BotHunter: Another Useful Linux Tool

BotHunter is a passive traffic monitoring system that can locate bot activity on your network, but you need Linux to use it. Nevertheless, it'll help protect your Windows-based network against bot infiltration.

The tool, which was recently released to the public, was developed by the Cyber-Threat Analytics (Cyber-TA) Project. Extensive details about BotHunter were presented at the 16th annual USENIX Security Symposium, which took place August 6-10. The white paper prepared for the symposium is available online and describes the technology used by the tool.

According to the white paper, BotHunter tracks communication between internal network devices and systems external to the local network. The data exchanges are compared to a state-based infection model that can detect a malware infection process and identify both the target and the source of the attack.

Under the hood, BotHunter uses Snort along with custom malware-focused rule sets. Added to Snort are two custom plug-ins called SLADE and SCADE that were developed especially for BotHunter. SLADE performs payload analysis, and SCADE performs port scan analyses of inbound and outbound traffic.

It might sound somewhat simple on the surface, but it's actually complex and quite effective. The BotHunter developers, Phillip Porras of SRI International and Wenke Lee of Georgia Institute of Technology, established a honeynet that uses BotHunter. The developers wrote that "Over a 3-week period between March and April 2007, we analyzed a total of 2,019 successful Windows XP and Windows 2000 remote-exploit bot or worm infections." BotHunter detected 1,920 of those 2,019 infections, which is roughly a 95 percent success rate. Not bad, especially for a free tool!

A really slick feature of BotHunter is its integrated support for "large-scale privacy-preserving data sharing." The feature lets BotHunter operators send bot profiles to a central repository operated by Cyber-TA, which is then made available to all who provide BotHunter data and other researchers. The feature sends data by using Transport Layer Security (TLS) over a TOR (The Onion Router) network to keep reports reasonably anonymous and lets operators selectively obfuscate IP addresses and other sensitive information before they share their data.

As with many excellent security tools, BotHunter runs on Linux. If you're not familiar with Linux, know that it's not so hard to use, so consider building a system and learning the ins and outs. You'll find that the OS comes in very handy.

BotHunter requires Fedora, Debian, or SUSE Linux, plus Sun Microsystems' Java 2 Platform, Standard Edition (J2SE) 1.4.2 or later Java Runtime Environment (JRE), which is used to read alert streams from Snort. Of course, you'll also need a spunky system to run the platform, so be sure that you use a system with a fast CPU, fast hard drives, and plenty of RAM. You might also need other tools, such as VMware, depending on how you plan to implement a test platform.

You can download the BotHunter source code at the Cyber-TA Web site at the first URL below, and you can read the extensive white paper about BotHunter at the second URL below. The white paper explains exactly how the platform works and details the hardware that's running the honeynet that the development team is currently using to test BotHunter.

http://www.cyber-ta.org/releases/botHunter/index.html

http://www.cyber-ta.org/releases/botHunter/BotHunter-Usenix07.pdf