Index of /publicDatasets/CTU-Malware-Capture-Botnet-51

| Name | Last modified | Size |
|---|---|---|
| Parent Directory | | - |
| README.html | 2017-05-21 18:39 | 17K |
| README.md | 2017-05-21 18:36 | 12K |
| botnet-capture-20110818-bot.html | 2015-05-14 12:34 | 357K |
| botnet-capture-20110818-bot.json | 2015-05-14 12:34 | 7.0K |
| botnet-capture-20110818-bot.pcap | 2011-08-18 15:37 | 66G |
| bro/ | 2017-04-17 12:52 | - |
| capture20110818.binetflow.2format | 2017-05-08 20:39 | 308M |
| capture20110818.pcap.netflow.labeled | 2016-08-02 08:42 | 489M |
| capture20110818.truncated.pcap.bz2 | 2015-07-21 10:22 | 596M |
| detailed-bidirectional-flow-labels/ | 2016-08-02 09:11 | - |
| rbot.exe.zip | 2015-12-16 10:28 | 106K |

CTU-Malware-Capture-Botnet-51 or Scenario 10 in the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - 147.32.84.165: Windows XP English version Name: SARUMAN. Label: Botnet. Amount of bidirectional flows: 9579
    - 147.32.84.191: Windows XP English version Name: SARUMAN1. Label: Botnet. Amount of bidirectional flows: 10454
    - 147.32.84.192: Windows XP English version Name: SARUMAN2. Label: Botnet. Amount of bidirectional flows: 10397
    - 147.32.84.193: Windows XP English version Name: SARUMAN3. Label: Botnet. Amount of bidirectional flows: 10009
    - 147.32.84.204: Windows XP English version Name: SARUMAN4. Label: Botnet. Amount of bidirectional flows: 11159
    - 147.32.84.205: Windows XP English version Name: SARUMAN5. Label: Botnet. Amount of bidirectional flows: 11874
    - 147.32.84.206: Windows XP English version Name: SARUMAN6. Label: Botnet. Amount of bidirectional flows: 11287
    - 147.32.84.207: Windows XP English version Name: SARUMAN7. Label: Botnet. Amount of bidirectional flows: 10581
    - 147.32.84.208: Windows XP English version Name: SARUMAN8. Label: Botnet. Amount of bidirectional flows: 11118
    - 147.32.84.209: Windows XP English version Name: SARUMAN9. Label: Botnet. Amount of bidirectional flows: 9894
- Normal hosts:
    - 147.32.84.170 (amount of bidirectional flows: 10216, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (amount of bidirectional flows: 1091, Label: Normal-V42-Jist)
    - 147.32.84.164 (amount of bidirectional flows: 3728, Label: Normal-V42-Grill)
    - 147.32.87.36 (amount of bidirectional flows: 99, Label: CVUT-WebServer. This normal host is not so reliable since it is a web server)
    - 147.32.80.9 (amount of bidirectional flows: 651, Label: CVUT-DNS-Server. This normal host is not so reliable since it is a DNS server)
    - 147.32.87.11 (amount of bidirectional flows: 4, Label: MatLab-Server. This normal host is not so reliable since it is a MatLab server)

Important Label note

Please note that the labels of the flows generated by the malware start with "From-Botnet". The labels "To-Botnet" mark flows sent to the botnet by unknown computers, so they should not be considered malicious per se. Likewise, for the normal computers, the counts are for the labels "From-Normal". The labels "To-Normal" mark flows sent to the normal hosts by unknown computers, so they should not be considered malicious per se either.
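As an added example (it is not part of the dataset's files nor of the Stratosphere project's tooling), the following Python applies the labelling rule above to netflow rows: it counts only From-Botnet flows toward the infected hosts and only From-Normal flows toward the normal hosts, leaves To-Botnet, To-Normal and Background flows unattributed, and cross-checks the attributed source addresses against the host list on this page. The CSV column layout and the label strings used in the sample are assumptions modelled on the CTU-13 binetflow files; the sample rows themselves are constructed, not taken from the capture.

```python
import csv
from collections import Counter

# Hosts listed in this README for scenario 10 (CTU-Malware-Capture-Botnet-51).
INFECTED_HOSTS = {
    "147.32.84.165", "147.32.84.191", "147.32.84.192", "147.32.84.193",
    "147.32.84.204", "147.32.84.205", "147.32.84.206", "147.32.84.207",
    "147.32.84.208", "147.32.84.209",
}
NORMAL_HOSTS = {
    "147.32.84.170", "147.32.84.134", "147.32.84.164",
    "147.32.87.36", "147.32.80.9", "147.32.87.11",
}

# Constructed sample rows. The column layout (Label as the last field, labels of the
# form "flow=From-Botnet-...") is an assumption about the CTU-13 binetflow CSV files;
# the timestamps, ports, states and byte counts below are made up for the example.
SAMPLE_BINETFLOW = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2011/08/18 11:53:01.000000,0.5,udp,147.32.84.165,1025,  ->,147.32.96.69,161,INT,0,0,10,15000,15000,flow=From-Botnet-V42-UDP-Attack
2011/08/18 11:53:02.000000,0.5,udp,147.32.84.165,1026,  ->,147.32.96.69,161,INT,0,0,10,15000,15000,flow=From-Botnet-V42-UDP-Attack
2011/08/18 11:53:03.000000,1.2,tcp,192.0.2.10,4000,  ->,147.32.84.165,445,S_,0,0,1,60,60,flow=To-Botnet-V42-TCP-Attempt
2011/08/18 11:53:04.000000,2.0,tcp,147.32.84.170,3456,  <->,198.51.100.7,80,CON,0,0,8,2400,900,flow=From-Normal-V42-Stribrek
2011/08/18 11:53:05.000000,0.1,tcp,192.0.2.11,5000,  ->,147.32.84.170,22,S_,0,0,1,60,60,flow=To-Normal-V42-Stribrek
2011/08/18 11:53:06.000000,0.3,udp,203.0.113.5,53,  <->,147.32.84.59,53,CON,0,0,2,200,100,flow=Background
"""


def classify_label(label):
    """Map a flow label to the host class it counts toward, following the README rule:
    only From-Botnet flows are the malware's own traffic and only From-Normal flows are
    counted for the normal hosts. To-Botnet, To-Normal and Background flows come from
    unknown computers and are attributed to neither class."""
    label = label.strip()
    if label.startswith("flow=From-Botnet"):
        return "botnet"
    if label.startswith("flow=From-Normal"):
        return "normal"
    return None


def count_attributed_flows(csv_text):
    """Count From-Botnet and From-Normal flows per source host; tally the rest by label."""
    counts = {"botnet": Counter(), "normal": Counter(), "unattributed": Counter()}
    for row in csv.DictReader(csv_text.splitlines()):
        label = row["Label"].strip()
        kind = classify_label(label)
        if kind is None:
            counts["unattributed"][label] += 1
            continue
        counts[kind][row["SrcAddr"].strip()] += 1
    return counts


def find_host_mismatches(counts):
    """Return sorted (kind, host) pairs where an attributed flow's source host is not in
    the README's host list for that class. A non-empty result means the label rule and
    the host table disagree, which is worth resolving before training a detector on the
    file."""
    mismatches = []
    for host in counts["botnet"]:
        if host not in INFECTED_HOSTS:
            mismatches.append(("botnet", host))
    for host in counts["normal"]:
        if host not in NORMAL_HOSTS:
            mismatches.append(("normal", host))
    return sorted(mismatches)


if __name__ == "__main__":
    c = count_attributed_flows(SAMPLE_BINETFLOW)
    for kind in ("botnet", "normal"):
        for host, n in sorted(c[kind].items()):
            print(f"{kind:7s} {host:15s} {n}")
    print("unattributed:", dict(c["unattributed"]))
    print("mismatches:", find_host_mismatches(c))
```

On the sample, the two From-Botnet rows count toward 147.32.84.165 and the single From-Normal row toward 147.32.84.170, while the To-Botnet, To-Normal and Background rows are tallied separately and never credited to a host. Swapping `SAMPLE_BINETFLOW` for the contents of a real labeled file is the intended use; if the column names differ from the assumed layout, adjust the `Label` and `SrcAddr` keys accordingly.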

Timeline

Thu Aug 18 10:19:02 CEST 2011

We started the overall capture. Bandwidth is limited to 10000kbps on every vm.

Thu Aug 18 10:46:34 CEST 2011

We started the bot capture.

Starting vms

Thu Aug 18 10:46:53 CEST 2011

We started saruman

Thu Aug 18 10:47:55 CEST 2011

We started saruman1

Thu Aug 18 10:54:20 CEST 2011

We started saruman2

Thu Aug 18 10:55:18 CEST 2011

We started saruman3

Thu Aug 18 10:56:13 CEST 2011

We started saruman4

Thu Aug 18 10:57:10 CEST 2011

We started saruman5

Thu Aug 18 10:58:49 CEST 2011

We started saruman6

Thu Aug 18 10:59:39 CEST 2011

We started saruman7

Thu Aug 18 11:00:10 CEST 2011

We started saruman8

Thu Aug 18 11:00:20 CEST 2011

We started saruman9

Thu Aug 18 11:00:43 CEST 2011

I connected to the C&C IRC channel from my non-public IP.

INFECTION

Thu Aug 18 11:03:05 CEST 2011

We infected saruman9

Thu Aug 18 11:03:52 CEST 2011

We infected saruman8

Thu Aug 18 11:04:20 CEST 2011

We infected saruman7

Thu Aug 18 11:04:46 CEST 2011

We infected saruman6

Thu Aug 18 11:05:13 CEST 2011

We infected saruman4

Thu Aug 18 11:05:41 CEST 2011

We infected saruman2

Thu Aug 18 11:06:10 CEST 2011

We infected saruman

Thu Aug 18 11:06:32 CEST 2011

We infected saruman1

Thu Aug 18 11:06:52 CEST 2011

We infected saruman3

Thu Aug 18 11:07:15 CEST 2011

We infected saruman5

Thu Aug 18 11:07:35 CEST 2011

We logged in and got some info: `.login zarasa48`, `.sysinfo`, `.netinfo`

Thu Aug 18 11:52:54 CEST 2011

We started the UDP attack against 147.32.96.69: `.udpflood 147.32.96.69 100000 1500 10 161`

Thu Aug 18 12:07:30 CEST 2011

We stopped the UDP flood because we were getting too many fragmented packets: `.udpstop`

Thu Aug 18 12:08:43 CEST 2011

We started the UDP flood again using only 1000 bytes per packet: `.udpflood 147.32.96.69 100000 1000 10 161`

Thu Aug 18 12:11:04 CEST 2011

We changed the bandwidth to 100000kbps.

Thu Aug 18 12:11:54 CEST 2011

We stopped the attack.

Thu Aug 18 12:12:20 CEST 2011

We started the UDP flood again using only 1000 bytes per packet: `.udpflood 147.32.96.69 100000 1000 10 161`

Thu Aug 18 12:13:32 CEST 2011

We removed the bandwidth limit, but no change in the amount of packets was seen.

Thu Aug 18 12:14:53 CEST 2011

We stopped the attack.

Thu Aug 18 12:16:44 CEST 2011

We tried `.synflood`, `ddos.syn` and `ddos.ack` but they did not work.

Thu Aug 18 12:18:15 CEST 2011

We used `.icmpflood 147.32.96.69 1000`

Thu Aug 18 12:18:45 CEST 2011

We set the bandwidth again to 100000kbps.

Thu Aug 18 11:31:31 CEST 2011

We stopped the ICMP flood. It was successful! I cannot ping the victim nor connect with ssh.

Thu Aug 18 12:33:26 CEST 2011

We started stopping all the vms.

Thu Aug 18 12:36:02 CEST 2011

We finished stopping the vms.

---- 1 hour later... ----

Thu Aug 18 13:46:31 CEST 2011

We started the vms again. Bandwidth is still at 100000kbps. The vms are already infected with the rbot.

Thu Aug 18 13:52:51 CEST 2011

We finished starting the vms.

Thu Aug 18 13:53:35 CEST 2011

We logged in to the vms using IRC: `.login zarasa48`

Thu Aug 18 13:56:52 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:05:48 CEST 2011

We changed the bandwidth to 1000000kbps.

Thu Aug 18 14:06:12 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:07:25 CEST 2011

We stopped the attack because it seemed not to be using the whole bandwidth.

Thu Aug 18 14:09:04 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:09:29 CEST 2011

We stopped the attack because it seemed not to be using the whole bandwidth.

Thu Aug 18 14:10:08 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:10:43 CEST 2011

We stopped the attack because it seemed not to be using the whole bandwidth.

Thu Aug 18 14:14:31 CEST 2011

We changed the bandwidth to 10000000kbps.

Thu Aug 18 14:14:47 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:15:59 CEST 2011

We stopped the attack because it seemed not to be using the whole bandwidth.

Thu Aug 18 14:29:28 CEST 2011

We changed the burst to 100kb and kept the bandwidth at 10000000kbps.

Thu Aug 18 14:30:02 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:30:38 CEST 2011

We stopped the attack because it seemed not to be using the whole bandwidth.

Thu Aug 18 14:39:52 CEST 2011

We changed the burst to 100kb and the bandwidth to 100000000kbps.

Thu Aug 18 14:41:27 CEST 2011

We started the UDP flood attack again.

Thu Aug 18 14:42:07 CEST 2011

We stopped the attack because it seemed not to be using the whole bandwidth.

Thu Aug 18 14:42:58 CEST 2011

We changed the burst to 100kb and the bandwidth to 1000000kbps.

Thu Aug 18 14:43:27 CEST 2011

We started the ICMP flood attack again.

Thu Aug 18 14:44:04 CEST 2011

We stopped the attack because it was using too much bandwidth, I think. I cannot ping the victim. I'm not sure that the attack really stopped...

Thu Aug 18 14:46:00 CEST 2011

We started powering off the vms.

Thu Aug 18 14:53:04 CEST 2011

We finished powering off the vms.

Thu Aug 18 14:56:55 CEST 2011

We started the vms again.

Thu Aug 18 14:58:53 CEST 2011

We finished starting the vms again.

Thu Aug 18 14:59:35 CEST 2011

We changed the burst to 100kb and the bandwidth to 10000kbps.

Thu Aug 18 15:00:17 CEST 2011

We logged in to the vms.

Thu Aug 18 15:00:46 CEST 2011

We started the ICMP flood attack again. The attack is working but I can ping the victim without problems.

Thu Aug 18 15:03:42 CEST 2011

We stopped the attack via IRC.

Thu Aug 18 15:04:31 CEST 2011

We started powering off the vms.

Thu Aug 18 15:07:29 CEST 2011

We finished powering off the vms.

Thu Aug 18 15:07:59 CEST 2011

We changed the burst to 100kb and the bandwidth to 100000kbps.

Thu Aug 18 15:12:50 CEST 2011

We started starting the vms.

Thu Aug 18 15:14:54 CEST 2011

We finished starting the vms.

Thu Aug 18 15:15:25 CEST 2011

We logged in to the vms.

Thu Aug 18 15:16:38 CEST 2011

We started saruman7 with the ICMP flood attack. 1000 seconds

Thu Aug 18 15:17:52 CEST 2011

We started saruman1 with the ICMP flood attack. 300 seconds only

Thu Aug 18 15:19:00 CEST 2011

We started saruman2 with the ICMP flood attack. 300 seconds only

I think here the attack was successful. No ping anymore.

Thu Aug 18 15:20:10 CEST 2011

We started saruman5 with the ICMP flood attack. 300 seconds only

Thu Aug 18 15:21:14 CEST 2011

We started saruman with the ICMP flood attack. 300 seconds only

Thu Aug 18 15:21:57 CEST 2011

We started saruman4 with the ICMP flood attack. 300 seconds only

Thu Aug 18 15:25:51 CEST 2011

I manually restarted saruman7 because it was going to continue sending packets. The rest of the bots stopped after 300 seconds.

Thu Aug 18 15:32:04 CEST 2011

We started saruman1 with the ICMP flood attack. 300 seconds only

Thu Aug 18 15:32:53 CEST 2011

We started saruman2 with the ICMP flood attack. 300 seconds only

Thu Aug 18 15:33:35 CEST 2011

We started saruman5 with the ICMP flood attack. 300 seconds only

At this point the attack was successful!!!!!!!! no ssh and no ping!!

Thu Aug 18 15:35:38 CEST 2011

The attack stopped by timeout.

Thu Aug 18 15:37:05 CEST 2011

We stopped all the vms

WARNING!! I think that, because the computer ran out of disk space, the overall capture file ended early.

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org