Problem solve Get help with specific problems with your technologies, process and projects.

Use BotHunter for botnet detection

Got bots? Hopefully not, but how can you be sure? Learn about botnet detection with the help of a free tool, BotHunter. This can keep your computers from participating in a botnet and subsequently leaking data.

The biggest threat is usually the one you don't see. If the IDS is quiet and all seems well, maybe the smartest...

adversaries are simply working under the radar, perhaps using one of their favorite tools: botnets. Botnets, typically run for profit, consist of thousands of compromised computers running malicious code under the control of an unseen botnet operator; a bot infection may occur from opening a poisoned email or visiting a poisoned Web page containing surreptitious malicious code.

This is why BotHunter was created. From the labs of SRI International, the Army Research Office and the National Science Foundation, BotHunter works to discover stealth botnet activity on the network. BotHunter attempts to uncover compromised machines by gathering information from numerous sensors around the world looking for the telltale signatures of bot activity.

Don't miss need-to-know info!

BotHunter uses specialized malware packet sensors, which look for scanning, exploit patterns, code downloading, bot coordination communications and outbound attack launches. By comparing these known botnet traffic patterns to the traffic flows within the trusted network, it can alert users when it detects suspicious botnet activity.

BotHunter differs from traditional IDS in its methods of detecting activity through "infection-dialog-based" activity: the command and control communication patterns used by botnets. Although nothing triggers the antivirus, BotHunter notices when a computer is attempting to contact several email servers and UDP traffic is going to several computers, such as those known to belong to a Russian criminal network that is being monitored by BotHunter. BotHunter uses this information to assign a score to events; the display console logs the forensic evidence, listing the infected machines, botnet control servers, malicious code-download servers and details about outbound scanning that newly infected machines may be performing.

BotHunter is free, but closed source. It is available for Windows, Linux and Mac platforms. During installation, BotHunter requires an input of the IP address range of the trusted network, SMPT servers and DNS servers. Once installed, BotHunter examines traffic that traverses the NIC card you specify. Mostly it listens passively, but from time to time BotHunter initiates outbound communications to automated threat services run by SRI. BotHunter also pulls updates for the botnet command and control blacklist, malware DNS list and new malware-detection rules. This allows BotHunter to maintain awareness of the latest botnet operator servers, malware-associated DNS lookups, known-bad server addresses and malware back-door control ports. BotHunter sends anonymous data associated with detected botnet activity, malware-download sites, exploit servers and detection patterns, but it does not report any IP addresses from your trusted network. SRI states that neither they nor their affiliates track your specific network information.

BotHunter is one of a few tools that can help discover operating botnets within a network. Its distributed intelligence model and the ease of operation should get it into more hands, which will aid its usefulness in detecting and combating the vast array of cybercriminal enterprises plaguing the Internet.

About the author:
Scott Sidel is an ISSO with Lockheed Martin.

This was last published in December 2008

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.