2011

We disable RDP on saruman3

Wed Aug 17 14:40:15 CEST 2011

We disable RDP on saruman1

Wed Aug 17 14:40:47 CEST 2011

We disable RDP on saruman

Wed Aug 17 14:41:30 CEST 2011

We disable RDP on saruman2

Wed Aug 17 14:42:05 CEST 2011

We disable RDP on saruman9

Wed Aug 17 14:43:20 CEST 2011

We infected saruman1

Wed Aug 17 14:48:20 CEST 2011

We infected saruman2

Wed Aug 17 14:54:45 CEST 2011

We infected saruman3

Wed Aug 17 14:56:07 CEST 2011

We infected saruman4

Wed Aug 17 14:57:58 CEST 2011

We infected saruman5

Wed Aug 17 15:00:42 CEST 2011

We infected saruman6

Wed Aug 17 15:01:56 CEST 2011

We infected saruman7

Wed Aug 17 15:03:13 CEST 2011

We infected saruman8

Wed Aug 17 15:04:54 CEST 2011

We infected saruman9

Wed Aug 17 16:01:00 CEST 2011

We change the bandwith to 1000kbps for 147.32.84.165

Wed Aug 17 16:26:08 CEST 2011

We stopped the traffic bandwith control

Wed Aug 17 16:37:50 CEST 2011

We add the 1000kbps bandwith to every IP.

Wed Aug 17 16:43:48 CEST 2011

We go to 10000kbps bandwith to every IP.

Wed Aug 17 16:55:44 CEST 2011

We go to 100000kbps bandwith to every IP.

Wed Aug 17 17:06:37 CEST 2011

We start stopping every vm

Wed Aug 17 17:10:28 CEST 2011

We end stopping every vm

Wed Aug 17 17:12:10 CEST 2011

We stopped both captures.

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
Any question feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org