BotHunter®
Sample Malware Analyses
Last Update: 05 June 2009
www.bothunter.net
Here are some recent sample analyses from various malware currently propagating on the Internet.
Table Fields:
Malware - A best-guess label for the malware strain or family.
Monitor Start - In these experiments we allowed BotHunter to monitor hosts prior to and during the malware infection process (Pre-Infection), and to monitor hosts that had already been infected before BotHunter was started (Post-Infection).
BotHunter Score - Bot declaration occurs with a BH Score of 0.8 or greater.
Dialog Events - The Snort dialog events generated from the packet trace file; the table shows the event count for each sample as dialogs=N.
BotProfile - The bot infection profile produced by BotHunter.
Unix Users: If you wish to download and run these dialog event sample files through your BotHunter installation, you should add the following trusted_net.properties file to the directory where you have stored the dialog event files.
| # | Malware | Monitor Start | BotHunter Score | Dialog Events | BotProfile |
|---|---------|---------------|-----------------|---------------|------------|
| 1 | AdRotator1.A | Post-Infection | 1.5 | dialogs=117 | See Profile |
| 2 | Adload-Trojan.bp | Post-Infection | 2.8 | dialogs=865 | See Profile |
| 3 | Adload.bp | Post-Infection | 2.8 | dialogs=1379 | See Profile |
| 4 | Agobot1.ACM | Post-Infection | 1.8 | dialogs=724 | See Profile |
| 5 | Agobot2 | Post-Infection | 1.8 | dialogs=730 | See Profile |
| 6 | Allaple.1 | Post-Infection | 1.8 | dialogs=232 | See Profile |
| 7 | Allaple1.A | Post-Infection | 1.8 | dialogs=948 | See Profile |
| 8 | Allaple | Post-Infection | 1.3 | dialogs=926 | See Profile |
| 9 | Baidu | Post-Infection | 2.3 | dialogs=504 | See Profile |
| 10 | Bombarder.DoS | Post-Infection | 1.5 | dialogs=574 | See Profile |
| 11 | Cheburgen.A | Pre-Infection | 2.6 | dialogs=16 | See Profile |
| 12 | Gobot | Post-Infection | 1.3 | dialogs=1855 | See Profile |
| 13 | Grum | Post-Infection | 1.5 | dialogs=1059 | See Profile |
| 14 | IRC733 | Post-Infection | 1.0 | dialogs=204 | See Profile |
| 15 | IRCBot.ABHQ | Post-Infection | 1.8 | dialogs=602 | See Profile |
| 16 | Kolabc.NetWorm | Pre-Infection | 2.3 | dialogs=26 | See Profile |
| 17 | Korgo.N | Pre-Infection | 2.8 | dialogs=19 | See Profile |
| 18 | Korgo | Post-Infection | 2.6 | dialogs=15 | See Profile |
| 19 | Kraken_1 | Post-Infection | 1.0 | dialogs=73 | See Profile |
| 20 | Lewor.Z | Post-Infection | 2.0 | dialogs=1270 | See Profile |
| 21 | MSNbot | Post-Infection | 1.3 | dialogs=478 | See Profile |
| 22 | Mimail | Post-Infection | 1.0 | dialogs=1270 | See Profile |
| 23 | Mytob | Post-Infection | 2.3 | dialogs=245 | See Profile |
| 24 | Nachi | Pre-Infection | 2.1 | dialogs=12 | See Profile |
| 25 | NetWorm | Post-Infection | 1.2 | dialogs=581 | See Profile |
| 26 | Netsky | Post-Infection | 1.5 | dialogs=416 | See Profile |
| 27 | Nugache | Post-Infection | 1.3 | dialogs=805 | See Profile |
| 28 | P2P.Backterra.D | Pre-Infection | 1.0 | dialogs=38935 | See Profile |
| 29 | Padobot.Z | Pre-Infection | 0.8 | dialogs=10 | See Profile |
| 30 | Pakes.cfj | Post-Infection | 1.5 | dialogs=1177 | See Profile |
| 31 | Peacomm-Storm | Post-Infection | 1.3 | dialogs=1220 | See Profile |
| 32 | Plexus | Pre-Infection | 2.1 | dialogs=13 | See Profile |
| 33 | Protoride | Post-Infection | 1.5 | dialogs=720 | See Profile |
| 34 | Rbot.Klone | Pre-Infection | 1.6 | dialogs=29 | See Profile |
| 35 | Sinit | Post-Infection | 1.5 | dialogs=615 | See Profile |
| 36 | Siwbg | Post-Infection | 2.0 | dialogs=550 | See Profile |
| 37 | Slaper.Trojan | Pre-Infection | 1.3 | dialogs=11 | See Profile |
| 38 | Sobit.F | Post-Infection | 1.0 | dialogs=757 | See Profile |
| 39 | Sobit | Post-Infection | 1.0 | dialogs=530 | See Profile |
| 40 | Spy11 | Post-Infection | 1.5 | dialogs=235 | See Profile |
| 41 | Spy12 | Post-Infection | 2.8 | dialogs=72 | See Profile |
| 42 | Spy21 | Post-Infection | 1.5 | dialogs=154 | See Profile |
| 43 | Spy22 | Post-Infection | 2.8 | dialogs=74 | See Profile |
| 44 | Spyware1 | Post-Infection | 1.5 | dialogs=381 | See Profile |
| 45 | Spyware2 | Post-Infection | 2.8 | dialogs=262 | See Profile |
| 46 | Spywat | Post-Infection | 1.3 | dialogs=245 | See Profile |
| 47 | Stamler.Trojan | Pre-Infection | 2.1 | dialogs=14 | See Profile |
| 48 | Storm | Post-Infection | 1.8 | dialogs=780 | See Profile |
| 49 | Surlia.AW | Pre-Infection | 2.6 | dialogs=21 | See Profile |
| 50 | Trojan-Dropper | Post-Infection | 1.8 | dialogs=398 | See Profile |
| 51 | Virtool.DelfInject.T | Pre-Infection | 2.3 | dialogs=23 | See Profile |
| 52 | Virut.N | Pre-Infection | 2.3 | dialogs=20 | See Profile |
| 53 | Virut | Post-Infection | 1.8 | dialogs=223 | See Profile |
| 54 | Welchia | Pre-Infection | 1.3 | dialogs=8 | See Profile |
| 55 | Wootbot | Pre-Infection | 3.1 | dialogs=16 | See Profile |
| 56 | Zbot.bzc | Post-Infection | 2.3 | dialogs=702 | See Profile |
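As an added example (not code from this page or from SRI's BotHunter), the script below parses rows laid out like the table above, applies the declaration rule given in the field descriptions (a BH Score of 0.8 or greater), and compares the Pre-Infection and Post-Infection groups by dialog count and score. The nine rows embedded in it are a hand-copied subset of this page's table; the pipe layout, the column order, and the use of Decimal for the threshold comparison are assumptions made for the example, not something the BotHunter tool specifies.

```python
"""Apply BotHunter's bot-declaration rule (score >= 0.8) to rows of the
sample-analysis table and summarize Pre- vs Post-Infection captures.

Added example, not BotHunter's own code. SAMPLE_TABLE is a constructed
subset copied by hand from the table on this page; the pipe layout and
column order are assumed to match that table.
"""
from dataclasses import dataclass
from decimal import Decimal
from statistics import median

# From the page's "BotHunter Score" field: declaration at 0.8 or greater.
DECLARATION_THRESHOLD = Decimal("0.8")

# Constructed sample: a hand-copied subset of the page's table, one row per line.
SAMPLE_TABLE = """\
| 11 | Cheburgen.A     | Pre-Infection  | 2.6 | dialogs=16    | See Profile |
| 12 | Gobot           | Post-Infection | 1.3 | dialogs=1855  | See Profile |
| 17 | Korgo.N         | Pre-Infection  | 2.8 | dialogs=19    | See Profile |
| 18 | Korgo           | Post-Infection | 2.6 | dialogs=15    | See Profile |
| 28 | P2P.Backterra.D | Pre-Infection  | 1.0 | dialogs=38935 | See Profile |
| 29 | Padobot.Z       | Pre-Infection  | 0.8 | dialogs=10    | See Profile |
| 54 | Welchia         | Pre-Infection  | 1.3 | dialogs=8     | See Profile |
| 55 | Wootbot         | Pre-Infection  | 3.1 | dialogs=16    | See Profile |
| 56 | Zbot.bzc        | Post-Infection | 2.3 | dialogs=702   | See Profile |
"""


@dataclass(frozen=True)
class Sample:
    index: int
    malware: str
    monitor_start: str   # "Pre-Infection" or "Post-Infection"
    score: Decimal       # BotHunter (BH) score
    dialogs: int         # number of Snort dialog events in the trace

    @property
    def declared(self) -> bool:
        # ">= 0.8": a score of exactly 0.8 (Padobot.Z) still declares.
        # Decimal keeps the boundary test free of binary-float rounding.
        return self.score >= DECLARATION_THRESHOLD


def parse_table(text: str) -> list:
    """Parse pipe-delimited rows; malformed rows raise instead of being skipped."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 columns, got {len(cells)}: {line!r}")
        idx, name, start, score, dialogs, _profile = cells
        if start not in ("Pre-Infection", "Post-Infection"):
            raise ValueError(f"unknown Monitor Start value {start!r}")
        if not dialogs.startswith("dialogs="):
            raise ValueError(f"bad Dialog Events cell {dialogs!r}")
        samples.append(Sample(int(idx), name, start, Decimal(score),
                              int(dialogs[len("dialogs="):])))
    return samples


def declared_bots(samples) -> list:
    """Names of the samples that meet the declaration threshold, in table order."""
    return [s.malware for s in samples if s.declared]


def summarize_by_start(samples) -> dict:
    """Row count and median dialog count / score for each Monitor Start group."""
    out = {}
    for start in ("Pre-Infection", "Post-Infection"):
        group = [s for s in samples if s.monitor_start == start]
        if group:
            out[start] = {
                "n": len(group),
                "median_dialogs": median(s.dialogs for s in group),
                "median_score": median(s.score for s in group),
            }
    return out


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    print("declared:", declared_bots(rows))
    for start, stats in summarize_by_start(rows).items():
        print(start, stats)
```

Padobot.Z, at exactly 0.8, is the boundary case and is declared because the rule is "0.8 or greater". In this subset, as in the full table, most Pre-Infection captures reach declaration with far fewer dialog events than the Post-Infection ones; P2P.Backterra.D is the outlier, with a large dialog count and a comparatively low score.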
SRI International http://www.bothunter.net
