The malware infections displayed in these summary tables were harvested live from the SRI high-interaction honeynet. Our honeynet Drone Manager detects whenever a honeypot is infected, and we then auto-capture all network communications and host modifications. For each malware infection, the tables capture:
Daily Summary Files:
The set of [DNS Lookups], [Attacker IP] addresses, and [C&C Servers] that were observed from the set of host infections on this day.

Cumulative Summary Files:
The comprehensive sets of [DNS Lookups], [Attacker IP] addresses, and [C&C Servers] that were observed from all infections listed on this website. In addition, the [Antivirus Detection] list summarizes the true positive detection rates of all antivirus results produced from the Antivirus Labels columns of the daily tables. The [Code Segment Overlap] list identifies code segments with common API and opcode sequences, along with the unpacked MD5 malware binaries that use these code sequences.
Daily Infection Table Column Descriptions
Time

Victim OS - the OS version run by the infected honeypot

Infection Source - the infection source country code and IP address

C&C Address - the C&C address, shown when we observe the C&C channel

DNS Lookups - all country codes and hostnames looked up by the malware. Usually these addresses are the egg download site or the C&C address. NOTE: for the comprehensive set of DNS names embedded in the malware binary, see the Data Strings column

Infection Port - the network service port through which the infection is transmitted

Packet Trace - the entire libpcap packet trace file that includes all packet streams observed during the malware infection

Detection Signatures - the BotHunter sensor alerts that fired during the infection, and the isolated list of all Snort rules that generated this alert set
Infection Chatter - the strings exchanged by the attacker and victim during the infection process. Often, this includes the egg download commands or scripts, and the egg binary name. The attacker and victim tags identify who produced each chatter line. We try to guess which protocols are involved and the number of lines that are observed
BotHunter Score - BotHunter's detection score while observing this infection (a score less than 0.8 represents a missed detection). When there is a missed detection, the entire infection row is highlighted in orange

BotHunter Profile - the BotHunter profile that was auto-produced during this infection

Forensic Logs - a summary of the system alterations performed during the infection: executables dropped, listen ports opened, processes created, registry modifications. In addition, the tarball link contains an archive of all files dropped by the malware onto the infected host, and the raw detailed forensic logs

Antivirus Label - the malware binary downloaded to the victim machine is tested by a suite of up to 31 different malware detection products, and their detection results and labels are contained in this link. This data was produced from results provided by www.virustotal.com

Packed Egg.exe - the original infection binary plucked directly from the packet stream (usually packed and obfuscated). The cell shows the first 10 digits of the MD5 hash; the full MD5 hash is embedded in the filename

Unpacked Egg.exe - the unpacked version of the packed egg, as produced by the SRI binary unpacking system, Eureka. The cell shows the first 10 digits of the MD5 hash; the full MD5 hash is embedded in the filename. The cell is color coded to indicate 1) Green: unpacking was successful, 2) Yellow: unpacking was successful, but the binary still appears to be obfuscated, 3) Red: Eureka was unsuccessful in unpacking this binary. Our unpack log status indicator is appended to the MD5 filename

Unpacked Egg.asm - the unpacked, disassembled source code of the malware binary. We include an auto-generated call graph with hyperlinks into an assembly index file. This assembly index file identifies all code segments within the assembly file; all API calls and associated data segment references are shown

Packer PEID - detection results of which packer was used to pack the original malware binary

Data Strings - for each successfully unpacked malware egg, we present the reassembled strings that were found in the data segment, and isolate all DNS references that were found inside the malware binary

Syscall Trace - the ordered syscall trace of a dynamic execution run of the malware binary. This includes the identification of all threads, and the arguments used by each syscall. For each syscall, the top table indicates how many times the syscall is observed during the execution trace (Red: once, Purple: less than 5, Blue: 5 or more).