
What are the best bot detection tools?

Today, antimalware tools can detect hundreds of different bot variants using signature and heuristic techniques, but they aren't perfect. Ed Skoudis reveals some other options.

How does a bot show itself in a computer? Does it have a process, service or startup command that can easily be identified, or is it totally invisible? Is the best detection method similar to signature-based protection?

Bots have various artifacts that they leave on a computer. Nearly all of them have one or more processes that can be seen in Task Manager or in the output of the tasklist command. Some, but not all, use services that can be viewed in the services control panel. Some bots alter the startup settings so that they can launch themselves automatically when the system boots up or when a user logs on.

On a Windows XP, 2003 or Vista machine, you can check those autostart settings by going to Start => Run and typing 'msconfig.exe.' Since all of the bot families manifest themselves in different ways, though, there is no single bot attribute for which you can search. Also, if the bad guy installs a rootkit to conceal the bot, detection can be even more difficult.

I've written several articles on how to analyze a machine to see if malware has been installed, and those malware detection techniques certainly apply to bots as well. I don't want to reiterate those articles, but I'd like to point out an additional vector for bot detection and identification: a sniffer.

Several very good sniffers are available for free, including WinDUMP and Wireshark. These tools capture packets and display them to their users. Most bots have very distinctive network communication patterns, which a sniffer can observe. Ideally, you should install a sniffer on a separate machine, a computer that is different from the one that may be infected. You can then use a hub or a tap to monitor its communications to the Internet.

Even if you don't have a separate machine, you may be able to install the sniffer on the same box that you are analyzing. Most bots will let the sniffer run unimpeded, although some do hide traffic from a sniffer or even attack it as it runs.

Once the sniffer is running, look for anomalies in the network traffic. The more primitive bots use Internet Relay Chat on TCP port 6667 for their command and control channel. Others use a barrage of UDP packets for control. Most legit UDP traffic on a machine will either be DNS queries and responses or streaming audio or video. Other DNS results could be a concern.

In addition to showing the ports and protocols that a machine uses to communicate, a sniffer will also show the IP addresses that a machine is contacting. Look up those addresses to see what systems are on the other side. You can use a whois identification client, which is built into most Linux/Unix/Mac OS X machines; it is also freely available for Windows in many forms. You can also rely on a public page that does whois lookups. Type in the IP address, and that site will look up the associated organization. If your machine has taken up a sudden interest in a computer in some faraway country, one that you don't think it should be talking to, you may have a bot.
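As an added example (not from the original article), the short Python script below applies the checks described above to text output saved from a sniffer: it flags TCP port 6667 peers, counts UDP traffic that is not DNS, and lists every remote address for a whois lookup. It assumes tcpdump/WinDump-style `-n` output lines; the sample capture, its addresses and the function name `triage` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the style of `tcpdump -n` / `windump -n` text output.
# Addresses come from documentation ranges; 192.168.1.10 is the suspect host.
SAMPLE = """\
IP 192.168.1.10.1045 > 203.0.113.5.6667: Flags [S], seq 1, win 65535, length 0
IP 203.0.113.5.6667 > 192.168.1.10.1045: Flags [S.], seq 9, ack 2, win 5840, length 0
IP 192.168.1.10.1046 > 198.51.100.7.53: 4242+ A? www.example.com. (33)
IP 198.51.100.7.53 > 192.168.1.10.1046: 4242 1/0/0 A 192.0.2.80 (49)
IP 192.168.1.10.1050 > 203.0.113.9.4000: UDP, length 32
IP 192.168.1.10.1050 > 203.0.113.9.4000: UDP, length 32
IP 192.168.1.10.1051 > 192.0.2.80.80: Flags [S], seq 5, win 65535, length 0
"""

# "IP src.sport > dst.dport: rest" (assumed line layout, IPv4 only)
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")

def triage(capture, local_ip):
    """Return (irc_peers, odd_udp_peers, all_peers) for one host's traffic."""
    irc, odd_udp, peers = set(), Counter(), Counter()
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if local_ip not in (src, dst):
            continue
        # Identify the remote end regardless of packet direction.
        remote, rport = (dst, int(dport)) if src == local_ip else (src, int(sport))
        peers[remote] += 1
        if rest.startswith("Flags") and rport == 6667:
            irc.add(remote)          # IRC-style control channel candidate
        elif rest.startswith("UDP") and rport != 53:
            odd_udp[remote] += 1     # UDP that is not DNS: review, may be streaming
    return irc, odd_udp, peers

if __name__ == "__main__":
    irc, odd_udp, peers = triage(SAMPLE, "192.168.1.10")
    print("IRC (TCP 6667) peers:", sorted(irc))
    print("Non-DNS UDP peers:", dict(odd_udp))
    print("Addresses to look up with whois:", sorted(peers))
```

The flagged entries are leads for review rather than verdicts: streaming audio or video also produces non-DNS UDP, so each remote address still needs the whois check described above.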

As for the best detection mechanism, you are correct. Today, antivirus and antispyware tools can detect hundreds of different bot variants using signature and heuristic techniques, but they aren't perfect, especially since new bot software is developed and released every week. That's why I offer the sniffer approach above, in the event that the bot dodges an antivirus and antispyware tool.

More information:

  • Malware creators have upped the ante with peer-to-peer (P2P) botnets. Learn how to detect them.
  • Thinking about logging into a botnet control channel? Not so fast, says Ed Skoudis.
This was last published in October 2007
