Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project at CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled netflow files.

For any question, feel free to contact us:
Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir

file.clf

Weblogs
=======
The weblogs are files similar to the CLF file but with another format. They were generated with this command:

justniffer -f $1 -p "port 80 or port 8080 or port 3128" \
  -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer %request.header.user-agent" \
  | awk '{if ($11 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "$10" "substr($11,1,match($11,/\;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "substr($0,index($0,$10))}' \
  | awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}' \
  | grep -v "Mb\|rZl" > $FILE.weblog

# The last grep is to avoid some lines with binary data. Sometimes the botnet uses these ports but not for HTTP, so we delete them.

Netflows
========
The netflows are generated using the 2013-08-12_argus.conf file, the 2013-08-12_ra.conf file and the 2013-08-12_ralabel.conf file. We are using bidirectional argus records. The commands used are:

1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this is to add the labels to the argus file)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.
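A parser for the .weblog lines that the justniffer | awk pipeline in the Weblogs section produces, added here as an example (it is not part of the original capture notes). It assumes one record per line, single-space separators and that headers justniffer did not see are printed as "-", so the first 12 fields are always present and space-free; the sample lines and the .exe host are constructed.

```python
# Added example (not part of the original capture notes): a parser for the
# .weblog lines produced by the justniffer | awk pipeline above. Assumptions:
# one record per line, single-space separators, and headers justniffer did not
# see printed as "-", so the first 12 fields are always present and space-free.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class WeblogRecord:
    timestamp: float      # %request.timestamp2(%s), seconds, printed with %.3f
    dst_port: int
    status: int           # %response.code
    response_size: int
    src_port: int
    request_size: int
    url: str              # http://%request.header.host%request.url
    connection_ms: int    # %connection.time * 1000, printed with %.0f
    dst_ip: str
    src_ip: str
    content_type: str     # cut at the first ';' by the first awk pass
    referer: str
    user_agent: str       # remainder of the line, spaces included

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_weblog_line(line: str) -> WeblogRecord:
    # The first 12 fields contain no spaces; everything after them is the User-Agent.
    parts = line.rstrip("\n").split(" ", 12)
    if len(parts) != 13:
        raise ValueError(f"expected 13 fields, got {len(parts)}: {line!r}")
    return WeblogRecord(
        timestamp=float(parts[0]), dst_port=int(parts[1]), status=int(parts[2]),
        response_size=int(parts[3]), src_port=int(parts[4]), request_size=int(parts[5]),
        url=parts[6], connection_ms=int(parts[7]), dst_ip=parts[8], src_ip=parts[9],
        content_type=parts[10], referer=parts[11], user_agent=parts[12])


def executable_downloads(lines):
    """(src_ip, url) of every request whose path ends in .exe, like the /vThj.exe
    and /load23.exe requests noted in the traffic analysis section."""
    recs = (parse_weblog_line(l) for l in lines if l.strip())
    return [(r.src_ip, r.url) for r in recs if urlsplit(r.url).path.lower().endswith(".exe")]


# Constructed sample lines in the pipeline's output format (the .exe host is a placeholder).
SAMPLE_WEBLOG = """\
1373632469.106 80 200 2343 49167 271 http://gmuolojtytvgukdivxdrson.info/ 52 96.43.141.186 10.0.2.20 text/html - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)
1373604919.107 80 200 118784 51717 271 http://host-placeholder.invalid/vThj.exe 840 82.102.9.22 10.0.2.20 application/octet-stream - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)
"""
```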
Pcap
====
The pcap capture files were made by VirtualBox, because the VMs were NATed. This means that all the captures start on 1970/1/1 because of a bug in VirtualBox. Therefore, the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not being published, but can be requested by mail.

Generic info
------------
Binary used: 3ab45z.exe
Md5: d17b59049aa4cfc31c87515bb30f11f9 - The password of the zip is: infected
Probable Name: ?
Virustotal link: https://www.virustotal.com/en/file/dc991de6ae9989902c1e59d30050223de5a0c1327c2e54e0f6da8134e3f447ca/analysis/
Infected Machines:
Windows Name: Win6, IP: 10.0.2.106 (Label: Botnet-V1)
Windows Name: Win8, IP: 10.0.2.108 (Label: Botnet-V2)
Windows Name: Win11, IP: 10.0.2.111 (Label: Botnet-V3)

Timeline
========
Fri Jul 12 14:08:47 CEST 2013 Today infected at cvut
Fri Jul 12 14:00:00 CEST 2013 APPROX Win8 infected
Fri Jul 12 14:08:58 CEST 2013 Win6 infected.
Fri Jul 12 18:37:58 CEST 2013 Win11 infected

Traffic Analysis
================
BEHAVIOR ANALYSIS:
Using google.cz to check whether it has an internet connection.
Trying to access domains over SSL:
verisign-grs
mfkntvopmdfujkbydwohea
mfkntvopmdfujkbydwohea

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: yhlnibrgxwxplfjsoauondhunv.com
Connection: Close

GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: gmuolojtytvgukdivxdrson.info
Connection: Close

GET command for a server:
HTTP/1.1 200 OK
Date: Fri, 12 Jul 2013 12:34:29 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.21
Vary: Accept-Encoding,User-Agent
Content-Length: 2343
Content-Type: text/html; charset=UTF-8
Connection: close

top.location="http://gmuolojtytvgukdivxdrson.info/?fp=dFeRpXK4jPG%2BE%2B4tpaUhru%2FCbP57L2HhhnS91eIY2no5DvRG94gSxIBoUgreqKYmCnV5Z%2Fl6DXBqcku3YFvruQ%3D%3D&prvtof=37G5LWfJnM3A4q8SP49gXE WgzHpzUYcvdHAbSqmbiG4%3D&poru=q6pC6TbqWI93ngOF3u%2BVsYS95vZshK7RrXo7TmgeD4IbqD1DRaQNPFy4XJbaKhX3zi%2BmdJJpRnehi%2BIJuu0ryg%3D%3D&cifr=1&";
<body bgcolor="#ffffff" text="#000000">
<a href="http://gmuolojtytvgukdivxdrson.info/?fp=dFeRpXK4jPG%2BE%2B4tpaUhru%2FCbP57L2HhhnS91eIY2no5DvRG94gSxIBoUgreqKYmCnV5Z%2Fl6DXBqcku3YFvruQ%3D%3D&prvtof=JaJmZBG1PtGMMvWdS6h1DUJvY200xBDogrdMpBZOK0c%3D&poru=7vIVSZVtcpZWcoq2J8sWwPOZYZ8GvEIfrkA%2BPdrWThePfDyDI6j9QzzcDTxcOP84HyOmIRWaVHafAZiRH55Pag%3D%3D&">Click here to proceed</a>.

The IP doesn't correspond with the IP of the infected computer:
GET / HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
Host: hmraeqijkjzluxpxrclfyeqs.info
Connection: Close

HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Mon, 15 Jul 2013 06:35:43 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=4561a8f5fef0d9caa0f88d61f61d8447|194.228.13.52|1373870143|1373870143|0|1|0
Set-Cookie: snkz=194.228.13.52

whois 194.228.13.52
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '194.228.13.0 - 194.228.13.255'

inetnum: 194.228.13.0 - 194.228.13.255
netname: CGNAT
descr: NAT for xDSL
descr: Prague
country: CZ
admin-c: LET9-RIPE
tech-c: LET9-RIPE
status: ASSIGNED PA
mnt-by: AS5610-MTN
source: RIPE # Filtered

person: Miroslav Letak
address: Telefonica O2 Czech Republic, a.s.
address: Za Brumlovkou 2
address: Prague 4 - 140 22
address: The Czech Republic
phone: +420 2 71466182
fax-no: +420 2 71466115
nic-hdl: LET9-RIPE
source: RIPE # Filtered

% Information related to '194.228.0.0/17AS5610'

route: 194.228.0.0/17
descr: CZ.CZNET
origin: AS5610
mnt-by: AS5610-MTN
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.67.4 (WHOIS1)

It seems that this IP is still ours, because of the redirection of the network traffic. It doesn't send spam. None.

@tcp connection: tcp 10.0.2.20 49167 -> 96.43.141.186 80 related to this skhqovlywtfeylueozkjw.info domain.

1970/01/01 01:41:49.046393 0.000000 flow=From-Botnet-V1-UDP-Attem* udp 10.0.2.20 27543 -> 190.255.84.209
From this point on, the malware tried to contact multiple destination IP addresses on different ports.

Interesting GET: GET /vThj.exe HTTP/1.1
04:55:19.106897 IP 10.0.2.20.51717 > 82.102.9.22.80: Flags [.], ack 1, win 64240, length 0
E..(S.@...@= ...Rf ....PRx.I....P.......
04:55:19.107105 IP 10.0.2.20.51717 > 82.102.9.22.80: Flags [P.], seq 1:272, ack 1, win 64240, length 271
E..7S.@...?- ...Rf ....PRx.I....P.......GET /vThj.exe HTTP/1.1

A second download:
07:01:43.553968 IP 10.0.2.20.52389 > 50.63.25.37.80: Flags [P.], seq 1:279, ack 1, win 64240, length 278
E..>v @...,9 ...2?.%...P...t....P...(...GET /load23.exe HTTP/1.1

Most of the domains are most likely generated by a DGA, but they might not be completely random. The output is in the DNS conclusion file: 2013-08-20_capture-win6.dns.names