Technology research firm SRI International released a free software tool on Monday to help system administrators detect botnet activity within their network.
The program, called BotHunter, monitors the inside of a network to detect the two-way communications flows that are common between computers compromised by bot software and the command-and-control (C&C) server that is used to send commands to each infected machine. The software keeps tabs on the suspicious requests and responses — which SRI International calls dialogs — and compares them with patterns of known bot software, said Phillip Porras, security program director for SRI International.
"You typically — with an intrusion detection system — put the system at your egress point and see who's trying to break into your network," Porras said. "BotHunter kind of flips that on its head. You put it behind your firewall and it listens to everything to see if any of the communications resembles known botnet activity."
Bot software has become the largest issue for many companies. In its recent Worldwide Infrastructure Security Report, security firm Arbor Networks found that more than a quarter of respondents — the largest proportion — rated botnets as the most serious threat. The recent takedown of McColo, an Internet service provider used to host the command-and-control servers for many botnets, resulted in more than half a million compromised computers being disconnected from their bot masters.
In September, a report found that compromised computers in the United States were responsible for more than 20.6 million attempted attacks, while China came in second place with 7.7 million attacks.
SRI International's BotHunter software can be downloaded from the BotHunter Web site. There are versions for Linux, FreeBSD, Windows and Mac OS X.
Posted by: Robert Lemos