At the Usenix Security Symposium in Boston Thursday morning, researcher Guofei Gu from the Georgia Institute of Technology unveiled a new application IT security pros can use to blunt the threat of bot infections.
BotHunter is outlined in a paper Gu wrote with fellow Georgia Tech researcher Wenke Lee, and Phillip Porras, Vinod Yegneswaran and Martin Fong from SRI International’s computer science lab.
The researchers say in their paper that BotHunter tracks “the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model.”
The paper goes on to say that BotHunter consists of a correlation engine driven by three malware-focused network packet sensors, each charged with detecting specific stages of the malware infection process, including inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, and outbound attack propagation.
The correlator ties together the dialog trail of inbound intrusion alarms with outbound communication patterns that are highly indicative of a successful local host infection, they say, adding, “When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.”
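To make the dialog-correlation idea concrete, the following Python model was written for this article; it is not BotHunter's code. It feeds constructed sensor alerts, each labelled with the infection stage it evidences, through a per-host evidence trail and emits a consolidated report when the trail matches a dialog model. The decision rule (an exploit alarm against a local host plus any outbound sign, or two distinct outbound signs on their own), the ten-minute pruning window, and the sample alerts are all assumptions made for illustration, not the thresholds from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass

# Infection dialog stages named in the article, in the order they occur.
# E1 and E2 are inbound evidence (an outside host acting on the victim);
# E3..E5 are outbound evidence (the victim itself talking out).
STAGES = {
    "E1": "inbound scan",
    "E2": "inbound exploit",
    "E3": "egg download",
    "E4": "bot coordination dialog",
    "E5": "outbound attack propagation",
}
OUTBOUND = frozenset({"E3", "E4", "E5"})


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds (constructed timeline)
    stage: str       # key into STAGES
    internal: str    # local host the evidence concerns
    external: str    # remote peer or target range
    detail: str      # free-form sensor message


def matches_dialog_model(stages):
    """Assumed rule for this example (not the paper's exact thresholds):
    a local exploit alarm (E2) plus at least one outbound sign, or two
    distinct outbound signs even when no inbound alarm was observed."""
    outbound = set(stages) & OUTBOUND
    return ("E2" in stages and bool(outbound)) or len(outbound) >= 2


def consolidate(host, evidence):
    """Build the consolidated report: every event and peer in the trail."""
    return {
        "host": host,
        "stages": sorted({e.stage for e in evidence}),
        "first_seen": evidence[0].ts,
        "last_seen": evidence[-1].ts,
        "external_peers": sorted({e.external for e in evidence}),
        "evidence": [
            f"{e.ts:.0f}s {e.stage} ({STAGES[e.stage]}) "
            f"{e.internal} <-> {e.external}: {e.detail}"
            for e in evidence
        ],
    }


def correlate(alerts, window=600.0):
    """Stream alerts in time order, keep a per-host trail pruned to
    `window` seconds, and declare a host infected the first time its
    trail matches the model; later alerts extend that host's report."""
    trails = defaultdict(list)
    infected = {}  # host -> all evidence since detection
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.stage not in STAGES:
            raise ValueError(f"unknown stage {a.stage!r}")
        trail = [x for x in trails[a.internal] if a.ts - x.ts <= window]
        trail.append(a)
        trails[a.internal] = trail
        if a.internal in infected:
            infected[a.internal].append(a)
        elif matches_dialog_model({x.stage for x in trail}):
            infected[a.internal] = list(trail)
    return {host: consolidate(host, ev) for host, ev in infected.items()}


# Constructed alerts (documentation address ranges), not real sensor output.
SAMPLE_ALERTS = [
    Alert(0.0,    "E1", "10.0.0.5",  "203.0.113.9",  "inbound scan of 135/tcp, 445/tcp"),
    Alert(5.0,    "E2", "10.0.0.5",  "203.0.113.9",  "exploit signature hit on 445/tcp"),
    Alert(20.0,   "E3", "10.0.0.5",  "198.51.100.7", "binary download over 80/tcp"),
    Alert(60.0,   "E4", "10.0.0.5",  "192.0.2.44",   "IRC-style dialog on 6667/tcp"),
    Alert(3.0,    "E1", "10.0.0.8",  "203.0.113.9",  "inbound scan of 445/tcp"),
    Alert(100.0,  "E4", "10.0.0.9",  "192.0.2.44",   "IRC-style dialog on 6667/tcp"),
    Alert(150.0,  "E5", "10.0.0.9",  "10.0.1.0/24",  "outbound scan of 445/tcp"),
    Alert(0.0,    "E2", "10.0.0.12", "203.0.113.9",  "exploit signature hit on 445/tcp"),
    Alert(5000.0, "E3", "10.0.0.12", "198.51.100.7", "binary download over 80/tcp"),
]

if __name__ == "__main__":
    for report in correlate(SAMPLE_ALERTS).values():
        print(report["host"], report["stages"], report["external_peers"])
        for line in report["evidence"]:
            print("   ", line)
```

In the sample data, 10.0.0.5 is reported once the egg download follows the exploit hit, and the later coordination dialog is folded into the same report; 10.0.0.9 is reported on two outbound signs alone, which is the case where the infection vector was never seen at the perimeter; 10.0.0.8 (a lone scan) and 10.0.0.12 (an exploit hit whose download arrives long after the window) produce nothing, which is the point of correlating a dialog rather than alerting on single events.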
BotHunter is available both for operational use and to help stimulate research in understanding the lifecycle of malware infections, Gu says.
Marcus Sachs of the SANS Internet Storm Center (ISC) wrote about BotHunter on the ISC Web site last week, calling it “a pretty cool new tool that will quickly locate bot traffic inside a network.”
Sachs noted that a government/military version of it has been in use successfully for about a month. “BotHunter introduces a new kind of passive network perimeter monitoring scheme, designed to recognize the intrusion and coordination dialog that occurs during a successful malware infection,” he wrote. “It employs a novel dialog-based correlation engine (patent pending), which recognizes the communication patterns of malware-infected computers within your network perimeter.”
“They are detecting dozens of new infections each day and this site is very helpful in understanding the behavior of the received malware,” he wrote. “Also, it generates a nice list of potentially evil IP addresses and DNS queries.”