Researchers at SRI International announced a free tool this week that can help organizations battle botnets by tracking down infected hosts in their network.
BotHunter monitors the two-way communication flows between compromised computers and external attackers and develops an evidence trail to identify botnet activity. The tool has a correlation engine that uses a customized version of Snort to track inbound scanning, outbound attack propagation and other activity that happens during the infection process.
The tool, which was first unveiled last year at the Usenix Security Symposium in Boston, now supports multiple operating systems and has new features, including a dynamic updating protocol, said Phillip Porras, enterprise and infrastructure security program developer at Menlo Park, Calif.-based SRI and lead developer of the BotHunter project.
So far, there have been about 35,000 downloads of BotHunter, he said.
In addition to Linux, the tool is supported on Windows XP, FreeBSD and Mac OS X. The dynamic updating protocol allows SRI to regularly push new command-and-control (C&C) rules and other detection rules to BotHunter deployments on a daily or weekly basis.
BotHunter also now has a graphical user interface to simplify management and the ability to see malware-related DNS queries, Porras said.
The tool, which is