Free Republic · General/Chat
US Army Research Office’s BotHunter ( Malware detector)
Antispyware ^ | Wednesday, November 26th, 2008 at 12:53 pm | staff

Posted on 12/08/2008 9:47:54 AM PST by Ernest_at_the_Beach

When malware spammers get out of control, what’s the best thing to do?

Call in the US Army, perhaps?

A free malware-detector called BotHunter, sponsored by the US Army Research Office, “works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots,” SC Magazine quotes Marcus Sachs, director at SANS Internet Storm Center, as saying.

The story also has Phillip Porras, program director of enterprise and infrastructure security at SRI International, a research and technology organization, and lead developer of the BotHunter project, saying that there have been 35,000 downloads so far.

“It works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots,” Marcus Sachs, director at SANS Internet Storm Center, told SCMagazineUS.com Tuesday in an email.

BotHunter was funded through a Cyber-Threat Analytics research grant from the US Army Research Office, says SC Magazine, adding:

“It reportedly helps Windows, Mac and Linux users detect malware-infected hosts on their networks by tracking interactions that typically occur when a PC is infected with malware, Porras said. The tool will generate an infection profile with all the forensic evidence that was gathered.

“The infection profile report will then allow users to determine which machines on the network are acting like they are infected. The tool anonymizes infection profiles and passes them back to SRI, where they go into a repository that is used to help generate new threat intelligence.”



TOPICS: Computers/Internet
KEYWORDS: bothunter; botnet; malware

1 posted on 12/08/2008 9:47:55 AM PST by Ernest_at_the_Beach

To: ShadowAce
I just stumbled into this from a note on Today's DistroWatch Weekly....know nothing about it other than what I read...will add some links...as I find them...

DistroWatch Weekly

Scroll to comments and #17.

**********************************EXCERPT*************************

17 BotHunter (by Michael Dotson on 2008-12-08 13:54:14 GMT from United States)
This is a side issue to today's DistroWatch. I recently came across a story in the NY Times on-line web-page about a program called BotHunter that works across all platforms, including Linux. The obvious purpose is to hunt down malware. A live CD version based on Ubuntu is available as well as a tar.gz package. Perhaps I am just behind the curve, but I have never heard of this program until today and was wondering if anyone has had experience with it, and if so how well it works? The address is www.bothunter.net, and for the live cd as follows:

* Live CD Distribution v1.0.2 (Official Release) - 17 November 2008
  - BotHunter-LiveCD.v1.0.2.torrent [bittorrent only - 665.3MBs]
  - (torrent file MD5 = 8617b7ca4c996a4b43cf42589c06beff)
  - (ISO Image MD5 = 137c96d67d0f8605042a8cb92a3bf8dc)
  - Live-CD: this is a self-booting ISO image of BotHunter operating on Ubuntu Linux

2 posted on 12/08/2008 9:52:44 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: All
Website:

www.bothunter.net...news

3 posted on 12/08/2008 9:54:34 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: All; Swordmaker
Link to FR Thread on NY Times article:

Thieves Winning Online War, Maybe in Your PC

4 posted on 12/08/2008 9:57:37 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach
ooh! SRI! Sounds... interesting.
5 posted on 12/08/2008 9:58:57 AM PST by CE2949BB (Fight.)

To: rdb3; KoRn; Bloody Sam Roberts

ping!


6 posted on 12/08/2008 10:00:09 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach
Free BotHunter - Download Link
7 posted on 12/08/2008 10:07:52 AM PST by Red_Devil 232 (VietVet - USMC All Ready On The Right? All Ready On The Left? All Ready On The Firing Line!)

To: All
Link:

BotHunter® Internet Release
Software Distribution Page

8 posted on 12/08/2008 10:10:15 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach

mark for later use - thanks!


9 posted on 12/08/2008 10:11:04 AM PST by MathDoc (War is Peace. Freedom is Slavery. Ignorance is Strength. Obama is Good.)

BotHunter is a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter.  Using an advanced infection-dialog-based event correlation engine (patent pending), BotHunter represents the most in-depth network-based malware infection diagnosis system available today.

NEW: There has been a lot of great press on BotHunter recently:  See Latest Press.

Download Now

Your system should have a modern Intel Pentium-class or Motorola PowerPC processor, at least 1 GB RAM, and at least 1 Ethernet NIC/WIC (for network monitoring).



10 posted on 12/08/2008 10:11:48 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)
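Added example, written for this page and not SRI's code: a toy version of the "infection-dialog" correlation that the site text in #10 describes, run over constructed sensor alerts. The real tool takes alerts from its network sensors; here the alerts are hand-made tuples, and the home network, the 300-second window, the phase labels (E2 inbound exploit, E3 egg download, E4 C&C traffic, E5 outbound scan; inbound scans are ignored) and the two declaration rules are all assumptions of this example, kept close in spirit to the published BotHunter model but not taken from the page.

```python
"""Toy infection-dialog correlator in the spirit of BotHunter (added example).

ASSUMED simplified model, not SRI's engine:
  E2 inbound exploit    E3 egg/binary download
  E4 C&C traffic        E5 outbound scan / propagation
An internal host is declared infected when, inside a sliding time window, it
shows either (E2 plus any of E3/E4/E5) or at least two distinct outbound
phases. A lone E4 beacon or a lone inbound exploit attempt declares nothing.
"""
from collections import defaultdict
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed monitored LAN
WINDOW = 300                                        # seconds, assumed
OUTBOUND = {"E3", "E4", "E5"}

# Constructed sensor alerts: (timestamp, phase, src, dst, note). Addresses are
# from documentation ranges; nothing here is real traffic.
SAMPLE_EVENTS = [
    (0,   "E2", "203.0.113.9",  "192.168.1.20", "inbound exploit"),
    (30,  "E3", "192.168.1.20", "203.0.113.44", "egg download"),
    (75,  "E4", "192.168.1.20", "198.51.100.7", "C&C beacon"),
    (120, "E5", "192.168.1.20", "192.168.1.99", "outbound scan"),
    (10,  "E4", "192.168.1.31", "198.51.100.7", "single C&C hit"),
    (900, "E3", "192.168.1.31", "203.0.113.44", "outside the window"),
]


def local_host(phase, src, dst):
    """Map an alert to the internal host it is evidence about.

    Inbound exploits (E2) are about the victim (dst); every outbound phase is
    about the internal sender (src). Alerts with no internal party are dropped.
    """
    if phase == "E2":
        return dst if ipaddress.ip_address(dst) in HOME_NET else None
    return src if ipaddress.ip_address(src) in HOME_NET else None


def correlate(events, window=WINDOW):
    """Return {host: infection profile} for hosts meeting a declaration rule.

    The profile carries the distinct phases seen and the evidence (the alerts
    inside the triggering window), i.e. what a report would be built from.
    """
    per_host = defaultdict(list)
    for ts, phase, src, dst, note in sorted(events):
        host = local_host(phase, src, dst)
        if host:
            per_host[host].append((ts, phase, src, dst, note))

    profiles = {}
    for host, evs in per_host.items():
        for i, (t0, *_) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            phases = {e[1] for e in win}
            outbound = phases & OUTBOUND
            if ("E2" in phases and outbound) or len(outbound) >= 2:
                profiles[host] = {"phases": sorted(phases), "evidence": win}
                break
    return profiles


if __name__ == "__main__":
    for host, prof in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: phases {prof['phases']}")
        for ts, phase, src, dst, note in prof["evidence"]:
            print(f"  t+{ts:>4}s {phase} {src} -> {dst}  ({note})")
```

Run as written it declares only 192.168.1.20 (exploit, download, beacon and scan inside five minutes); 192.168.1.31 shows one beacon and, fifteen minutes later, one download, which never co-occur in a window. That is also why the placement KoRn mentions in #27 matters: a sensor on a span port only sees dialog that crosses that switch, and a host whose traffic never passes the monitored segment yields no evidence at all.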

To: Ernest_at_the_Beach

Not sure about bot networks. But something strange is happening on an old e-mail account of mine. The e-mail in the in-box shows my old e-mail address as the source of the e-mail. In other words, I log in to my old xyz123@provider.com account, and there are e-mails in there from xyz123@provider.com that I know I didn’t send. Is there a way to determine whether or not that account has been hi-jacked?


11 posted on 12/08/2008 10:12:27 AM PST by IYAS9YAS (Hey Obama, why lawyer up when you can pony up? Show us your vault copy BC)

To: Red_Devil 232

Thanks....


12 posted on 12/08/2008 10:12:50 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach

Thanks Ern. I’ve already downloaded and will check it out tonight for home use. Looks cool.


13 posted on 12/08/2008 10:12:59 AM PST by Bloody Sam Roberts (Inspiration: The momentary cessation of stupidity.)

To: Ernest_at_the_Beach

Ok, I admit I have Vista. It says it works for XP, anyone try it out on this horrid Vista? Will be buying a Mac, never another Microsoft system again.


14 posted on 12/08/2008 10:15:48 AM PST by momincombatboots (Not a journey for the feeble.)

To: Ernest_at_the_Beach

Hey, isn’t that how the machines took over the world in The Terminator? What hell hath the spammers unleashed on us now!


15 posted on 12/08/2008 10:15:51 AM PST by JrsyJack (We Shoot, We Vote, We're angry!)

To: Ernest_at_the_Beach

Thanks for posting.
Bookmarked.


16 posted on 12/08/2008 10:16:43 AM PST by Lancey Howard

To: momincombatboots

I tried it on Vista, it reformatted my harddrive and told me to get XP back. Pretty smart software.


17 posted on 12/08/2008 10:17:00 AM PST by JrsyJack (We Shoot, We Vote, We're angry!)

To: Bloody Sam Roberts

Give us all some feedback...particularly if you are a Windows User....


18 posted on 12/08/2008 10:18:15 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: JrsyJack

LOL.. I am scared to do it, but I want to. Vista is horrid!


19 posted on 12/08/2008 10:18:22 AM PST by momincombatboots (Not a journey for the feeble.)

To: JrsyJack; momincombatboots
ROFL....

Should have said get Linux!

No reason to buy new Hardware!

20 posted on 12/08/2008 10:20:01 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: IYAS9YAS

...I’m no help....someone may be along shortly to give suggestions...


21 posted on 12/08/2008 10:21:16 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach

Thanks!!

I hadn’t heard of this either. I’ll check it out.


22 posted on 12/08/2008 10:25:29 AM PST by KoRn

To: KoRn

Give us some feedback when you can!


23 posted on 12/08/2008 10:29:05 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

Bookmark


24 posted on 12/08/2008 10:31:05 AM PST by Joiseydude (Let the Hero, born of woman, crush the serpent with his heel,)

To: Ernest_at_the_Beach

Will do. I’ll be traveling for business over the next few weeks but I’ll post what/when I can.


25 posted on 12/08/2008 10:34:47 AM PST by Bloody Sam Roberts (Inspiration: The momentary cessation of stupidity.)

To: yankeedame; Snurple; Dr. Sivana; CarrotAndStick; Smogger; RightOnTheLeftCoast; bamahead; ...

Saw your posts on the Malware keyword list....looking for people that may have or might try this and give the community some feedback ...


26 posted on 12/08/2008 10:36:25 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach
"Give us some feedback when you can!"

Will do. I'll get it running on a machine that's plugged into a span port on one of our more centralized switches. I'll also give it a try in our DMZ.

27 posted on 12/08/2008 10:42:20 AM PST by KoRn

To: Ernest_at_the_Beach; All
Y'all realize the site this thread links to is a spyware site?

Just for grins, google Antispyware.com and then give yourself a swift kick...

“I have this antispyware.com comes up about every five minutes how ... 7 posts - 6 authors - Last post: May 31, 2006
I have this antispyware.com comes up about every five minutes how do I get rid of it?
answers.yahoo.com/question/index?qid=20060617223627AAFZCqp

Malware Advisor: Beware SpywareBot & antispyware.com!! Beware SpywareBot & antispyware.com!! Thanks to some info from the Sunbelt blog, this website, which was recently sold for $500000 has an app associated ...
temerc.blogspot.com/2006/12/beware-spywarebot-antispywarecom.html

Before You Buy That Anti-Spyware Program - Security Fix First of all, some of the best anti-spyware tools out there today are free. We review at least four of them in the video tutorials on computer security that ...
voices.washingtonpost.com/securityfix/2005/05/before_you_buy_that_”

28 posted on 12/08/2008 10:51:30 AM PST by Old Student (We have a name for the people who think indiscriminate killing is fine. They're called "The Bad Guys)

To: Old Student

Oh really....just damn!


29 posted on 12/08/2008 10:56:53 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Old Student

LOL!


30 posted on 12/08/2008 10:58:20 AM PST by SIDENET (Hubba Hubba...)

To: Old Student
Well we need to sort this out....I have my granddaughter in at the moment to help with cleaning...so I need to break out for awhile!

Did find this.:

************************

Antispyware.com pop ups Major Geeks

31 posted on 12/08/2008 11:01:56 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach
“Oh really....just damn!”

If it helps any, BotHunter is apparently real, but the reference I looked at said it is Linux only.

32 posted on 12/08/2008 11:02:46 AM PST by Old Student (We have a name for the people who think indiscriminate killing is fine. They're called "The Bad Guys)

To: Old Student; SIDENET; ShadowAce; KoRn; Bloody Sam Roberts

Well,...I first saw the note at Distrowatchweekly and then went googling and found the article at Antispyware...I think the links to Bothunter are legit....


33 posted on 12/08/2008 11:05:33 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Old Student
I do know for a fact antispyware.com is a spyware site, had to clean it off my wife's computer several weeks ago. PITA, I tell you! Google “remove antispyware.com”, and I think that will get you to several sites that detail the process.

I am using McAfee AV these days, on my father-in-law's recommendation. He's an engineer and programmer, and although I don't much like him, I respect h### out of his recommendations, and McAfee warns you of troublesome websites. Like this one.

34 posted on 12/08/2008 11:06:49 AM PST by Old Student (We have a name for the people who think indiscriminate killing is fine. They're called "The Bad Guys)

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

35 posted on 12/08/2008 11:09:35 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: SIDENET

“LOL!”

As they say, “Life is a beach, and then you get sand in your shorts...”

;)


36 posted on 12/08/2008 11:10:56 AM PST by Old Student (We have a name for the people who think indiscriminate killing is fine. They're called "The Bad Guys)

To: Old Student

I think I saw a reference to a Windows version....


37 posted on 12/08/2008 11:15:00 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach

Re: bots on Macs

I am very skeptical about the claims of finding ‘bots on Macs. If this were true we would have heard of it before. Developing a major app like this with so many cross platform and cross processor (both Intel AND PowerPC?) for simultaneous release is not an easy task. I cannot believe that these Mac spambots have somehow been overlooked by Secunia, Symantec, et al. It sounds like FUD to me.

I’m on my iPhone right now but I’ll ping the Mac list when I get home later today.


38 posted on 12/08/2008 11:24:32 AM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Ernest_at_the_Beach
* Windows XP Distribution v1.0.2 (Official Release) - 14 November 2008
  - BotHunter-Win32-v1.0.2.exe, (MD5 = 30aa9d81bab1709be2b61e428461666b)
  - INSTALLATION ADVICE FOR WINDOWS USERS: Click Here
  - Download from Mirror Sites: [SRI], [EmergingThreats], [DShield]
  - Windows XP: this self-installing Win32 executable will install all necessary supporting packages

Ernest_at_the_Beach - What about Vista? Can I download the XP software?

40 posted on 12/08/2008 11:38:10 AM PST by GOPJ (Perverse incentives birth nasty unintended consequences.)
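Added example, not code from SRI or from anyone in this thread: checking a downloaded BotHunter file against the MD5 values quoted in #2 (Live CD) and #40 (Windows installer) before booting or running it, which is the step the worry in #28 about where the link came from makes worth doing. The page gives the ISO's MD5 but not the ISO's file name, so the name used for it below is assumed, as is the command-line usage.

```python
"""Verify a BotHunter download against its published checksum (added example).

Hashes the file in chunks (the Live CD ISO is about 665 MB, so it is never
read whole), compares the MD5 against the value quoted on the distribution
page, and reports SHA-256 as well so a stronger value can be recorded locally.
"""
import hashlib
import hmac
import sys

CHUNK = 1 << 20  # 1 MiB per read

# MD5 values as quoted in this thread (#2 and #40). The ISO file name is an
# assumption: the page only names the torrent.
PUBLISHED_MD5 = {
    "BotHunter-Win32-v1.0.2.exe": "30aa9d81bab1709be2b61e428461666b",
    "BotHunter-LiveCD.v1.0.2.iso": "137c96d67d0f8605042a8cb92a3bf8dc",
}


def digest_bytes(data: bytes, algo: str = "md5") -> str:
    """Hex digest of an in-memory byte string (used for small self-checks)."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: str, algo: str = "md5") -> str:
    """Hex digest of a file, streamed so memory use stays flat."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_file(path: str, expected_md5: str) -> bool:
    """True when the file's MD5 matches the published one.

    Both sides are normalised (stripped, lower-cased) before a constant-time
    comparison; a pasted checksum often carries stray whitespace or capitals.
    """
    actual = digest_file(path, "md5")
    return hmac.compare_digest(actual.lower(), expected_md5.strip().lower())


def check_download(path: str, name: str) -> dict:
    """Verify one download and return what a log line needs."""
    return {
        "name": name,
        "md5_ok": verify_file(path, PUBLISHED_MD5[name]),
        "sha256": digest_file(path, "sha256"),
    }


if __name__ == "__main__":
    # usage (assumed): python verify_bothunter.py <downloaded file> [<distribution name>]
    path = sys.argv[1]
    name = sys.argv[2] if len(sys.argv) > 2 else path.rsplit("/", 1)[-1]
    result = check_download(path, name)
    print(f"{name}: md5 {'OK' if result['md5_ok'] else 'MISMATCH'}; sha256 {result['sha256']}")
    sys.exit(0 if result["md5_ok"] else 1)
```

A matching MD5 only tells you the mirror delivered the same bytes the page describes; if the page that published the hash were hostile, the hash would match the hostile file too, so take the expected value from bothunter.net (SRI) rather than from a third-party aggregator. Practical MD5 collisions had been demonstrated well before 2008, so treat this as a check against corruption and mirror tampering, not as a signature.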

To: Ernest_at_the_Beach

Can you call in a moderator for those people who don’t read the whole thread before downloading? I recognized your name and went to the site without hesitation...


41 posted on 12/08/2008 11:44:25 AM PST by GOPJ (Perverse incentives birth nasty unintended consequences.)

To: IYAS9YAS
"Not sure about bot networks. But something strange is happening on an old e-mail account of mine. The e-mail in the in-box shows my old e-mail address as the source of the e-mail. In other words, I log in to my old xyz123@provider.com account, and there are e-mails in there from xyz123@provider.com that I know I didn’t send. Is there a way to determine whether or not that account has been hi-jacked?"

Common viral behavior. It simply means that someone with whom you've corresponded in the past and who has your email address in their address-book has been infected. Their machine is churning out spam emails "from" people in their address book. This cloaks the origin of the spam.
42 posted on 12/08/2008 11:49:33 AM PST by RightOnTheLeftCoast ([In the primaries, vote "FOR". In the general, vote "AGAINST". ...See? Easy.])

To: IYAS9YAS
The e-mail in the in-box shows my old e-mail address as the source of the e-mail.

That just means that your email address fell into the hands of the spammers, and they're forging your address as the source. That way, when people try to reply to their spam or report the spammer, they are directed to YOU instead.

It doesn't require them to have any control over your email account, just your authentic address.

I believe this practice alone should result in felony convictions and heavy penalties for spammers.

43 posted on 12/08/2008 11:54:45 AM PST by TChris (So many useful idiots...)

To: Ernest_at_the_Beach
"Saw your posts on the Malware keyword list....looking for people that may have or might try this and give the community some feedback ..."

Will check it out with some security folks I know and report back. Can't say I'm terribly pleased with the notion of putting government software on my computer or LAN, especially with Obama and his power-lusting droids taking power. I spent the Clinton years feeling quite tinfoil-hattish, and for good reason: Magic Lantern, Carnivore, Know They Customer, Asset Forfeiture, Waco, Elian, etc etc... quite the spectrum of uber-statist initiatives, acts and policies. Never quite lost the feeling under Bush, and that's probably a good thing. Watching the ruthless demagog Obama messianize his way to power, it's growing stronger again now.

Anyone else have similar hesitations?
44 posted on 12/08/2008 11:54:53 AM PST by RightOnTheLeftCoast ([In the primaries, vote "FOR". In the general, vote "AGAINST". ...See? Easy.])

To: RightOnTheLeftCoast
Common viral behavior. It simply means that someone with whom you've corresponded in the past and who has your email address in their address-book has been infected. Their machine is churning out spam emails "from" people in their address book. This cloaks the origin of the spam.

Thanks. Is there a way to determine the actual origin of these spam mails without turning my account in as the spamming e-mail account (report as junk, etc...)? Also, is there anything I can look at on my machine to determine whether or not it's been corrupted?

I had a trojan downloader try to install stuff on my computer last week, but managed to successfully ward it off. Zone Alarm was no help here. I clicked on a link in a Jeep forum that was supposedly to a parts supplier. Things just started downloading.

Zone Alarm ignored it, I had to stop everything. Ran spy-bot search and destroy, zone alarm anti-virus/anti-spyware and will run ad-aware tonight. Spy-Bot Search and Destroy found the trojan and dealt with it. I'm just surprised Zone Alarm didn't spike it.

Also, is it better to run these anti-malware programs in "Safe Mode"? If so, why?

45 posted on 12/08/2008 12:01:56 PM PST by IYAS9YAS (Hey Obama, why lawyer up when you can pony up? Show us your vault copy BC)

To: Ernest_at_the_Beach

“I think I saw a reference to a Windows version....”

Yep, you’re right. Googled it, and found this. The windows version is down the page a bit...

Enjoy!

http://www.bothunter.net/


46 posted on 12/08/2008 12:02:11 PM PST by Old Student (We have a name for the people who think indiscriminate killing is fine. They're called "The Bad Guys)

To: Gondring; jan in Colorado

Ping.


47 posted on 12/08/2008 12:09:38 PM PST by fanfan (Update on Constitutional Crisis in Canada.....Click user name)

To: Gondring; jan in Colorado

Wait...don’t click!


48 posted on 12/08/2008 12:13:04 PM PST by fanfan (Update on Constitutional Crisis in Canada.....Click user name)

To: IYAS9YAS

A common spam tactic is to use the to address to forge a from address too. They might also make up names @provider.com to make it look like they’re safe.

Nothing you can do at the client end to keep the spam from getting to your client, but see if your provider can put up Spam Assassin on the server.


49 posted on 12/08/2008 12:15:24 PM PST by antiRepublicrat
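Added example, not from any poster, for the question in #11 and #45 that #42, #43 and #49 answer in prose: telling a forged From: apart from a mail that really went out through the account. The From: line is written by whoever sends the message; the Received: lines are added by each relay that handled it, oldest at the bottom, and a relay that accepted the message over an authenticated submission session records that as ESMTPA or ESMTPSA (RFC 3848). So the check is: find the hop where the message entered the provider and see whether it came in authenticated (someone logged in as you) or over plain inbound SMTP (anyone on the internet, From: forged). Both messages below are constructed for this example with fictitious hosts in documentation address ranges.

```python
"""Trace where a mail entered the provider when From: shows your own address.

Added example. Walks Received: headers from the oldest hop up and reports
whether the message entered the provider through an authenticated submission
hop (ESMTPA/ESMTPSA, RFC 3848) or over ordinary inbound SMTP.
"""
import email
import email.policy
import re

HOP_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"          # name the sending side announced
    r"(?:\s+\((?P<seen>[^)]*)\))?"      # what the receiving relay actually saw
    r"\s+by\s+(?P<by>\S+)"              # the relay writing this header
    r"(?:\s+with\s+(?P<with>\S+))?",    # protocol keyword, e.g. SMTP / ESMTPSA
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed: spam that arrived at the provider's MX from an outside host
# with the recipient's own address forged into From:.
SAMPLE_SPOOFED = """\
Received: from mx1.provider.com (mx1.provider.com [203.0.113.5])
 by mail.provider.com with ESMTP id 9F2A1; Mon, 08 Dec 2008 10:00:02 -0800
Received: from xyz123 (dhcp-77.isp.example [198.51.100.77])
 by mx1.provider.com with SMTP id 9F2A0; Mon, 08 Dec 2008 10:00:01 -0800
From: xyz123@provider.com
To: xyz123@provider.com
Subject: re: your order
Message-ID: <20081208180001.77@198.51.100.77>

Buy now.
"""

# Constructed: a mail the account holder really sent, submitted with login.
SAMPLE_LEGIT = """\
Received: from [192.0.2.10] (cpe-10.home.example [192.0.2.10])
 by smtp.provider.com with ESMTPSA id 7C0B3; Mon, 08 Dec 2008 09:30:00 -0800
From: xyz123@provider.com
To: friend@example.net
Subject: hello

Hi.
"""


def hops(raw: str):
    """Parsed Received: hops in transit order, oldest (origin) first."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    out = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(hdr)
        if not m:
            continue  # non-standard trace line; skip rather than guess
        ip = IP_RE.search(m.group("seen") or "")
        out.append({
            "claimed": m.group("claimed"),
            "seen": m.group("seen"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "with": m.group("with"),
        })
    return out


def origin(raw: str):
    """The host that handed the message to the first relay, or None."""
    h = hops(raw)
    return h[0] if h else None


def sent_through_account(raw: str, provider_domain: str) -> bool:
    """True if the message entered the provider via authenticated submission.

    Looks at the first hop whose receiving relay belongs to the provider and
    checks the RFC 3848 keyword. Plain SMTP/ESMTP there means the message came
    in from the internet like any other inbound mail, whatever From: says.
    """
    for hop in hops(raw):
        if hop["by"].lower().endswith(provider_domain.lower()):
            return (hop["with"] or "").upper() in {"ESMTPA", "ESMTPSA"}
    return False


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        o = origin(raw)
        print(f"{label}: origin {o['ip']} via {o['by']} ({o['with']}), "
              f"sent through account: {sent_through_account(raw, 'provider.com')}")
```

For the situation in #11 the first result is the expected one: the oldest hop is an outside address talking plain SMTP to the provider's MX, so nothing about the account was used and changing the password would not stop it. Only the second pattern, an ESMTPA/ESMTPSA hop into the provider's submission server that you did not initiate, points at a compromised account. The heuristic trusts the provider's own relays to write honest Received: lines; lines from hops before that can be forged by the spammer and are only useful for reporting to the abuse contact of the network that owns the originating IP.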

To: GOPJ; Old Student

See link at #46...not sure if there are different versions for Vista and XP.


50 posted on 12/08/2008 12:15:52 PM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

