Binary used: Neris.exe
It is a pcap capture with all the traffic (background, normal and botnet)
This pcap file was not made public because it contains too much private information about the users of the network.
This file was captured on the main router of the University network.
A capture with only the botnet traffic. This file is public.
This file was captured on the interface of the virtual machine being infected.
This file has the netflows generated by a unidirectional argus. The labels were assigned as follows:
- First, put Background on all the flows.
- Put LEGITIMATE on the flows that match some filters.
- Put Botnet on the flows that come to or from the infected IP addresses.

- Infected hosts:
  - Windows XP Name: SARUMAN, IP: 184.108.40.206 (Label: Botnet). Amount of bidirectional flows: 22792
  - Windows XP Name: SARUMAN1, IP: 220.127.116.11 (Label: Botnet). Amount of bidirectional flows: 18774
  - Windows XP Name: SARUMAN2, IP: 18.104.22.168 (Label: Botnet). Amount of bidirectional flows: 20305
  - Windows XP Name: SARUMAN3, IP: 22.214.171.124 (Label: Botnet). Amount of bidirectional flows: 17961
  - Windows XP Name: SARUMAN4, IP: 126.96.36.199 (Label: Botnet). Amount of bidirectional flows: 18783
  - Windows XP Name: SARUMAN5, IP: 188.8.131.52 (Label: Botnet). Amount of bidirectional flows: 17535
  - Windows XP Name: SARUMAN6, IP: 184.108.40.206 (Label: Botnet). Amount of bidirectional flows: 18553
  - Windows XP Name: SARUMAN7, IP: 220.127.116.11 (Label: Botnet). Amount of bidirectional flows: 15999
  - Windows XP Name: SARUMAN8, IP: 18.104.22.168 (Label: Botnet). Amount of bidirectional flows: 17909
  - Windows XP Name: SARUMAN9, IP: 22.214.171.124 (Label: Botnet). Amount of bidirectional flows: 16376
- Normal hosts:
  - 126.96.36.199 (amount of bidirectional flows: 15806, Label: Normal-V42-Stribrek)
  - 188.8.131.52 (amount of bidirectional flows: 9419, Label: Normal-V42-Jist)
  - 184.108.40.206 (amount of bidirectional flows: 4432, Label: Normal-V42-Grill)
  - 220.127.116.11 (amount of bidirectional flows: 111, Label: CVUT-WebServer. This normal host is not so reliable since it is a web server)
  - 18.104.22.168 (amount of bidirectional flows: 116, Label: CVUT-DNS-Server. This normal host is not so reliable since it is a DNS server)
  - 22.214.171.124 (amount of bidirectional flows: 6, Label: MatLab-Server. This normal host is not so reliable since it is a MatLab server)

Please note that the labels of the flows generated by the malware start with "From-Botnet". The "To-Botnet" labels are flows sent to the botnet by unknown computers, so they should not be considered malicious per se. Likewise, for the normal computers the counts above are for the "From-Normal" labels. The "To-Normal" labels are flows sent to the normal computers by unknown computers, so they should not be considered normal traffic of those hosts per se.
We started the overall pcap capture. We limited the bandwidth to 100kbps, but only for the 126.96.36.199 IP address.
We are going to start the VMs one by one, without infecting them, while capturing the traffic. This traffic will serve as 'normal' packets. After that we will infect each of the VMs, but not all at the same time. We will try to mimic a real infection.
We started the normal capture. This capture is used to know exactly how the windows computers behave when they are not infected.
We started the VM saruman
We started the VM saruman1
We started the VM saruman2
We started the VM saruman3
We started the VM saruman4
We started the VM saruman5
We started the VM saruman6
We started the VM saruman7
We started the VM saruman8
We started the VM saruman9
At 13:01:03 some strange packets were sent to port 3389 over TCP (the RDP protocol). The connection was made from the 188.8.131.52 IP address to 184.108.40.206. Our VM answered it. The remote IP (from Russia) tried to connect to RDP using the user name 'a' (mstshash=a) and we think it was unsuccessful. This was a remote attack on our normal VM. The attack ended at 13:10:34.
We have a lot of these attacks, but they are not from our bots. Every incoming SYN packet to our VMs on port 3389 is an outside attack.
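The two notes above (the labeling rules for the netflow file, and the observation that any incoming SYN to port 3389 on a VM is an outside attack rather than bot traffic) can be turned into a small script. The following is an added example, not code from the Stratosphere Lab or the CTU-13 tooling: it parses Argus-style binetflow CSV records, applies the Background / LEGITIMATE / Botnet precedence with the From-/To- distinction, and separately flags external RDP probes. The sample flows, the lab prefix, the infected and normal addresses (RFC 5737 ranges) and the single LEGITIMATE filter are all constructed assumptions; the README does not list the real filters.

```python
"""Label Argus-style flows the way the README describes and flag external
RDP probes.  Added example; all addresses and sample flows are constructed."""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumed lab topology (RFC 5737 documentation ranges, not the dataset's IPs).
LAB_NET = "192.0.2."                                 # prefix of the lab /24
INFECTED = {"192.0.2.10", "192.0.2.11"}              # SARUMAN VMs once infected
NORMAL = {"192.0.2.20": "Normal-V42-Stribrek",       # known clean hosts
          "192.0.2.53": "CVUT-DNS-Server"}

# Column order of the binetflow CSV (without the trailing Label column).
FIELDS = ["StartTime", "Dur", "Proto", "SrcAddr", "Sport", "Dir", "DstAddr",
          "Dport", "State", "sTos", "dTos", "TotPkts", "TotBytes", "SrcBytes"]

# Constructed sample records: an outside RDP probe, a DNS lookup by a normal
# host, bot-originated SMTP, an inbound flow to a bot, and unrelated traffic.
SAMPLE = """\
2011/08/10 13:01:03.000000,0.25,tcp,203.0.113.77,51234,->,192.0.2.20,3389,S_RA,0,0,2,120,60
2011/08/10 13:02:10.000000,1.00,udp,192.0.2.20,53111,<->,192.0.2.53,53,CON,0,0,2,180,70
2011/08/10 14:00:00.000000,3.10,tcp,192.0.2.10,1027,->,198.51.100.9,25,SPA_SPA,0,0,20,2400,1200
2011/08/10 14:00:05.000000,0.10,tcp,198.51.100.40,44444,->,192.0.2.11,6881,S_RA,0,0,2,120,60
2011/08/10 14:01:00.000000,0.50,tcp,192.0.2.30,40000,->,198.51.100.200,80,SPA_SPA,0,0,10,1500,700
"""


@dataclass
class Flow:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    direction: str
    state: str


def parse_flows(text: str) -> list[Flow]:
    """Read binetflow CSV rows (no header line) into Flow records."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [Flow(r["SrcAddr"], r["Sport"], r["DstAddr"], r["Dport"],
                 r["Proto"], r["Dir"], r["State"]) for r in rows]


# The README only says LEGITIMATE flows "match some filters"; this single
# predicate (DNS lookups against the lab resolver) is an illustrative assumption.
LEGITIMATE_FILTERS: list[Callable[[Flow], bool]] = [
    lambda f: f.proto == "udp" and f.dport == "53" and f.dst in NORMAL,
]


def label(flow: Flow) -> str:
    """Apply the README's precedence: Background, then LEGITIMATE, then the
    normal-host labels, and finally Botnet, which overrides everything."""
    lbl = "flow=Background"
    if any(match(flow) for match in LEGITIMATE_FILTERS):
        lbl = "flow=LEGITIMATE"
    # From-Normal when the known clean host initiates; To-Normal when an
    # unknown peer talks to it (not evidence about the peer).
    if flow.src in NORMAL:
        lbl = f"flow=From-{NORMAL[flow.src]}"
    elif flow.dst in NORMAL:
        lbl = f"flow=To-{NORMAL[flow.dst]}"
    # Only From-Botnet is traffic generated by the malware itself.
    if flow.src in INFECTED:
        lbl = "flow=From-Botnet"
    elif flow.dst in INFECTED:
        lbl = "flow=To-Botnet"
    return lbl


def summarize(flows: Iterable[Flow]) -> Counter:
    """Per-label flow counts, the way the README reports them per host."""
    return Counter(label(f) for f in flows)


def rdp_probes(flows: Iterable[Flow]) -> list[Flow]:
    """Incoming TCP flows to 3389 on a lab VM from outside the lab network.
    Argus puts the initiator's TCP flags before the underscore in State, so a
    leading 'S' means the outsider sent the SYN.  These are outside attacks,
    not bot activity, and must not be counted as Botnet traffic."""
    vms = INFECTED | set(NORMAL)
    return [f for f in flows
            if f.proto == "tcp" and f.dport == "3389" and f.dst in vms
            and not f.src.startswith(LAB_NET)
            and "S" in f.state.split("_")[0]]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for f in flows:
        print(f"{f.src}:{f.sport} {f.direction} {f.dst}:{f.dport}  {label(f)}")
    print(dict(summarize(flows)))
    print("RDP probes from:", [f.src for f in rdp_probes(flows)])
```

Run against a real binetflow file by replacing `SAMPLE` with the file contents (skipping the header and the existing Label column) and filling `INFECTED`, `NORMAL` and `LAB_NET` from the host list above; the Botnet rule running last is what guarantees that a bot talking to a normal host is still labeled From-Botnet.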
We stopped the normal capture. We continue with the overall capture.
We started the bot pcap capture. We are going to use the Neris malware. We infected saruman
We disabled RDP on saruman8
We disabled RDP on saruman6
We disabled RDP on saruman7
We disabled RDP on saruman5
We disabled RDP on saruman4
We disabled RDP on saruman3
We disabled RDP on saruman1
We disabled RDP on saruman
We disabled RDP on saruman2
We disabled RDP on saruman9
We infected saruman1
We infected saruman2
We infected saruman3
We infected saruman4
We infected saruman5
We infected saruman6
We infected saruman7
We infected saruman8
We infected saruman9
We changed the bandwidth limit to 1000kbps for 220.127.116.11
We stopped the traffic bandwidth control
We set the 1000kbps bandwidth limit on every IP.
We went to a 10000kbps bandwidth limit on every IP.
We went to a 100000kbps bandwidth limit on every IP.
We started stopping every VM
We finished stopping every VM
We stopped both captures.
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files. For any question, feel free to contact us: Sebastian Garcia: firstname.lastname@example.org. You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org