Index of /publicDatasets/CTU-Malware-Capture-Botnet-91
Description
This capture was done in a real network of normal hosts, where we infected some of them with some malware.
Files
- .capinfos
- .dnstop
- mitm.out
- mitmproxy interception file of HTTP and HTTPS traffic
- .mitm.weblog
- This is the HTTP and HTTPS web log, including labels. This is the preferred file for web analysis.
- This file includes a header with the column names. There are two new columns defined by us:
- Column id: this number is unique to all the weblogs generated inside the same TCP connection. When a TCP connection is opened and several requests (GET, POST, etc.) are made inside it, all of them are assigned the same id in this file.
- Column timestamp_end: this is the timestamp when the weblog ended. Combined with the id column, it lets you compute the total duration of the TCP connection that generated all the weblogs, similar to the duration of a hypothetical CONNECT request if the traffic had gone through a proxy.
- .passivedns
- .pcap
- .rrd
- .weblogng
- Web log of HTTP traffic only, generated with justniffer.
- .exe.zip
- bro
- Folder with all the bro output files
- .biargus
- Argus binary file. Bidirectional flows, 3600s of report time.
- .binetflow
- Argus text file with bidirectional flows. Report time 3600 secs.
- .uniargus
- Argus binary file. Unidirectional flows, 5s of report time.
- .uninetflow
- Argus text file with unidirectional flows. Report time 5 secs. TAB as column separator.
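The id and timestamp_end columns of the .mitm.weblog file are meant to be combined: all requests sharing an id came from one TCP connection, so the connection lasted from the first request's start to the last request's end. The following Python is an added example of that computation; it is not part of the dataset. The column names other than id and timestamp_end, the TAB separator and the epoch-seconds timestamp format are assumptions, and the rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the spirit of the .mitm.weblog description.
# Assumptions (not the dataset's real layout): TAB-separated, a start column
# named "timestamp", epoch seconds for both timestamps. Only "id" and
# "timestamp_end" are column names the dataset description actually gives.
SAMPLE_WEBLOG = """\
timestamp\tid\tsrc_ip\tmethod\thost\turi\tstatus\ttimestamp_end\tlabel
1285260161.000\t1\t192.168.1.9\tGET\ttlknwgjshvg.info\t/search?q=6\t0\t1285260161.250\tFrom-Botnet
1285260161.300\t1\t192.168.1.9\tGET\ttlknwgjshvg.info\t/search?q=6\t0\t1285260164.000\tFrom-Botnet
1285260170.000\t2\t192.168.1.36\tGET\texample.org\t/\t200\t1285260170.400\tFrom-Normal
1285260180.000\t3\t192.168.1.71\tGET\tdzsspovc.cn\t/search/q=5\t0\t1285260180.050\tFrom-Botnet
1285260170.500\t2\t192.168.1.36\tGET\texample.org\t/style.css\t200\t1285260171.100\tFrom-Normal
"""


def connection_durations(weblog_text):
    """Group weblog rows by the per-TCP-connection 'id' column.

    Returns {id: (request_count, duration_seconds)}, where the duration runs
    from the earliest request start to the latest 'timestamp_end' of that id.
    Rows of one id need not be contiguous (connections interleave in the log),
    so everything is collected before the min/max is taken.
    """
    reader = csv.DictReader(io.StringIO(weblog_text), delimiter="\t")
    starts = defaultdict(list)
    ends = defaultdict(list)
    for row in reader:
        cid = row["id"]
        starts[cid].append(float(row["timestamp"]))
        ends[cid].append(float(row["timestamp_end"]))
    return {
        cid: (len(starts[cid]), round(max(ends[cid]) - min(starts[cid]), 3))
        for cid in starts
    }


def long_lived_connections(weblog_text, min_seconds):
    """Return the ids of connections whose total duration reaches min_seconds.

    Useful for separating a single long-lived connection carrying repeated
    requests from many short one-request connections.
    """
    return sorted(
        cid for cid, (_, dur) in connection_durations(weblog_text).items()
        if dur >= min_seconds
    )


if __name__ == "__main__":
    for cid, (count, duration) in connection_durations(SAMPLE_WEBLOG).items():
        print(f"id={cid}: {count} request(s), {duration:.3f} s")
    print("long-lived:", long_lived_connections(SAMPLE_WEBLOG, 1.0))
```

Grouping by id rather than by (source, destination) pair matters because a host that reopens connections to the same server gets a new id each time, so per-id durations reflect individual connections and not the whole conversation.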
IP Addresses
Normal Computers
Total normal hosts in the capture:
- 192.168.0.118
- 192.168.1.6
- 192.168.1.240
- 192.168.1.36
- 192.168.1.52
- 192.168.1.53
- 192.168.1.55
- 192.168.1.64
- 192.168.1.100
- 192.168.1.155 -> We didn't infect this one, but it shows some behavior as if it were infected with other malware. It tries to connect to all the NetBIOS and SMB protocols in the network! We consider it infected.
- 192.168.1.157
Infected Computers
The hosts we infected with the malware are:
- 192.168.1.9 -> msn, resolves some domains, tried some port 80, tlknwgjshvg.info answered on port 80, sent GET /search?q=6. Didn't receive any response. Keeps trying. Resolves more domains, some up. Web connection to dzsspovc.cn port 80, sends GET /search?q=6, no answer. Keeps resolving and trying to connect several times. There were 2 OK responses, both with only this: 0x0a0b0c0d0e0f0xwwddooppwddwd0909ssww
- 192.168.1.71 -> msn, resolves some domains, connects to some web ports, GET /search/q=5. Repeats this several times.
- 192.168.1.91 -> uppinghm.demon.co.uk, uppington1975.wanadoo.co.uk, uppington.fsnet.co.uk, uppingham22.fsnet.co.uk, uppinham.co.uk, uppleby.wanadoo.co.uk, uppinghm.demon.co.uk
- 192.168.1.236 -> baxall.com, bankexperts.co.uk
- 192.168.1.238 -> msn
- 192.168.1.239 -> willowtreehouse.co.uk, houndsditch-city.prontaprint.com
- 192.168.1.242
- 192.168.1.243 -> talk21.com(mx1.talk21.mail.yahoo), mx1.talk21.mail.yahoo.com, mx2.talk21.mail.yahoo.com
- 192.168.1.245
- 192.168.1.247 -> btinternet.com
DNS connections coming from Normal hosts
- 192.168.1.36-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.36-200.51.43.5-53-udp (No label because it is too small)
- 192.168.1.52-200.51.43.5-53-udp (No label because it is too small)
- 192.168.1.52-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.64-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.64-200.51.43.5-53-udp (No label because it is too small)
- 192.168.1.155-192.168.5.1-53-udp (No label because it is too small)
DNS connections coming from Botnet hosts:
- 192.168.1.155-200.51.43.5-53-udp (From-Botnet-UDP-DNS-No.Malware.Traffic-1)
- 192.168.1.236-192.168.5.1-53-udp (From-Botnet-UDP-DNS--2196)
- 192.168.1.236-200.51.43.5-53-udp (From-Botnet-UDP-DNS--2197)
- 192.168.1.238-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.238-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-3)
- 192.168.1.239-192.168.5.1-53-udp (From-Botnet-UDP-DNS--2198)
- 192.168.1.239-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-4)
- 192.168.1.242-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.242-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-5)
- 192.168.1.243-192.168.5.1-53-udp (From-Botnet-UDP-DNS--2199)
- 192.168.1.243-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-6)
- 192.168.1.245-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.245-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-7)
- 192.168.1.247-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.247-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-8)
- 192.168.1.71-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.71-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-9)
- 192.168.1.9-192.168.5.1-53-udp (No label because it is too small)
- 192.168.1.9-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA-10)
- 192.168.1.91-192.168.5.1-53-udp (From-Botnet-UDP-DNS--2200)
- 192.168.1.91-200.51.43.5-53-udp (From-Botnet-UDP-DNS-DGA.and.Websites-1)
There is a web page that seems to have all the names of the domains resolved by this malware: ftp://ftp.paudni.kemdiknas.go.id/pub/serbi/_gGg/all_domains.txt
Timeline
Thu Sept 23 12:42:41 ART 2010
Started the experiment
Analysis
This capture contains several infected PCs and normal PCs.
SMB
Conficker attempted to connect to port 445/tcp of several computers in the same network. These connections attempted to access the files on other computers and then upload infected exe files.
The file capture.botnet2.infected.1.only445.pcap contains only the packets to port 445/tcp. In this file you can see that the order of attacks is pretty confusing and it seems that every computer is attacking the rest at some point. However, it is possible to see how they are copying and uploading exe files to other computers. The complete set of files can be found in the folder /uploaded-infected-files/. These files are infected, as can be seen for the file __CURSO_PC18_WEB__Firefox_Portable_3.0.10_en-us.paf.exe in VirusTotal.
Disclaimer
These files were generated in the Stratosphere Lab as part of the Malware Capture Facility Project at CVUT University, Prague, Czech Republic. The goal is to store long-lived real botnet traffic and to generate labeled NetFlow files. For any question, feel free to contact us: Sebastian Garcia: sebastian.garcia@agents.fel.cvut.cz
You are free to use these files as long as you reference this project and the authors as follows: Garcia, Sebastian. Malware Capture Facility Project. Retrieved from https://stratosphereips.org