########################################################
Malware Capture Facility
CVUT University, Prague, Czech Republic

These files were generated as part of a research project at CVUT University, Prague, Czech Republic.
The goal is to store long-lived real botnet traffic and to generate labeled netflow files.
For any question, feel free to contact us:
Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
Vojtech Uhlir: vojtech.uhlir@agents.fel.cvut.cz

Disclaimer: You are free to use these files as long as you reference this project and the authors.
########################################################


CLF
===
The CLF (Common Log Format) file contains the web logs of the pcap file as extracted by the justniffer tool. The command used was:
justniffer -f file.pcap > file.clf


Weblogs
=======
The weblogs are files similar to the CLF file but with another format. They were generated with this command:

justniffer -f $1 -p "port 80 or port 8080 or port 3128" -l "%request.timestamp2(%s) %dest.port %response.code %response.size %source.port %request.size http://%request.header.host%request.url %connection.time %dest.ip %source.ip %response.header.content-type %request.header.referer %request.header.user-agent" |awk '{if ($11 ~ /\;/) print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "$10" "substr($11,1,match($11,/\;/)-1)" "$13" "$14" "substr($0,index($0,$15)); else print $1" "$2" "$3" "$4" "$5" "$6" "$7" "($8*1000)" "$9" "substr($0,index($0,$10))}'|awk '{printf "%.3f %s %s %s %s %s %s %.0f %s %s\n", $1, $2, $3, $4, $5, $6, $7, $8, $9, substr($0,index($0,$10))}'|grep -v "Mb\|rZl" > $FILE.weblog
# The last grep is to avoid some lines with binary data. Sometimes the botnet uses these ports but not for HTTP, so we delete those lines.
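The two awk stages and the final grep above are what turn raw justniffer output into the weblog layout, so it helps to see their field handling spelled out. The following is an added example (not part of the dataset's tooling) that re-implements them in Python over constructed sample lines and parses the result into named fields; it also keeps the referer aligned when a charset is attached to the content type without a space, a case the awk's fixed field positions do not handle.

```python
"""Python re-implementation of the weblog pipeline's two awk stages and final
grep. Added example, not part of the dataset's tooling. Raw field order follows
the justniffer -l format string: ts dport rcode rsize sport rqsize url conn_time
dip sip ctype referer ua..."""
import re
from typing import Dict, List, Optional

WEBLOG_FIELDS = ["ts", "dst_port", "resp_code", "resp_size", "src_port",
                 "req_size", "url", "conn_ms", "dst_ip", "src_ip",
                 "content_type", "referer", "user_agent"]

# Constructed sample input (not captured data); hosts are the ones named on this page.
RAW_LINES = [
    "1373547301.123456 80 200 1532 49152 412 http://ie.conduit-download.com/77/319/"
    "ct3192877/Downloads/IE/Releases/setup.ini.txt 0.0456 217.212.238.59 10.0.2.19 "
    "text/plain; charset=utf-8 - Mozilla/5.0 (Windows NT 5.1)",
    "1373547302.5 80 200 88 49153 301 http://199.101.114.117/ 0.012 199.101.114.117 "
    "10.0.2.19 text/html - Conduit Installer",
    # Non-HTTP junk on an HTTP port; "rZl" stands in for the binary the grep drops.
    "1373547303.0 8080 200 40 49154 20 http://10.0.2.19:8080/ 0.001 94.127.78.125 "
    "10.0.2.19 application/octet-stream - rZl",
]

def normalise(raw: str) -> Optional[str]:
    """One raw justniffer line -> one weblog line, or None if grep would drop it."""
    f = raw.split()
    if len(f) < 13:
        return None                              # cannot carry all 13 fields
    ctype, rest = f[10], f[11:]
    if ";" in ctype:
        # First awk: keep the media type, drop the "; charset=..." parameter.
        ctype, param = ctype.split(";", 1)
        if param == "":
            # "text/html; charset=utf-8" arrives as two tokens: skip the charset
            # token (the awk's $12). An attached ";charset=" stays in one token.
            rest = rest[1:]
    tail = " ".join([f[9], ctype] + rest)        # src_ip ctype referer ua...
    # Second awk: timestamp to 3 decimals, connection time seconds -> whole ms.
    line = "%.3f %s %s %s %s %s %s %.0f %s %s" % (
        float(f[0]), f[1], f[2], f[3], f[4], f[5], f[6], float(f[7]) * 1000, f[8], tail)
    return None if re.search(r"Mb|rZl", line) else line   # grep -v "Mb\|rZl"

def parse_weblog(line: str) -> Dict[str, str]:
    parts = line.split(" ", len(WEBLOG_FIELDS) - 1)  # user agent keeps its spaces
    if len(parts) != len(WEBLOG_FIELDS):
        raise ValueError("short weblog line: %r" % line)
    return dict(zip(WEBLOG_FIELDS, parts))

def convert(raw_lines: List[str]) -> List[Dict[str, str]]:
    return [parse_weblog(w) for w in map(normalise, raw_lines) if w is not None]
```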


Netflows
========
The netflows are generated using the 2013-08-12_argus.conf, 2013-08-12_ra.conf and 2013-08-12_ralabel.conf configuration files. We are using bidirectional argus records.
The command used is this:
1- argus -F argus.conf -r file.pcap -w file.argus
2- ralabel -f ralabel.conf -r file.argus -w file.argus.labeled
3- mv file.argus.labeled file.argus (this is to add labels to the argus file)
4- ra -F ra.conf -Z b -nr file.argus > file.argus.netflow.labeled

If you need the netflows without the labels, just regenerate them without the ralabel command.

Pcap
====
The pcap capture files were produced by VirtualBox, because the VMs were NATed. Because of a bug in VirtualBox, all the captures start on 19707/1/1. As a consequence, the pcap captures cannot be merged.

Labels
======
Labels were assigned using the ralabel program from the argus suite. The assignment rules are not being published, but can be requested by mail.


Generic info
------------
Binary used: 1_Jeu_Par_Jour.exe
Md5: 6d3034e2eac65f5f968c6e8f7a545795
Probable Name: ?
Virustotal link: https://www.virustotal.com/en/file/790ea18c31ac614291af3aa087f00f6c6908398248917b0ecbb7c67d5fa87304/analysis/

Infected Machines:
Windows Name: Win5, IP: 10.0.2.19 (Label: Botnet-V1)
Windows Name: Win6, IP: 10.0.2.20 (Label: Botnet-V2)


Timeline
========
Thu Jul 11 14:55:01 CEST 2013
Win5 infected
It seems like it tries to connect to web pages on conduit.com and tries to download something from one IP address. It checks the validation of the malware at other IP addresses.
The result is the message CONDUITOK, and it stops doing everything after 6 minutes of data exchange.

File executed, an installation opened; the installation was aborted to see what happens without it being finished.
It behaves immediately during the first 6 minutes.

Main traffic with 94.127.78.125 via TCP - HTTP:
It goes with GET /ps/conduitinstaller/conduitinstaller.exe HTTP/1.1\r\n
The TCP handshake works and it is active

199.101.115.1 receives a message with properties for conduit.com, such as:
_AUTOUPDATE_URL_=http://autoupdate.toolbar.conduit-services.com/Update/EB_TOOLBAR_ID/EB_TOOLBAR_VERSION\r\n

199.101.114.117: from this address it receives a "ConduitOK" HTTP message

94.127.76.80: HTTP command GET /77/319/ct3192877/Downloads/ChromeWebToolbar/ct3192877.txt HTTP/1.1\r\n and an encrypted message


217.212.238.59: HTTP command GET /77/319/ct3192877/Downloads/IE/Releases/setup.ini.txt HTTP/1.1\r\n with the property Host: ie.conduit-download.com


After approximately 6 minutes the whole data exchange is done and it stops doing everything.


Thu Jul 11 15:02:54 CEST 2013
File executed, application installed with all addons.
Same behavior as before.

Main traffic with 94.127.78.125 via TCP - HTTP:
It goes with GET /ps/conduitinstaller/conduitinstaller.exe HTTP/1.1\r\n
The TCP handshake works and it is active

199.101.115.1 receives a message with properties for conduit.com, such as:
_AUTOUPDATE_URL_=http://autoupdate.toolbar.conduit-services.com/Update/EB_TOOLBAR_ID/EB_TOOLBAR_VERSION\r\n

199.101.114.117: from this address it receives a "ConduitOK" HTTP message

94.127.76.80: HTTP command GET /77/319/ct3192877/Downloads/ChromeWebToolbar/ct3192877.txt HTTP/1.1\r\n and an encrypted message


217.212.238.59: HTTP command GET /77/319/ct3192877/Downloads/IE/Releases/setup.ini.txt HTTP/1.1\r\n with the property Host: ie.conduit-download.com



After approximately 6 minutes the whole data exchange is done and it stops doing everything.

------------------------------------------------------------------------------------------------------------------------------------------------------

It doesn't do anything even after 1 hour; experiment cancelled.


