GT Malware Passive DNS Data Daily Feed (07/01/2015 to 12/31/2017)
Source: DataCite Commons. Updated 2020-09-18. Indexed 2025-04-09.
Download link:
https://www.impactcybertrust.org/dataset_view?idDataset=520
Description:
This dataset contains a daily feed of passive DNS data produced by the Georgia Tech Information Security Center's malware analysis system. It is produced by executing suspect Windows executables in a sterile, isolated environment, with limited access to the Internet, for a short period of time. Each sample's use of the DNS is recorded and made available in both raw (packet capture, or PCAP) and plaintext formats. The plaintext format, which contains a subset of information present in the PCAP files, is represented as a series of CSV files named according to the date on which a given set of executables was processed. Each file comprises a series of 3-tuples that provide the executable's MD5 hash, the qname (domain name) of the DNS query, and (if the query was of type A) a resolution IP address for the domain name. Note that in the plaintext format, for a given MD5 and qname there is at most one resolution IP address provided, even if the query resulted in a response record set that contains multiple resolution addresses.
This dataset is structured as a set of archives that each correspond to a single day of sample processing-based DNS data collection. Each archive decompresses to a top-level folder containing a CSV file (the plaintext format) and a PCAP subdirectory (the raw format) for that day. The contents of the CSV file are sorted by executable MD5, qname, and resolution IP address. The PCAP subdirectory contains a set of PCAP files that are each named according to the MD5 of the sample that generated the corresponding DNS traffic it contains.
Provider:
IMPACT
Created:
2017-05-02



