Home > Security Tips > Scott Sidel's Downloads
Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

SCOTT SIDEL'S DOWNLOADS

Use BotHunter for botnet detection


Scott Sidel, Contributor
12.22.2008
Rating: -4.38- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


The biggest threat is usually the one you don't see. If the IDS is quiet and all seems well, maybe the smartest adversaries are simply working under the radar, perhaps using one of their favorite tools: botnets. Botnets, typically run for profit, consist of thousands of compromised computers running malicious code under the control of an unseen botnet operator; a bot infection may occur from opening a poisoned email or visiting a poisoned Web page containing surreptitious malicious code.

This is why BotHunter was created. From the labs of SRI International, the Army Research Office and the National Science Foundation, BotHunter works to discover stealth botnet activity on the network. BotHunter attempts to uncover compromised machines by gathering information from numerous sensors around the world looking for the telltale signatures of bot activity.

BotHunter uses specialized malware packet sensors, which look for scanning, exploit patterns, code downloading, bot coordination communications and outbound attack launches. By comparing these known botnet traffic patterns to the traffic flows within the trusted network, it can alert users when it detects suspicious botnet activity.

BotHunter differs from traditional IDS in its methods of detecting activity through "infection-dialog-based" activity: the command and control communication patterns used by botnets. Although nothing triggers the antivirus, BotHunter notices when a computer is attempting to contact several email servers and UDP traffic is going to several computers, such as those known to belong to a Russian criminal network that is being monitored by BotHunter. BotHunter...



uses this information to assign a score to events; the display console logs the forensic evidence, listing the infected machines, botnet control servers, malicious code-download servers and details about outbound scanning that newly infected machines may be performing.

BotHunter is free, but closed source. It is available for Windows, Linux and Mac platforms. During installation, BotHunter requires an input of the IP address range of the trusted network, SMPT servers and DNS servers. Once installed, BotHunter examines traffic that traverses the NIC card you specify. Mostly it listens passively, but from time to time BotHunter initiates outbound communications to automated threat services run by SRI. BotHunter also pulls updates for the botnet command and control blacklist, malware DNS list and new malware-detection rules. This allows BotHunter to maintain awareness of the latest botnet operator servers, malware-associated DNS lookups, known-bad server addresses and malware back-door control ports. BotHunter sends anonymous data associated with detected botnet activity, malware-download sites, exploit servers and detection patterns, but it does not report any IP addresses from your trusted network. SRI states that neither they nor their affiliates track your specific network information.

BotHunter is one of a few tools that can help discover operating botnets within a network. Its distributed intelligence model and the ease of operation should get it into more hands, which will aid its usefulness in detecting and combating the vast array of cybercriminal enterprises plaguing the Internet.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.

Rate this Tip
To rate tips, you must be a member of SearchSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




BROWSE BY TAG
Scott Sidel's Downloads,   Malware, Viruses, Trojans and Spyware,   Information Security Threats,   Network Intrusion Detection and Analysis,   Network Behavior Anomaly Detection (NBAD),   Enterprise Network Security,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Scott Sidel's Downloads
Review system event logs with Splunk
FISMA compliance made easier with OpenFISMA
Ophcrack: Password cracking made easy
Enigmail: Wrapping email in a digital security blanket
Secure file copying with WinSCP
FreeRADIUS: Acing a secure connection
Spiceworks: Free network monitoring and management with a little zest
VirusTotal: On-demand antivirus service scans malicious files
Shining a spotlight on rootkits
Closing the case on network firewall security with IPCop

Malware, Viruses, Trojans and Spyware
New Zeus spam poses as Social Security statements
Increase in Gumblar backdoors poses FTP credential problems
Hackers to sharpen malware, malicious software in 2010
iPhone worm Rickrolls jailbroken phones
Israeli Mossad add Trojan Horse to Syrian laptop
Schneier-Ranum Face-Off: Is antivirus dead?
Modern malware, stealthy botnets, adapt quickly, expert says
Computer worm infections up, scareware antivirus down, Microsoft says
Web-based attacks skyrocket, pirating sites surge, security firms say
Mini guide: How to remove and prevent Trojans, malware and spyware

Network Behavior Anomaly Detection (NBAD)
Trend Micro to acquire Third Brigade for virtualization, cloud security
Is centralized logging worth all the effort?
How helpful is the centralized logging of network flow data?
Can reputation services be applied to network security?
SIM and NBA product combination is powerful
Can network behavior anomaly detection (NBAD) products stop rootkits?
Sourcefire, Nmap deal to open vulnerability scanning
Sourcefire expands strategy in effort to leverage its network real estate
Combining NetFlow analysis with security information management systems
Security information management finally arrives, thanks to enhanced features

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
bot worm  (SearchSecurity.com)
directory traversal  (SearchSecurity.com)
government Trojan  (SearchSecurity.com)
Kraken  (SearchSecurity.com)
man in the browser  (SearchSecurity.com)
polymorphic malware  (SearchSecurity.com)
RAT (remote access Trojan)  (SearchSecurity.com)
RavMonE virus  (SearchSecurity.com)
RFID virus  (SearchSecurity.com)
Rock Phish  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.



Research Solutions for Network Security, Access Control and Security Threats
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts