US Army Research Office’s BotHunter ( Malware detector)
Antispyware | Wednesday, November 26th, 2008 at 12:53 pm | staff
Posted on 12/08/2008 9:47:54 AM PST by Ernest_at_the_Beach
To: Old Student; Ernest_at_the_Beach
About to try it, if I don’t come back....
61 posted on 12/08/2008 4:52:16 PM PST by SouthTexas (Remember, it took a Jimmy Carter to bring us a Ronald Reagan!)
To: 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; AmericanGirlRising; aristotleman; ...
Very Questionable claim about Mac Spam Bots - PING!

Mac Security FUD Ping!
If you want on or off the Mac Ping List, Freepmail me.
62 posted on 12/08/2008 5:17:03 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!")
To: Lil'freeper
63 posted on 12/08/2008 5:22:17 PM PST by big'ol_freeper (Gen. George S. Patton to Michael Moore... American Carol: "I really like slapping you.")
To: Old Student
Thanks for the feedback.....do you have a home network?
To: Old Student
To: Ernest_at_the_Beach; Old Student
It really didn't seem to do much; I run XP, Trend Micro and Spybot.
No network either.
66 posted on 12/08/2008 6:10:21 PM PST by SouthTexas (Remember, it took a Jimmy Carter to bring us a Ronald Reagan!)
To: Swordmaker
Here's an oldie, it came out back when there were some server hacks and failures, so they switched to Macs. :')

67 posted on 12/08/2008 6:41:39 PM PST by SunkenCiv (https://secure.freerepublic.com/donate/_______Profile finally updated Saturday, December 6, 2008 !!!)
To: SouthTexas
Maybe you had nothing going on.... No infection....?.
Did it install for you?
To: Ernest_at_the_Beach
Maybe nothing was there, don’t know. Seemed to install easily enough, multiple changes required in Spybot, but that is to be expected when making changes.
Trend seems to do pretty good, but I have run Spybot for years, (Trend came with the computer).
One thing though, I don't go to very many places I don't trust. The exception being the grandkids, although they do a pretty good job of policing the wife. ;)
69 posted on 12/08/2008 6:50:04 PM PST by SouthTexas (Remember, it took a Jimmy Carter to bring us a Ronald Reagan!)
To: Old Student
To: Ernest_at_the_Beach
Researchers at SRI International announced a free tool this week that can help organizations battle botnets by tracking down infected hosts in their network. BotHunter monitors the two-way communication flows between compromised computers and external attackers and develops an evidence trail to identify botnet activity. The tool has a correlation engine that uses a customized version of Snort to track inbound scanning, outbound attack propagation and other activity that happens during the infection process. So this is the correct site? Great. Thanks for the information.
71 posted on 12/08/2008 7:58:28 PM PST by GOPJ (Perverse incentives birth nasty unintended consequences.)
To: Ernest_at_the_Beach
My computer’s doing this little, “This object has been blocked.” stuff when I try to go to the mirror sites to download. I’ll try again tomorrow. Thanks for the link.
72 posted on 12/08/2008 8:05:26 PM PST by GOPJ (Perverse incentives birth nasty unintended consequences.)
To: Ernest_at_the_Beach
I'm not sure how you use this if you are running a single PC or multiple thru a router ... Found these instructions Here via the linked article.
I haven't set this up yet but it looks as if single PC home use is do'able.
Other network setups are described there as well.
==============================================
Here is some advice on answering the network configuration parameters.
1. For Home WinXP Users on a typical Cable, DSL, or modem.
Here is what to do if you are a single PC user attached directly, or via wireless access point, to your Internet provider's cable, DSL, or Modem.
1a. Enter the Network Mask of your Trusted Net
You may enter the IP address of your system as your trusted network mask. Here is how to find your system's current IP address:
Click the Windows desktop Start Menu, Control Panel, Network Connections. Find the local area connection that is "Connected". Double click the connected network icon. Click the Support Tab. Your IP address will be listed.
Use this IP address as your Trusted Network mask. You do not need to specify this as an IP mask.
1b. Enter the IP address of any SMTP servers on the network.
Assuming you are a home user whose mail server is provided by your Internet service provider (this is typical), you may leave this entry blank.
1c. Enter the IP address of any DNS servers on the network.
Assuming you are a home user whose DNS services are provided by your Internet service provider (this is typical), you may leave this entry blank.
1d. Select the Network Adapter to be used by Snort.
Click the Windows desktop Start Menu, Control Panel, Network Connections. Find the local area connection that is "Connected". Double click the connected network icon. Match the name of this "Connected" adapter to the network adapter in the scroll list prompt.
Typically, your Home PC should generate very few "Lines Parsed", or dialog alarms. You may leave BotHunter running for several hours, to determine if your system is infected with malware. If so, BotHunter will produce an infection profile. BotHunter may be run on your system periodically to retest whether your machine is infected.
73 posted on 12/08/2008 8:12:26 PM PST by Bloody Sam Roberts (Inspiration: The momentary cessation of stupidity.)
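The description of BotHunter quoted in post 71 (a correlation engine that builds an evidence trail from inbound scanning, outbound propagation and other infection-dialog events) and the home-user configuration steps quoted in post 73 (step 1a: a single PC may give its own address as the trusted net) can be illustrated with a small toy detector. This is an added example, not SRI's BotHunter code and not material from the thread: the alert line format, the five phase names and their weights, the infection rule and the sample alert lines are all constructed assumptions. It also goes slightly beyond the single-PC case by using a /24 trusted net, so it can show a neighbouring host that was only scanned and is correctly not flagged.

```python
"""Toy dialog-correlation detector in the spirit of the BotHunter description.

Added illustration, not SRI's code. The alert format, phase names, weights and
the infection rule are constructed assumptions for this example only.
"""
import ipaddress
import re
from collections import defaultdict

# Step 1a of the quoted instructions: a single home PC may give its own
# address as the "trusted net"; ipaddress treats a bare address as a /32.
def home_user_trusted_net(own_ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(own_ip, strict=True)

# A /24 instead of one address, so the sample can hold two trusted hosts.
TRUSTED_NET = ipaddress.ip_network("192.168.1.0/24")

# Simplified dialog phases (assumption: a coarse version of the inbound-scan,
# exploit, download, C&C and outbound-scan stages the thread describes).
INBOUND_PHASES = {"inbound_scan", "inbound_exploit"}
OUTBOUND_PHASES = {"egg_download", "cnc", "outbound_scan"}
PHASE_WEIGHTS = {"inbound_scan": 1, "inbound_exploit": 2,
                 "egg_download": 2, "cnc": 2, "outbound_scan": 2}

# Constructed alert format, one event per line: [phase] src:port -> dst:port
ALERT_RE = re.compile(
    r"^\[(?P<phase>[a-z_]+)\]\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts: 192.168.1.23 walks through a full infection
# dialog, 192.168.1.50 is merely scanned, and the last line concerns no
# trusted host at all.
SAMPLE_ALERTS = [
    "[inbound_scan] 203.0.113.7:41200 -> 192.168.1.23:445",
    "[inbound_exploit] 203.0.113.7:41201 -> 192.168.1.23:445",
    "[egg_download] 192.168.1.23:49152 -> 198.51.100.9:80",
    "[cnc] 192.168.1.23:49153 -> 198.51.100.44:6667",
    "[outbound_scan] 192.168.1.23:49200 -> 10.0.0.5:445",
    "[inbound_scan] 203.0.113.9:5555 -> 192.168.1.50:22",
    "this line is not an alert and is skipped",
    "[cnc] 10.20.30.40:1111 -> 198.51.100.44:6667",
]


def parse_alert(line):
    """Return (phase, src, dst) or None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m or m.group("phase") not in PHASE_WEIGHTS:
        return None
    return m.group("phase"), m.group("src"), m.group("dst")


def victim_of(phase, src, dst, trusted):
    """Attribute an event to the trusted host it concerns, or None.

    Inbound phases are evidence against the destination, outbound phases
    against the source; anything outside the trusted net is ignored.
    """
    inside = dst if phase in INBOUND_PHASES else src
    return inside if ipaddress.ip_address(inside) in trusted else None


def build_trails(lines, trusted):
    """Evidence trail per trusted host: the set of dialog phases observed."""
    trails = defaultdict(set)
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        phase, src, dst = parsed
        host = victim_of(phase, src, dst, trusted)
        if host is not None:
            trails[host].add(phase)
    return dict(trails)


def is_infected(phases):
    """Assumed rule: being scanned is not evidence on its own. The host must
    either act twice on its own (two distinct outbound phases) or show an
    inbound exploit followed by at least one outbound act."""
    outbound = phases & OUTBOUND_PHASES
    return len(outbound) >= 2 or bool("inbound_exploit" in phases and outbound)


def infection_profiles(lines, trusted):
    """Return {host: (score, sorted phases)} for hosts judged infected."""
    profiles = {}
    for host, phases in build_trails(lines, trusted).items():
        if is_infected(phases):
            score = sum(PHASE_WEIGHTS[p] for p in phases)
            profiles[host] = (score, sorted(phases))
    return profiles


if __name__ == "__main__":
    print("single-PC trusted net:", home_user_trusted_net("192.168.1.23"))
    for host, (score, phases) in infection_profiles(SAMPLE_ALERTS, TRUSTED_NET).items():
        print(f"infection profile for {host}: score={score} phases={phases}")
```

The point of the structure is the one the thread's description makes: a single scan against a home PC produces an entry in the trail but no alarm, which is why an idle, uninfected machine shows very few lines and no profile after hours of running; only a correlated sequence in which the host itself starts talking outward turns the trail into an infection profile.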
To: Bloody Sam Roberts; Old Student; SouthTexas
Excellent info....thanks.
To: All
To: Bloody Sam Roberts; Ernest_at_the_Beach
Those instructions are what I used to install.
76 posted on 12/08/2008 8:59:52 PM PST by SouthTexas (Remember, it took a Jimmy Carter to bring us a Ronald Reagan!)
To: IYAS9YAS
Zone Alarm
Zone Alarm is more a pain than anything... Comodo FINALLY came out with a Vista64 version. Not sure what version you're running, but they should have it: http://www.comodo.com/ (and it's free!)
77 posted on 12/09/2008 12:49:20 AM PST by Bikkuri
To: Ernest_at_the_Beach
“Thanks for the feedback.....do you have a home network?”
Yes, I do. Linksys WRT54G wireless router, five XP & one Vista box, and a Palm TX, and two 4-port switches to distribute the network where I want it. Only the laptop and Palm go wireless into the network.
You're welcome for the feedback, and I thank you, as well. I figure if we just sit here and take potshots at each other, nothing gets better. If we help each other out, things do get better, and I think we need a lot of “getting better” in this country.
78 posted on 12/09/2008 7:12:21 AM PST by Old Student (We have a name for the people who think indiscriminate killing is fine. They're called "The Bad Guys")
To: Ernest_at_the_Beach
"Give us some feedback when you can!"
I've had it running for a little over 24 hours on a span port that's mirrored from the port where our perimeter firewall is plugged in that provides our primary connection to the internet. So far it hasn't found anything. I suppose that's a good thing, but makes for some boring testing. lol I might fire up a VM and do an intentional infection of some kind just to test it (famous last words I know).
I've had it running on an XP box with 2g of RAM, and it seems really stable with only 50megs of RAM used total on Snort and the bot hunter front end. Just for reference, I can fire up Ethereal (Wireshark) while connected to that mirrored port, and it will bring the system to a halt after a few minutes because the machine can't handle the load.
I'll report back when I have more information. I'll give it a run on a Linux machine in the next day or so.
79 posted on 12/09/2008 6:04:33 PM PST by KoRn
To: KoRn
Thanks for letting us know...