Index of /publicDatasets/CTU-Malware-Capture-Botnet-53

Files in the directory (size, last modified):

- 3d3d%3F%3F%3F%3F.xls.exe.zip (660K, 2015-12-16 10:28)
- README.html (9.4K, 2017-05-21 18:35)
- README.md (8.4K, 2017-05-21 18:34)
- WARNING-WRONG-NETFLOW-capture20110818-2.pcap.netflow.labeled (37M, 2014-07-16 09:48)
- botnet-capture-20110819-bot.html (15M, 2016-05-10 10:46)
- botnet-capture-20110819-bot.json (28M, 2016-05-10 10:46)
- botnet-capture-20110819-bot.pcap (281M, 2011-08-19 11:46)
- bro/ (directory, 2017-04-17 12:53)
- capture20110819.binetflow.2format (77M, 2017-05-08 20:40)
- capture20110819.truncated.pcap.bz2 (219M, 2015-07-21 09:23)
- detailed-bidirectional-flow-labels/ (directory, 2015-05-14 11:55)

CTU-Malware-Capture-Botnet-53, also known as Scenario 12 in the CTU-13 dataset.

Description

Files

IP Addresses

- Infected hosts
    - 147.32.84.165: Windows XP, English version. Name: SARUMAN. Label: Botnet. Amount of bidirectional flows: 807
    - 147.32.84.191: Windows XP, English version. Name: SARUMAN1. Label: Botnet. Amount of bidirectional flows: 766
    - 147.32.84.192: Windows XP, English version. Name: SARUMAN2. Label: Botnet. Amount of bidirectional flows: 570
- Normal hosts:
    - 147.32.84.170 (amount of bidirectional flows: 4359, Label: Normal-V42-Stribrek)
    - 147.32.84.134 (amount of bidirectional flows: 2145, Label: Normal-V42-Jist)
    - 147.32.84.164 (amount of bidirectional flows: 1075, Label: Normal-V42-Grill)
    - 147.32.87.36 (amount of bidirectional flows: 32, Label: CVUT-WebServer. This normal host is not so reliable, since it is a web server)
    - 147.32.80.9 (amount of bidirectional flows: 3, Label: CVUT-DNS-Server. This normal host is not so reliable, since it is a DNS server)
    - 147.32.87.11 (amount of bidirectional flows: 1, Label: MatLab-Server. This normal host is not so reliable, since it is a MATLAB server)

Important Label note

Please note that the labels of the flows generated by the malware start with "From-Botnet". The labels "To-Botnet" mark flows sent to the infected hosts by unknown computers, so they should not be considered malicious per se. Likewise, the counts given above for the normal computers are for the labels "From-Normal". The labels "To-Normal" mark flows sent to the normal hosts by unknown computers, so they should not be attributed to the normal host itself.
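
As an added example (my code, not part of the dataset or its tooling), here is how that label rule is applied when reading the flow file with Python: only From-Botnet rows count as malicious, only From-Normal rows count as a normal host's own traffic, and the To-Botnet / To-Normal rows are kept apart instead of being folded into either class. The rows are constructed for the example, and the column layout is assumed to be the usual CTU-13 binetflow one (StartTime,...,Label); check the header line of capture20110819.binetflow.2format before using these column names on it.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample rows. The column layout is an assumption (the standard
# CTU-13 binetflow header); verify it against the real file's first line.
SAMPLE_BINETFLOW = """\
StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes,Label
2011/08/19 10:44:25.688258,0.000000,udp,58.153.244.139,7600,   ->,147.32.84.165,7600,INT,0,,1,1084,1084,flow=To-Botnet-V42-UDP
2011/08/19 10:44:31.010119,0.277543,tcp,147.32.84.165,1037,   ->,91.212.135.158,5678,CON,0,0,6,1800,340,flow=From-Botnet-V42-TCP-Established
2011/08/19 10:48:02.114000,0.000000,udp,147.32.84.191,7600,   ->,58.153.244.139,7600,INT,0,,1,100,100,flow=From-Botnet-V42-UDP-Attempt
2011/08/19 10:50:10.500000,0.002000,udp,147.32.84.170,51234,  <->,147.32.80.9,53,CON,0,0,2,200,70,flow=From-Normal-V42-Stribrek
2011/08/19 10:50:11.000000,0.001000,tcp,147.32.80.9,53,   ->,147.32.84.170,51234,CON,0,0,2,200,130,flow=To-Normal-V42-Stribrek
2011/08/19 10:51:00.000000,3550.18,udp,212.50.71.179,39678,  <->,147.32.84.229,13363,CON,0,0,12,875,413,flow=Background-UDP-Established
"""


def label_class(label: str) -> str:
    """Map one CTU-13 flow label to the class the README's label note defines."""
    name = label[len("flow="):] if label.startswith("flow=") else label
    if name.startswith("From-Botnet"):
        return "malicious"            # generated by an infected host
    if name.startswith("From-Normal"):
        return "normal"               # generated by a labeled normal host
    if name.startswith(("To-Botnet", "To-Normal")):
        return "to-labeled-host"      # sent TO a labeled host by an unknown peer: not malicious per se
    return "background"


def count_flows(binetflow_text: str):
    """Count flows per class, and per (source host, class) for the labeled hosts only."""
    per_class = Counter()
    per_host = Counter()
    for row in csv.DictReader(StringIO(binetflow_text)):
        cls = label_class(row["Label"])
        per_class[cls] += 1
        if cls in ("malicious", "normal"):
            per_host[(row["SrcAddr"], cls)] += 1
    return per_class, per_host


if __name__ == "__main__":
    classes, hosts = count_flows(SAMPLE_BINETFLOW)
    for cls, n in sorted(classes.items()):
        print(f"{cls:16s} {n}")
    for (host, cls), n in sorted(hosts.items()):
        print(f"{host:16s} {cls:10s} {n}")
```

Running this over the real flow file reproduces the "amount of bidirectional flows" numbers listed above only for the From-* classes; if the To-* rows are included the botnet counts are inflated by whatever unknown peers sent to the infected hosts.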

Timeline

Fri Aug 19 10:32:08 CEST 2011

We started the overall capture.

Bandwidth is 100 kbps and burst is 1000 kb.

Fri Aug 19 10:41:22 CEST 2011

We started the bot capture. This malware usually scans UDP ports.

Fri Aug 19 10:41:59 CEST 2011

We started the vm saruman.

Fri Aug 19 10:42:39 CEST 2011

We infected the vm.

Fri Aug 19 10:46:39 CEST 2011

We started saruman1 vm

Fri Aug 19 10:47:18 CEST 2011

We infected saruman1 vm

Fri Aug 19 10:49:09 CEST 2011

We started saruman2 vm

Fri Aug 19 10:50:25 CEST 2011

We infected saruman2 vm.

Fri Aug 19 10:53:11 CEST 2011

We changed the bandwidth limit to 5000 kbps and burst to 1000 kb, but we are not sure it worked. We see no change in the amount of flows. Perhaps we should wait some minutes.

Fri Aug 19 11:44:17 CEST 2011

We stopped the vms.

Fri Aug 19 11:45:29 CEST 2011

We stopped both captures.

Traffic Analysis

The bot uses a P2P protocol over UDP.

The P2P payloads are worth a closer look. For example, the 1056-byte datagram 2011-08-19 10:44:25.688258 IP 58.153.244.139.7600 > 147.32.84.165.7600: UDP, length 1056 carries a run of records that each start with the ZIP signature PK and end with a file name under /html/client/resource_new/ (p6.gif, reom.jpg, gametop.gif, newmovie-game.gif, client_YuanZhengol.jpg, ...), so the peer is sending part of a ZIP archive over the P2P port:

    E..<....n.Q/:.... T......(....E.x..YjG|.U..Q.7.2.>..Z........................./html/client/resource_new//p6.gifPK...........r.?..^M.8'...B..%.................../html/client/resource_new//reom.jpgPK...........r.?]..YY...Y...#.............'9..../html/client/resource_new//p
    8.gifPK...........r.?]...........(..............9..../html/client/resource_new//gametop.gifPK...........n-=K..........................;..../html/client/resource_new//newmovie-game.gifPK..........6.4=C..ai...V...,..............=..../html/client/resource_new//soft-100920.j
    pgPK............5=.........7..'.............~B..../html/client/resource_new//reom-1.jpgPK...........r.?........#...(..............`..../html/client/resource_new//newgame.gifPK...........r.?............)..............b..../html/client/resource_new//newmovie.gifPK.........
    ..r.?....W...W...#..............e..../html/client/resource_new//p5.gifPK...........r.??.......^...3..............e..../html/client/resource_new//client_YuanZhengol.jpgPK...........r.?3.(:Y^M......3.................../html/client/resource_new//client_WeiBiaoTi-2.jpgPK....
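
To see what those PK records are, here is an added example (my code, not part of the dataset or its tooling) that carves ZIP central-directory file names out of a raw UDP payload. It assumes the records are standard 46-byte central-directory headers (PK\x01\x02), which is consistent with the spacing between each PK and the path that follows it in the dump; the stand-in for the captured datagram is a constructed archive with the same paths, cut so that it begins mid-record the way the real datagram appears to.

```python
import io
import struct
import zipfile

# ZIP central-directory file header: signature, 6 shorts, 3 longs, 5 shorts,
# 2 longs = 46 fixed bytes, immediately followed by the file name.
CDIR_SIG = b"PK\x01\x02"
CDIR_FMT = "<4s6H3L5H2L"
CDIR_LEN = struct.calcsize(CDIR_FMT)   # 46

# Paths visible in the captured datagram (the archive itself is constructed).
SAMPLE_NAMES = [
    "/html/client/resource_new//p6.gif",
    "/html/client/resource_new//reom.jpg",
    "/html/client/resource_new//gametop.gif",
    "/html/client/resource_new//newmovie-game.gif",
    "/html/client/resource_new//client_YuanZhengol.jpg",
]


def carve_zip_names(payload: bytes) -> list[str]:
    """Return the file name of every complete central-directory record in payload.

    Scans for the signature instead of trusting archive structure, so it works on
    a datagram that starts or ends in the middle of the archive; records whose
    header or name runs past the end of the payload are skipped.
    """
    names = []
    pos = payload.find(CDIR_SIG)
    while pos != -1:
        if pos + CDIR_LEN <= len(payload):
            fields = struct.unpack_from(CDIR_FMT, payload, pos)
            name_len = fields[10]          # first of the 5 shorts: file name length
            start = pos + CDIR_LEN
            if start + name_len <= len(payload):
                names.append(payload[start:start + name_len].decode("utf-8", "replace"))
        pos = payload.find(CDIR_SIG, pos + 1)
    return names


def build_sample_datagram() -> bytes:
    """Constructed stand-in for the 1056-byte UDP payload: a small stored ZIP whose
    members carry the captured paths, with the start chopped so the first
    central-directory record is incomplete, as in the real datagram."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"GIF89a" + b"\x00" * 40)   # dummy member content
    data = buf.getvalue()
    first = data.find(CDIR_SIG)
    return data[first + 10:]   # begin 10 bytes into the first record


if __name__ == "__main__":
    for name in carve_zip_names(build_sample_datagram()):
        print(name)
```

To run it on the real traffic, extract the UDP payload of that datagram from botnet-capture-20110819-bot.pcap (tshark or scapy both work) and pass the bytes to carve_zip_names; the names alone (game and movie images, a client logo) already say this is a file-sharing payload rather than botnet signalling.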


Part of the content of the TCP connection 147.32.84.165.1037 > 91.212.135.158.5678 is shown below. After the handshake the bot sends the greeting HALLO and a report block (Hash, ID, Session, Domain, RBL, Sent, Failed, Catchall); the server answers with a session id and a configuration block (RBL server, Max-To, Max-Threads, ...) followed by Macro lists:

    14:41:31.010119 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [S], seq 3086438333, win 64240, options [mss 1460,nop,nop,sackOK], length 0
    E..0.2@...0^. T.[.........O.....p...............
    14:41:31.068836 IP 91.212.135.158.5678 > 147.32.84.165.1037: Flags [S.], seq 188364771, ack 3086438334, win 65535, options [mss 1460,sackOK,eol], length 0
    E..0t.@.1.      .[.... T......:7...O.p...S...........
    14:41:31.069146 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [.], ack 1, win 64240, length 0
    E..(.3@...0e. T.[.........O..:7.P.............
    14:41:31.069431 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [P.], seq 1:8, ack 1, win 64240, length 7
    E../.4@...0]. T.[.........O..:7.P.......HALLO

    14:41:31.227776 IP 91.212.135.158.5678 > 147.32.84.165.1037: Flags [.], ack 8, win 65535, length 0
    E..(v=@.1..[[.... T......:7...O.P.............
    14:41:31.228146 IP 147.32.84.165.1037 > 91.212.135.158.5678: Flags [P.], seq 8:128, ack 1, win 64240, length 120
    E....5@.../.. T.[.........O..:7.P.......Hash: 66b8864b660eae1bfb9750b1b3e9b449
    ID: svchosta
    Session:
    Domain: NA
    RBL: 0
    Sent: 0
    Failed: 0
    Catchall: 0

    14:41:31.287662 IP 91.212.135.158.5678 > 147.32.84.165.1037: Flags [.], seq 8:1468, ack 128, win 65535, length 1460
    E...v.@.1...[.... T......:7...P=P...W{..Session: bf3028de44a0da8f4f58c3663514c082
    IP: 147.32.84.165
    Keep-Alive: 1
    RBL: bl.spamcop.net
    Max-To: 6
    Max-Threads: 60
    ProxyLock: 0
    BlockCatchalls: 0
    Clear Buffers
    Macro: 26
    DIGIT
    0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    Macro: 385
    FMNAME
    james
    john
    robert
    michael
    william
    david
    richard
    charles
    joseph
    thomas

(The Macro blocks look like substitution lists for spam templates rather than a list of users or passwords to crack: DIGIT holds the digits 0-9 and FMNAME a list of first names. That reading fits the rest of the exchange, where the server configures a DNS blocklist to check (RBL: bl.spamcop.net), a recipient limit per message (Max-To: 6) and a thread count (Max-Threads: 60), and the bot reports Sent, Failed and Catchall counters. The most likely purpose is to generate sender and recipient names for spam.)
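
The exchange above, as an added example (my code, not the bot's or the dataset's): a parser for the port-5678 messages, with the two captured messages reconstructed as sample input. Two details are taken from the segment lengths in the dump: the 7-byte HALLO push is "HALLO\r\n", so the protocol uses CRLF line endings, and the bot's 120-byte report matches exactly with CRLF endings, a trailing space after "Session:" and an empty terminating line. The meaning of the number after "Macro:" is not established by the capture, so the parser records it but delimits each macro by the next "Macro:" line instead; the FMNAME list holds only the ten names visible in the dump.

```python
# Constructed from the exchange visible in the capture on TCP 5678.
CLIENT_HELLO = b"HALLO\r\n"                       # 7 bytes, as in the capture

CLIENT_REPORT = (                                # 120 bytes, as in the capture
    b"Hash: 66b8864b660eae1bfb9750b1b3e9b449\r\n"
    b"ID: svchosta\r\n"
    b"Session: \r\n"                              # empty: no session yet
    b"Domain: NA\r\n"
    b"RBL: 0\r\n"
    b"Sent: 0\r\n"
    b"Failed: 0\r\n"
    b"Catchall: 0\r\n"
    b"\r\n"
)

FIRST_NAMES = [b"james", b"john", b"robert", b"michael", b"william",
               b"david", b"richard", b"charles", b"joseph", b"thomas"]

SERVER_CONFIG = (
    b"Session: bf3028de44a0da8f4f58c3663514c082\r\n"
    b"IP: 147.32.84.165\r\n"
    b"Keep-Alive: 1\r\n"
    b"RBL: bl.spamcop.net\r\n"
    b"Max-To: 6\r\n"
    b"Max-Threads: 60\r\n"
    b"ProxyLock: 0\r\n"
    b"BlockCatchalls: 0\r\n"
    b"Clear Buffers\r\n"
    b"Macro: 26\r\n"
    b"DIGIT\r\n"
    + b"".join(b"%d\r\n" % d for d in range(10))
    + b"Macro: 385\r\n"                          # real list is longer; sample is truncated
    b"FMNAME\r\n"
    + b"".join(n + b"\r\n" for n in FIRST_NAMES)
)


def parse_message(data: bytes) -> dict:
    """Parse one message into headers, bare commands and macro lists.

    "Key: value" lines are headers (value may be empty); a line without a colon,
    such as "Clear Buffers", is a command; "Macro: N" starts a block whose next
    line is the macro name and whose following lines are its values, up to the
    next "Macro:" line or the end of the message. Accepts CRLF or LF.
    """
    lines = data.decode("ascii", errors="replace").splitlines()
    headers, commands, macros = {}, [], {}
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Macro:"):
            declared = int(line.split(":", 1)[1].strip())
            name = lines[i + 1] if i + 1 < len(lines) else ""
            values, j = [], i + 2
            while j < len(lines) and not lines[j].startswith("Macro:"):
                values.append(lines[j])
                j += 1
            macros[name] = {"declared": declared, "values": values}
            i = j
            continue
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
        elif line.strip():
            commands.append(line.strip())
        i += 1
    return {"headers": headers, "commands": commands, "macros": macros}


def spam_engine_indicators(client: dict, server: dict) -> dict:
    """Collect the fields that mark this as a spam-sending C&C session."""
    h = server["headers"]
    return {
        "bot_id": client["headers"].get("ID"),
        "bot_hash": client["headers"].get("Hash"),
        "session": h.get("Session"),
        "rbl": h.get("RBL"),
        "max_to": int(h.get("Max-To", 0)),
        "max_threads": int(h.get("Max-Threads", 0)),
        "macro_sizes": {name: len(m["values"]) for name, m in server["macros"].items()},
    }


if __name__ == "__main__":
    client = parse_message(CLIENT_REPORT)
    server = parse_message(SERVER_CONFIG)
    for key, value in spam_engine_indicators(client, server).items():
        print(f"{key:12s} {value}")
```

The same parser can be pointed at the reassembled TCP stream from botnet-capture-20110819-bot.pcap; the HALLO greeting, the "Hash:"/"ID:" report and a "RBL:" answer naming a blocklist on port 5678 are the fields to key a detection on, since they do not depend on the session id or on the macro contents.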

Disclaimer

These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows:
Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org