BotHunter – A Network Based Malware Infection Detection System!

by Black on January 31, 2010 · 0 comments

in Malware Analysis, Open Source, Security tools, Source Code

BotHunter is the first, and still the best, network-based malware infection detection system out there. It tracks the two-way communication flows between your computers and the Internet, comparing your network traffic against an abstract model of malware communication patterns. Its goal is to catch bots and other coordination-centric malware infesting your network, and it is exceptionally effective at it.

BotHunter will help you catch malware infections that routinely go undetected by antivirus systems and are ignored entirely by traditional, single-alert intrusion detection systems.


How does BotHunter work?
BotHunter models an infection sequence as a composition of participants and a loosely ordered sequence of network dialog exchanges:
Infection I = (A, V, E, C, P, V', {D})
where A = attacker, V = victim, E = egg download location, C = C&C server, P = peer-to-peer coordination points, and V' = the victim's next propagation targets. {D} represents a set of dialog sequences composed of bidirectional flows that cross the egress boundary.

BotHunter declares a host infected when any of three dialog sequence combinations is observed:
Condition 1: Evidence of a local host infection (an inbound exploit or backdoor upload), and evidence of outward malware coordination or attack propagation (egg download, C&C traffic, or outbound scanning), or
Condition 2: At least two distinct signs of outward bot coordination, attack propagation, or attacker preparation sequences are observed, or
Condition 3: Evidence that a local host has attempted to establish communication with a confirmed malware control host or drop site.

Sample report (the original table layout was not captured; reconstructed here as plain text):

Victim IP, Max Score, Profiles, CCs, Events
192.168.1.8  1.9  VIEW  4  81.198.38.197 Country: Latvia (Lv), City: (Unknown City).

Event lines for 192.168.1.8 (signature id, protocol, dialog class, alert message, local port <- remote port; parenthesised numbers reproduced as printed):
  1:22375 {tcp} Inbound Attack: REGISTERED FREE BACKDOOR DoomJuice file upload attempt MAC_Dst: 00:30:48:30:03:AE; 3127<-59013
  1:23272 {tcp} Inbound Attack: REGISTERED FREE BACKDOOR mydoom.a backdoor upload/execute attempt MAC_Dst: 00:30:48:30:03:AE; 3127<-59013
  1:2000419 {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 3127<-59013
  1:22375 (8) {tcp} Inbound Attack: REGISTERED FREE BACKDOOR DoomJuice file upload attempt MAC_Dst: 00:30:48:30:03:AE; 3127<-59013
  1:23272 (9) {tcp} Inbound Attack: REGISTERED FREE BACKDOOR mydoom.a backdoor upload/execute attempt MAC_Dst: 00:30:48:30:03:AE; 3127<-59013
  1:2000419 (9) {tcp} Egg Download: ET POLICY PE EXE or DLL Windows file download; 3127<-59013
  1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) sent from remote host; 3127<-59013
  1:22000032 {tcp} Inbound Attack: ET EXPLOIT LSA exploit MAC_Dst: 00:30:48:30:03:AE; 445<-62288
  1:22000033 {tcp} Inbound Attack: ET EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP) MAC_Dst: 00:30:48:30:03:AE; 445<-62288

In the sample above, the inbound backdoor-upload attacks against port 3127 followed by a Windows PE download from the same remote host satisfy Condition 1, which is why 192.168.1.8 is reported as a victim. This makes BotHunter a very useful tool for security administrators who manage a large network and find it difficult to identify which host is the culprit eating precious bandwidth: the machine with the highest score is the first one to track down.
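To make the three conditions and the report format concrete, here is a small dialog correlator that parses event lines in the layout shown above, buckets them by victim, applies the three conditions and ranks victims by score. This is an added example written for this post, not BotHunter's own code: the dialog class names, the per-class weights, the blocklist of "confirmed" control hosts and the event lines for the three hosts other than 192.168.1.8 are constructed for illustration (placeholder signature ids, messages prefixed CONSTRUCTED). The port convention (local port printed first, `<-` meaning an inbound flow) is read off the report above.

```python
"""Toy dialog correlator modelled on the three infection conditions above.
Added example; not BotHunter's source.  Dialog classes, weights, the
blocklist and the CONSTRUCTED alert lines are assumptions made here."""
import re
from collections import defaultdict

# Dialog classes (names assumed for this example).
INBOUND_SCAN = "inbound_scan"      # attacker preparation
INBOUND_ATTACK = "inbound_attack"  # evidence of local host infection
EGG_DOWNLOAD = "egg_download"      # outward coordination: payload fetch
CC_COMMS = "cc_comms"              # outward coordination: C&C traffic
OUTBOUND_SCAN = "outbound_scan"    # attack propagation

# Alert-class prefix as printed in the report -> dialog class.
CLASS_BY_PREFIX = {
    "Inbound Scan": INBOUND_SCAN,
    "Inbound Attack": INBOUND_ATTACK,
    "Egg Download": EGG_DOWNLOAD,
    "C&C Traffic": CC_COMMS,
    "Outbound Scan": OUTBOUND_SCAN,
}
OUTWARD = {EGG_DOWNLOAD, CC_COMMS, OUTBOUND_SCAN}
# Weights are assumed; BotHunter's real scoring is not reproduced here.
WEIGHTS = {INBOUND_SCAN: 0.2, INBOUND_ATTACK: 0.6, EGG_DOWNLOAD: 0.8,
           CC_COMMS: 1.0, OUTBOUND_SCAN: 0.7}
# Hypothetical blocklist of confirmed control hosts / drop sites (condition 3).
KNOWN_CC_HOSTS = {"203.0.113.7"}

# "<sid> [(n)] {proto} <Class>: <message>; <local port><-|-><remote port>"
ALERT_RE = re.compile(
    r"^(?P<sid>\d+:\d+)(?: \(\d+\))? \{(?P<proto>\w+)\} "
    r"(?P<cls>[^:]+): (?P<msg>.*?); (?P<lport>\d+)(?P<dir><-|->)(?P<rport>\d+)$"
)


def parse_alert(line):
    """Parse one report event line; '<-' marks an inbound flow."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised alert line: %r" % line)
    dialog = CLASS_BY_PREFIX.get(m.group("cls"))
    if dialog is None:
        raise ValueError("unknown alert class: %r" % m.group("cls"))
    return {"sid": m.group("sid"), "proto": m.group("proto"), "dialog": dialog,
            "msg": m.group("msg"), "local_port": int(m.group("lport")),
            "remote_port": int(m.group("rport")), "inbound": m.group("dir") == "<-"}


def correlate(events):
    """events: iterable of (victim_ip, remote_ip, alert_line) -> per-victim verdict."""
    hosts = defaultdict(lambda: {"dialogs": set(), "outbound_to": set()})
    for victim, remote, line in events:
        a = parse_alert(line)
        hosts[victim]["dialogs"].add(a["dialog"])
        if not a["inbound"]:
            hosts[victim]["outbound_to"].add(remote)
    verdicts = {}
    for victim, h in hosts.items():
        d, conds = h["dialogs"], []
        if INBOUND_ATTACK in d and d & OUTWARD:        # Condition 1
            conds.append(1)
        if len(d & (OUTWARD | {INBOUND_SCAN})) >= 2:   # Condition 2
            conds.append(2)
        if h["outbound_to"] & KNOWN_CC_HOSTS:          # Condition 3
            conds.append(3)
        verdicts[victim] = {"dialogs": sorted(d), "conditions": conds,
                            "score": round(sum(WEIGHTS[x] for x in d), 2),
                            "infected": bool(conds)}
    return verdicts


def ranked(verdicts):
    """(ip, score) pairs by descending score: the triage order an analyst wants."""
    return sorted(((ip, v["score"]) for ip, v in verdicts.items()),
                  key=lambda t: (-t[1], t[0]))


SAMPLE_EVENTS = [
    # Two lines taken from the report above.
    ("192.168.1.8", "81.198.38.197",
     "1:23272 {tcp} Inbound Attack: REGISTERED FREE BACKDOOR mydoom.a backdoor "
     "upload/execute attempt MAC_Dst: 00:30:48:30:03:AE; 3127<-59013"),
    ("192.168.1.8", "81.198.38.197",
     "1:3300007 {tcp} Egg Download: BotHunter Malware Windows executable (PE) "
     "sent from remote host; 3127<-59013"),
    # Constructed lines (placeholder sids and messages) for three more hosts.
    ("192.168.1.20", "198.51.100.9",
     "1:9000001 {tcp} Inbound Scan: CONSTRUCTED SYN sweep of port 445; 445<-52110"),
    ("192.168.1.33", "203.0.113.7",
     "1:9000002 {tcp} C&C Traffic: CONSTRUCTED IRC NICK on odd port; 49201->6667"),
    ("192.168.1.41", "198.51.100.44",
     "1:9000002 {tcp} C&C Traffic: CONSTRUCTED IRC NICK on odd port; 49330->8080"),
    ("192.168.1.41", "198.51.100.44",
     "1:9000003 {tcp} Outbound Scan: CONSTRUCTED SYN sweep of port 22; 49331->22"),
]

if __name__ == "__main__":
    verdicts = correlate(SAMPLE_EVENTS)
    for ip, score in ranked(verdicts):
        print(ip, score, verdicts[ip]["conditions"], verdicts[ip]["dialogs"])
```

Run as a script it prints the four hosts in score order. 192.168.1.8 trips Condition 1 (inbound attack plus egg download), 192.168.1.41 trips Condition 2 (C&C plus outbound scan with no inbound exploit seen), 192.168.1.33 trips Condition 3 only because its C&C peer is on the blocklist, and 192.168.1.20, which was merely scanned, is not declared infected. The point the conditions encode is that no single alert is enough: a lone inbound exploit attempt or a lone scan is just noise until it is joined by a second, correlated dialog.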

Operating systems supported:
Windows XP/Vista/7/2003 Server both 32-bit and 64-bit.
Fedora, Red Hat Enterprise Linux, Debian, Ubuntu, SUSE, and CentOS
Mac OS X 10.4-10.6 (Tiger, Leopard, and Snow Leopard)
FreeBSD 7.2

Download BotHunter version 1.5 here
