Index of /publicDatasets/CTU-Malware-Capture-Botnet-52

| Name | Last modified | Size |
| --- | --- | --- |
| rbot.exe.zip | 2015-12-16 10:28 | 106K |
| ralabel-flowfilter.conf.generic | 2015-02-02 09:48 | 220K |
| detailed-bidirectional-flow-labels/ | 2015-05-14 11:55 | - |
| capture20110818-2.truncated.pcap.bz2 | 2015-07-21 08:05 | 80M |
| capture20110818-2.pcap.netflow.labeled | 2014-07-16 09:50 | 37M |
| capture20110818-2.binetflow.2format | 2017-05-08 20:39 | 25M |
| bro/ | 2017-04-17 12:53 | - |
| botnet-capture-20110818-bot-2.pcap | 2011-08-18 15:55 | 4.0G |
| botnet-capture-20110818-bot-2.json | 2015-05-14 12:59 | 2.5K |
| botnet-capture-20110818-bot-2.html | 2015-05-14 12:59 | 352K |
| README.md | 2023-01-21 11:59 | 5.2K |
| README.html | 2023-01-21 12:00 | 6.4K |

CTU-Malware-Capture-Botnet-52, also known as Scenario 11 of the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - 147.32.84.165: Windows XP English version. Name: SARUMAN. Label: Botnet. Number of bidirectional flows: 4151
    - 147.32.84.191: Windows XP English version. Name: SARUMAN1. Label: Botnet. Number of bidirectional flows: 4006
    - 147.32.84.192: Windows XP English version. Name: SARUMAN2. Label: Botnet. Number of bidirectional flows: 7
- Normal hosts
    - 147.32.84.170 (number of bidirectional flows: 581, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (number of bidirectional flows: 11, Label: Normal-V42-Jist)
    - 147.32.84.164 (number of bidirectional flows: 2113, Label: Normal-V42-Grill)
    - 147.32.87.36 (number of bidirectional flows: 1, Label: CVUT-WebServer. This normal host is not so reliable, since it is a web server)
    - 147.32.80.9 (number of bidirectional flows: 1, Label: CVUT-DNS-Server. This normal host is not so reliable, since it is a DNS server)
    - 147.32.87.11 (number of bidirectional flows: 2, Label: MatLab-Server. This normal host is not so reliable, since it is a MATLAB server)

Important Label note

Please note that the labels of the flows generated by the malware start with “From-Botnet”. Labels starting with “To-Botnet” mark flows sent to the infected hosts by unknown computers, so they should not be considered malicious per se. Likewise, the flow counts given above for the normal computers are for the labels “From-Normal”. Labels starting with “To-Normal” mark flows sent to the normal hosts by unknown computers, so they should not be considered normal per se.

Timeline

This is an ICMP DoS against a single computer, carried out by an IRC botnet controlled by us. The whole capture is included.

Thu Aug 18 15:39:41 CEST 2011

We started the overall capture.

Thu Aug 18 15:45:44 CEST 2011

We started the bot capture.

Thu Aug 18 15:40:38 CEST 2011

We started booting only three VMs.

Thu Aug 18 15:48:07 CEST 2011

We finished booting the three VMs.

Thu Aug 18 15:48:28 CEST 2011

We started infecting them.

Thu Aug 18 15:49:20 CEST 2011

We finished infecting them.

Bandwidth is 100000 kbps with 1000 kb of burst.

Thu Aug 18 15:52:39 CEST 2011

We launched the ICMP attack from saruman1.

Thu Aug 18 15:52:58 CEST 2011

We launched the ICMP attack from saruman.

The attack was successful with only two computers!!!

Thu Aug 18 15:54:44 CEST 2011

The attack ended by timeout.

Thu Aug 18 15:55:13 CEST 2011

We stopped the vms.

Thu Aug 18 15:55:54 CEST 2011

The captures were stopped.

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org