What are the best bot detection tools?

BROWSE BY TAG Network Intrusion Detection and Analysis,   Enterprise Network Security,   Monitoring Network Traffic and Network Forensics,   Malware, Viruses, Trojans and Spyware,   Expert Archive: Information Security Threats,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Monitoring Network Traffic and Network Forensics Preventing SQL injection attacks: A network admin's perspective Breach prevention: How to keep track of data and applications Researchers find thousands of flawed embedded devices Network traffic collection, analysis helps prevent data breaches Lifecycle of a network security vulnerability Port scan attack prevention best practices How to prevent network sniffing and eavesdropping DoD urges less network anonymity, more PKI use Chained Exploits: How to prevent phishing attacks from corporate spies PCI compliance requirement 10: Auditing Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated Expert Archive: Information Security Threats The telltale signs of a network attack Will Google Chrome enhance overall browser security? Are there antivirus suites that pick up more than just run-of-the-mill viruses? What tools can a hacker use to crack a laptop password? Are social networking sites an easy target for malicious hackers? What are the dangers of cross-site request forgery attacks (CSRF)? Should social engineering tests be included in penetration testing? What kind of data is compromised during a Google hack? Best practices for using restriction policy whitelists Defining mobile device security concerns

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bridge  (SearchSecurity.com) computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) footprinting  (SearchSecurity.com) information signature  (SearchSecurity.com) inverse mapping  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) network forensics  (SearchSecurity.com) promiscuous mode  (SearchSecurity.com) snoop server  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Bots have various artifacts that they leave on a computer. Nearly all of them have one or more processes that can be seen in Task Manager or in the output of the tasklist command. Some, but not all, use services that can be viewed in the services control panel. Some bots alter the startup settings so that they can launch themselves automatically when the system boots up or when a user logs on.

On a Windows XP, 2003 or Vista machine, you can check those autostart settings by going to Start => Run and typing 'msconfig.exe.' Since all of the bot families manifest themselves in different ways, though, there is no single bot attribute for which you can search. Also, if the bad guy installs a rootkit to conceal the bot, detection can be even more difficult.

I've written several articles on how to analyze a machine to see if malware has been installed, and those malware detection techniques certainly apply to bots as well. I don't want to reiterate those articles, but I'd like to point out an additional vector for bot detection and identification: a sniffer.

Several very good sniffers are available for free, including WinDUMP and Wireshark. These tools capture packets and display them to their users. Most bots have very distinctive network communication patterns, which a sniffer can observe. Ideally, you should install a sniffer on a separate machine, a computer that is different from the one that may be infected. You can then use a hub or a tap to monitor its communications to the Internet.

Even if you don't have a separate machine, you may be able to install the sniffer on the same box that you are analyzing. Most bots will let the sniffer run unimpeded, although some do hide traffic from a sniffer or even attack it as it is runs.

Once the sniffer is running, look for anomalies in the network traffic. The more primitive bots use Internet Relay Chat on TCP port 6667 for their command and control channel. Others use a barrage of UDP packets for control. Most legit UDP traffic on a machine will either be DNS queries and responses or streaming audio or video. Other DNS results could be a concern.

In addition to showing the ports and protocols that a machine uses to communicate, a sniffer will also show the IP addresses that a machine is contacting. Look up those addresses to see what systems are on the other side. You can use a whois identification client, which is built into most Linux/Unix/Mac OS X machines; it is also freely available for Windows in many forms. You can also rely on a public page that does whois lookups. Type in the IP address, and that site will look up the associated organization. If your machine has taken up a sudden interest in a computer in some faraway country, one that you don't think it should be talking to, you may have a bot.

As for the best detection mechanism, you are correct. Today, antivirus and antispyware tools can detect hundreds of different bot variants using signature and heuristic techniques, but they aren't perfect, especially since new bot software is developed and released every week. That's why I offer the sniffer approach above, in the event that the bot dodges an antivirus and antispyware tool.

More information: