DISCLAIMER: The traces in this directory contain real attacks, captured
in the wild, targeting real production systems (not honeypots). They are
provided "as is" - please use them carefully.
Name                           Last modified      Size
20070116_161542_port445.pcap   14-May-2007 16:30  9k
20070127_193144_port445.pcap   14-May-2007 16:30  6k
20070212_104836_port135.pcap   14-May-2007 16:30  3k
20070304_215131_port80.pcap    14-May-2007 16:30  2k
20070305_131920_port2967.pcap  14-May-2007 16:30  5k
20070329_082350_port2967.pcap  14-May-2007 16:30  5k
20070330_074616_port445.pcap   14-May-2007 16:30  9k
20070417_103509_port445.pcap   14-May-2007 16:30  6k
20070423_115515_port139.pcap   14-May-2007 16:30  5k
20070507_112854_port445.pcap   14-May-2007 16:30  8k
20070507_114400_port445.pcap   14-May-2007 16:30  4k
20070507_130240_port1025.pcap  14-May-2007 16:30  2k
20070507_141755_port445.pcap   14-May-2007 16:30  5k
20070507_145032_port445.pcap   14-May-2007 16:30  8k
20070510_171203_port445.pcap   14-May-2007 16:30  6k
20070514_140648_port139.pcap   14-May-2007 16:30  4k
20070514_153221_port139.pcap   14-May-2007 16:30  6k
20070828_221617_port143.pcap   30-Aug-2007 18:40  2k
Here you can find network traces of attacks captured at various LOBSTER passive
monitoring sensors [1]. The attacks were detected in the wild [5] by the
prototype implementation of the Network-level Emulation attack detection method
[2, 3], which identifies the presence of self-modifying polymorphic shellcode
in network streams. We have focused on providing a few diverse traces of
attacks against different services and using different exploits or shellcodes,
rather than providing a bulk of almost identical attack instances.
Trace details
All files are full payload traces in libpcap format. Each trace corresponds to
a single attack attempt and contains all packets of the network flow (5-tuple)
of the particular attack instance, including the initial TCP 3-way handshake.
Traces are named in the form [date]_[time]_[dstport].pcap, where [dstport] is
the port number of the attacked service.
Anonymization
Every effort has been made to anonymize the traces and remove any sensitive
personal or professional information. All traces have been anonymized using
anontool [6] and netdude [7] as follows: MAC addresses have been zeroed and IP
addresses have been mapped to fake addresses (usually 1.0.0.1 for the attacking
host and 1.0.0.2 for the victim host). Any other payload data that could reveal
the attacking or victim hosts has also been anonymized - e.g., the HTTP 'Host'
field is changed to a fake address:
Host: 10.123.12.123\r\n
while various SMB or DCERPC fields that contain IP addresses, host names, or
other identifiers are sanitized - e.g.:
principal: xxxxxx$@XXXXXX.XXX
Server NetBIOS Name: XXXXXX
Domain DNS Name: xxxxxx.xxx
Path: \\10.123.12.12\IPC$
The checksums of all modified packets have been fixed accordingly.
Please note that in most cases, the encrypted shellcode (which is exposed only
at runtime) may contain the IP address or URL of a "seeding" host from which
the actual malware executable is downloaded. We have avoided including attack
traces in which the encrypted shellcode contains information about a real host.
Such information cannot be easily anonymized, since it is not exposed on the
wire. Thus, here you will find only attacks that use either a bindshell or
similar "listening" shellcodes, or that do contain some "download and execute"
shellcode, but only of instances where it (mistakenly) tried to connect to a
non-existent or private address (e.g., http://0.0.0.0/foo.exe). Since most of
the attacks in the wild do contain a download and execute shellcode, this
severely limits the number of traces we can make available. For this reason, we
have also included a few traces in which we have manually sanitized the
encrypted seeding URL (e.g., http://xxxxxx.xxx/1.exe) by reverse engineering
the encryption algorithm [4].
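The properties stated under "Trace details" and "Anonymization" above (one
5-tuple flow per file opened by a TCP 3-way handshake, zeroed MAC addresses,
endpoints rewritten to fake addresses, checksums fixed afterwards) can be
checked mechanically before a trace is shared or loaded into analysis tools.
The following Python audit is an added example and is not part of the LOBSTER
collection, anontool or netdude. It parses libpcap with nothing but the
standard library, and builds its own constructed handshake trace inline so it
runs offline. The 1.0.0.0/24 range used for the fake-address check is an
assumption derived from the "usually 1.0.0.1 / 1.0.0.2" remark above; adjust
FAKE_NET if a trace uses a different mapping.

```python
# Added example (not LOBSTER/anontool/netdude code): audit a libpcap trace for
# the properties the README states about these files.
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10
FAKE_NET = ipaddress.ip_network("1.0.0.0/24")   # assumed range of the fake addresses


def ones_complement_sum(data):
    """RFC 1071 Internet checksum; a header whose checksum is valid yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed MACs and valid checksums (constructed input)."""
    sb, db = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = sb + db + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, sb, db)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp    # zeroed dst/src MAC, EtherType IPv4


def build_pcap(frames, ts0=1168963000):
    """Little-endian libpcap file: global header plus one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data):
    """Return the link-layer frames of a libpcap file, detecting its byte order."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet libpcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def audit_trace(data):
    """Check one trace against the README's stated properties; returns a report dict."""
    flows, macs_zeroed, fake_ips, checksums_ok = set(), True, True, True
    saw_syn = saw_synack = saw_ack = False
    for frame in parse_pcap(data):
        if frame[:12] != b"\x00" * 12:           # destination MAC + source MAC
            macs_zeroed = False
        if frame[12:14] != b"\x08\x00":
            continue                              # only IPv4 is audited here
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ones_complement_sum(ip[:ihl]) != 0:
            checksums_ok = False
        src, dst = ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])
        if src not in FAKE_NET or dst not in FAKE_NET:
            fake_ips = False
        if ip[9] != 6:
            continue                              # TCP only
        tcp = ip[ihl:total_len]
        pseudo = src.packed + dst.packed + struct.pack("!BBH", 0, 6, len(tcp))
        if ones_complement_sum(pseudo + tcp) != 0:
            checksums_ok = False
        sport, dport = struct.unpack("!HH", tcp[:4])
        flows.add(frozenset({(str(src), sport), (str(dst), dport)}))  # bidirectional key
        syn, ack = bool(tcp[13] & TCP_SYN), bool(tcp[13] & TCP_ACK)
        if syn and not ack:
            saw_syn = True
        elif syn and ack and saw_syn:
            saw_synack = True
        elif ack and not syn and saw_synack:
            saw_ack = True
    return {"flows": len(flows), "macs_zeroed": macs_zeroed, "fake_ips": fake_ips,
            "checksums_ok": checksums_ok, "handshake": saw_syn and saw_synack and saw_ack}


def sample_trace():
    """Constructed 1.0.0.1 -> 1.0.0.2:445 handshake plus one data segment (not a real capture)."""
    a, v = "1.0.0.1", "1.0.0.2"
    return build_pcap([
        build_tcp_frame(a, v, 3312, 445, TCP_SYN, seq=1000),
        build_tcp_frame(v, a, 445, 3312, TCP_SYN | TCP_ACK, seq=5000, ack=1001),
        build_tcp_frame(a, v, 3312, 445, TCP_ACK, seq=1001, ack=5001),
        build_tcp_frame(a, v, 3312, 445, TCP_PSH | TCP_ACK, seq=1001, ack=5001,
                        payload=b"\x00\x00\x00\x04\xffSMB"),
    ])


if __name__ == "__main__":
    print(audit_trace(sample_trace()))
```

To audit a file from this directory, pass `open(name, "rb").read()` to
`audit_trace`; a report with `checksums_ok` false after an address rewrite is
the symptom the README's "checksums have been fixed accordingly" step exists to
prevent, and `flows` greater than 1 means the file holds more than the single
attack flow the README promises.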
Contact
Michalis Polychronakis, mikepo@ics.[see URL]
References
[1] The LOBSTER Project. http://www.ist-lobster.org
[2] Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos.
Network-level Polymorphic Shellcode Detection using Emulation. In
Proceedings of the Third Conference on Detection of Intrusions and Malware
& Vulnerability Assessment (DIMVA), July 2006, Berlin, Germany.
[3] Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos.
Emulation-based Detection of Non-self-contained Polymorphic Shellcode. In
Proceedings of the 10th International Symposium on Recent Advances in
Intrusion Detection (RAID), September 2007, Queensland, Australia.
[4] Michael Foukarakis, Demetres Antoniades, and Michalis Polychronakis.
Deep packet anonymization. In Proceedings of the European Workshop on
System Security (EuroSec), March 2009.
[5] Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos.
An empirical study of real-world polymorphic code injection attacks. In
Proceedings of the 2nd USENIX Workshop on Large-scale Exploits and Emergent
Threats (LEET), April 2009.
[6] Anontool. http://www.ics.forth.gr/dcs/Activities/Projects/anontool.html
[7] NetDude. http://netdude.sourceforge.net/