[GLLUG] BotHunter

Stanley C. Mortel mortel at cyber-nos.com
Wed Aug 15 20:16:51 EDT 2007


This is from the most recent Security Update mailing.  F.Y.I.


=== IN FOCUS: BotHunter: Another Useful Linux Tool =============
    by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

BotHunter is a passive traffic monitoring system that can locate bot
activity on your network, but you need Linux to use it. Nevertheless,
it'll help protect your Windows-based network against bot infiltration.

The tool, which was recently released to the public, was developed by
the Cyber-Threat Analytics (Cyber-TA) Project. Extensive details about
BotHunter were presented at the 16th annual USENIX Security Symposium,
which took place August 6-10. The white paper prepared for the
symposium is available online and describes the technology used by the
tool.

According to the white paper, BotHunter tracks communication between
internal network devices and systems external to the local network. The
data exchanges are compared to a state-based infection model that can
detect a malware infection process and identify both the target and the
source of the attack.

Under the hood, BotHunter uses Snort along with custom malware-focused
rule sets. Added to Snort are two custom plug-ins called SLADE and
SCADE that were developed especially for BotHunter. SLADE performs
payload analysis, and SCADE performs port scan analyses of inbound and
outbound traffic.

It might sound somewhat simple on the surface, but it's actually
complex and quite effective. The BotHunter developers, Phillip Porras
of SRI International and Wenke Lee of Georgia Institute of Technology,
established a honeynet that uses BotHunter. The developers wrote that
"Over a 3-week period between March and April 2007, we analyzed a total
of 2,019 successful Windows XP and Windows 2000 remote-exploit bot or
worm infections." BotHunter detected 1,920 of those 2,019 infections,
which is roughly a 95 percent success rate. Not bad, especially for a
free tool!

A really slick feature of BotHunter is its integrated support for
"large-scale privacy-preserving data sharing." The feature lets
BotHunter operators send bot profiles to a central repository operated
by Cyber-TA, which is then made available to all who provide BotHunter
data and other researchers. The feature sends data by using Transport
Layer Security (TLS) over a TOR (The Onion Router) network to keep
reports reasonably anonymous and lets operators selectively obfuscate
IP addresses and other sensitive information before they share their
data.

As with many excellent security tools, BotHunter runs on Linux. If
you're not familiar with Linux, know that it's not so hard to use, so
consider building a system and learning the ins and outs. You'll find
that the OS comes in very handy.

BotHunter requires Fedora, Debian, or SUSE Linux, plus Sun
Microsystems' Java 2 Platform, Standard Edition (J2SE) 1.4.2 or later
Java Runtime Environment (JRE), which is used to read alert streams
from Snort. Of course, you'll also need a spunky system to run the
platform, so be sure that you use a system with a fast CPU, fast hard
drives, and plenty of RAM. You might also need other tools, such as
VMware, depending on how you plan to implement a test platform.

You can download the BotHunter source code at the Cyber-TA Web site at
the first URL below, and you can read the extensive white paper about
BotHunter at the second URL below. The white paper explains exactly how
the platform works and details the hardware that's running the honeynet
that the development team is currently using to test BotHunter.
    http://list.windowsitpro.com/t?ctl=624C4:F38B084D4C41514A0B4BE2EB853F6CED
    http://list.windowsitpro.com/t?ctl=624BF:F38B084D4C41514A0B4BE2EB853F6CED


****************************
Stan Mortel
mortel at cyber-nos.com
****************************
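The state-based infection model the forwarded article describes (inbound scan/exploit evidence against an internal host, correlated with that same host's later outbound bot behaviour) can be illustrated with a small dialog correlator. This is an added example, not code from the newsletter, the list post or the BotHunter project; the event names, the declaration rule, the monitored network and the alert line format are all this example's own assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed alert lines in an assumed "<event> <src> -> <dst>" format
# (not real Snort output). Two internal hosts appear: .20 and .21.
ALERTS = """\
E1_INBOUND_SCAN   203.0.113.9   -> 192.168.1.20
E2_EXPLOIT        203.0.113.9   -> 192.168.1.20
E3_EGG_DOWNLOAD   192.168.1.20  -> 198.51.100.7
E4_CNC            192.168.1.20  -> 198.51.100.44
E1_INBOUND_SCAN   203.0.113.9   -> 192.168.1.21
E5_OUTBOUND_SCAN  192.168.1.21  -> 10.0.0.0
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed monitored network
INBOUND = {"E1_INBOUND_SCAN", "E2_EXPLOIT"}           # evidence about the victim
OUTBOUND = {"E3_EGG_DOWNLOAD", "E4_CNC", "E5_OUTBOUND_SCAN"}  # victim acting as a bot

def parse(line):
    event, src, _, dst = line.split()
    return event, ipaddress.ip_address(src), ipaddress.ip_address(dst)

def correlate(alert_text):
    """Group dialog events per internal host; remember who exploited it."""
    dialogs = defaultdict(lambda: {"events": set(), "attacker": None})
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        event, src, dst = parse(line)
        if event in INBOUND and dst in LOCAL_NET:
            d = dialogs[str(dst)]
            d["events"].add(event)
            if event == "E2_EXPLOIT":
                d["attacker"] = str(src)   # exploit source = suspected infector
        elif event in OUTBOUND and src in LOCAL_NET:
            dialogs[str(src)]["events"].add(event)
    return dialogs

def infected(events):
    """Assumed rule: an exploit plus any outward bot behaviour, or two distinct
    outward behaviours, is enough to declare the host infected."""
    outward = events & OUTBOUND
    return ("E2_EXPLOIT" in events and bool(outward)) or len(outward) >= 2

def infection_profiles(alert_text):
    """Map each declared-infected host to its suspected infection source."""
    return {host: d["attacker"] for host, d in correlate(alert_text).items()
            if infected(d["events"])}

if __name__ == "__main__":
    for host, attacker in infection_profiles(ALERTS).items():
        print(f"infection profile: victim={host} source={attacker}")
```

With the constructed alerts, only 192.168.1.20 is declared infected (exploited by 203.0.113.9, then downloading and contacting a controller); 192.168.1.21 saw one inbound scan and one outbound scan, which alone is not enough.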


