While traditional security software typically only inspects incoming communication and downloads for malware, a free security tool. BotHunter instead correlates the two-way communication between vulnerable computers and hackers. BotHunter “flips the security paradigm” by focusing on the egress, says Phillip Porras, a computer security expert at SRI International and one of its creators.
Botnets are shadowy networks of compromised computers. Typically the PC gets infected with malware from e-mail or from visiting a compromised Web site. The infection may linger for a while before it calls out to a command and control server which may download malware, or enlist the PC in a spam campaign or denial of service attack.
With BotHunter, a network administrator can see which system on a network is communicating with an unknown external server and quickly act to stop it. BotHunter produces a report that lists all the relevant events and event sources that lead it to its conclusion of an infection. There’s a score on the likelihood the match is malware.
BotHunter—an application that grew out of SRI International’s Cyber-Threat Analytics project — differs from traditional Intrusion Detection Systems by keeping a log of the data exchanges that typically occur when a PC is infected with malware. Simply specify the network you want to monitor, and BotHunter then listens passively, logging anonymous traffic, and occasionally sending an outbound messages to a database of adware, spyware, viruses and worms maintained by SRI International. Currently the project is collecting 10,000 new malware data exchanges each day, according to Porras. He said BotHunter started recognizing Conflicker data exchange patterns back in November 2008, well before that threat was popularized by other security vendors.
Porras says both the threat database and BotHunter analysis engines are constantly checked for accuracy. This is done by infecting SRI honeynets with known malware to see whether or not BotHunter accurately detects it.
BotHunter, which is free but not open source, works with Unix, Linux, Max OS, and Windows XP (even on standalone desktop PCs). A Windows Vista version is expected soon. BotHunter is not intended to be a replacement for traditional security (firewall and antivirus), says Porras, but a complement. He says there have been 110,000 downloads worldwide since its release.
Porras admits there are a few Black Hats, even some White Hats, discussing online various ways to circumvent BotHunter. For now, however, BotHunter remains a useful way to identify and therefore mitigate botware on your network or home system.
Robert Vamosi is a freelance computer security writer specializing in covering criminal hackers and malware threats.