########################################################
Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project in the CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflows files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir: vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors.
########################################################


CLF
===
The CLF (Common Log Format) file contains the web logs of the pcap file as extracted by the justniffer tool. The command used was:
justniffer -p "port 80 or port 8080 or port 3128" -f file.pcap > file.clf


Weblogs
=======
The weblogs are files similar to the CLF file but with a different format. They were generated with this command:

justniffer -f $1 -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer \"%request.header.user-agent\"" |awk '{if ($11 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "$10" "substr($11,1,match($11,/\;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "substr($0,index($0,$10))}'|awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}' > $FILE.weblog
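An added example (not part of the dataset's own tooling) that parses the weblog records the pipeline above emits, twelve space-separated columns followed by the quoted user-agent, and tallies the 3xx answers per source/destination pair, the "document was moved" replies noted in the timeline; the sample lines, hostnames and IPs are constructed placeholders, not dataset data.

```python
import re
from collections import Counter

# Constructed sample in the layout the justniffer/awk pipeline above emits
# (ts dst_port code resp_size src_port req_size url conn_ms dst_ip src_ip
#  content_type referer "user-agent"); hosts and IPs are placeholders.
SAMPLE_WEBLOG = """\
1378803820.123 80 301 312 49152 410 http://example.invalid/index.html 152 203.0.113.10 10.0.2.109 text/html http://example.invalid/ "Mozilla/4.0 (compatible; MSIE 7.0)"
1378803821.456 80 200 1024 49153 380 http://example.invalid/a.gif 87 203.0.113.10 10.0.2.109 image/gif - "Mozilla/4.0 (compatible; MSIE 7.0)"
1378803822.789 8080 302 290 49154 400 http://example.invalid/login 203 203.0.113.10 10.0.2.109 text/html - "Mozilla/4.0 (compatible; MSIE 7.0)"
"""

FIELDS = ("ts", "dst_port", "resp_code", "resp_size", "src_port", "req_size",
          "url", "conn_ms", "dst_ip", "src_ip", "content_type", "referer")
INT_FIELDS = ("dst_port", "resp_code", "resp_size", "src_port", "req_size", "conn_ms")

# Twelve whitespace-free columns, then the quoted user-agent (which may contain spaces).
LINE_RE = re.compile(r"^" + r" ".join([r"(\S+)"] * 12) + r' "(.*)"$')


def parse_weblog_line(line):
    """Return a dict for one weblog record, or None if the line is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()[:12]))
    rec["user_agent"] = m.group(13)
    rec["ts"] = float(rec["ts"])          # epoch seconds, %.3f from the second awk
    for key in INT_FIELDS:                # conn_ms is already in milliseconds
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    return rec


def redirect_counts(weblog_text):
    """Count 3xx answers per (source ip, destination ip) pair; malformed lines are skipped."""
    counts = Counter()
    for line in weblog_text.splitlines():
        rec = parse_weblog_line(line)
        if rec and rec["resp_code"] is not None and 300 <= rec["resp_code"] < 400:
            counts[(rec["src_ip"], rec["dst_ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for pair, n in redirect_counts(SAMPLE_WEBLOG).items():
        print(pair, n)
```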

Netflows
========
The netflows are generated using the 2013-08-12_argus.conf, 2013-08-12_ra.conf and 2013-08-12_ralabel.conf files. We are using bidirectional argus records.
The commands used are:
1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this replaces the argus file with its labeled version)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Pcap
====
The pcap capture files were produced by VirtualBox, because the VMs were NATed. Because of a bug in VirtualBox, all the captures have timestamps starting on 19707/1/1, so the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not being published, but can be requested by mail.


Generic info
------------
Binary used:  omQUd.exe
Md5: 76f6ec1ee2c62f2e768477e3d80e3b2c
Probable Name: 
Virustotal link: 

Infected Machines:
Windows Name: Win9, IP: 10.0.2.109 (Label: Botnet-V1)
Windows Name: Win5, IP: 10.0.2.105 (Label: Botnet-V2)


Timeline
========
Tue Sep 10 11:03:40 CEST 2013

Win9 infected

Malware deleted itself when launched; it generated a lot of encrypted traffic..

The experiment is running..


Tue Sep 10 12:00:46 CEST 2013
Win5 infected

Malware has deleted itself and is trying some encrypted communication; leaving it running...

Tue Sep 10 16:42:09 CEST 2013
Only encrypted communication in the log, with a few particular IP addresses.. Very interesting..

Some normal TCP requests for HTML pages, but the answers always say that the document was moved...

Keep that running..


Tue Sep 10 16:48:49 CEST 2013
There is encrypted communication, a few TCP and also UDP handshakes... still running..


Fri Sep 13 15:47:42 CEST 2013
There is periodicity in the SSL, TCP and UDP connections. Not so much traffic, but it periodically asks and gets answers..

Wed Nov  6 10:42:04 CET 2013
Win5 stopped.

Wed Nov  6 10:42:41 CET 2013
Win9 stopped.

Traffic Analysis
================
