US Army Research Office's BotHunter (Malware detector)
Posted on 12/08/2008 9:47:54 AM PST by Ernest_at_the_Beach
When malware spammers get out of control, what's the best thing to do?
Call in the US Army, perhaps?
A free malware-detector called BotHunter, sponsored by the US Army Research Office, works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots, SC Magazine quotes Marcus Sachs, director at SANS Internet Storm Center, as saying.
And there have been 35,000 downloads so far, the story has Phillip Porras, program director of enterprise and infrastructure security at SRI International, a research and technology organization, and lead developer of the BotHunter project, saying.
It works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots, Marcus Sachs, director at SANS Internet Storm Center, told SCMagazineUS.com Tuesday in an email.
BotHunter was funded through a Cyber-Threat Analytics research grant from the US Army Research Office, says SC Magazine, adding:
It reportedly helps Windows, Mac and Linux users detect malware-infected hosts on their networks by tracking interactions that typically occur when a PC is infected with malware, Porras said. The tool will generate an infection profile with all the forensic evidence that was gathered.
The infection profile report will then allow users to determine which machines on the network are acting like they are infected. The tool anonymizes infection profiles and passes them back to SRI, where they go into a repository that is used to help generate new threat intelligence.
Can you call in a moderator for those people who don’t read the whole thread before downloading? I recognized your name and went to the site without hesitation...
That just means that your email address fell into the hands of the spammers, and they're forging your address as the source. That way, when people try to reply to their spam or report the spammer, they are directed to YOU instead.
It doesn't require them to have any control over your email account, just your authentic address.
I believe this practice alone should result in felony convictions and heavy penalties for spammers.
Thanks. Is there a way to determine the actual origin of these spam mails without turning my account in as the spamming e-mail account (report as junk, etc...)? Also, is there anything I can look at on my machine to determine whether or not it's been corrupted?
I had a trojan downloader try to install stuff on my computer last week, but managed to successfully ward it off. Zone Alarm was no help here. I clicked on a link in a Jeep forum that was supposedly to a parts supplier. Things just started downloading.
Zone Alarm ignored it, I had to stop everything. Ran spy-bot search and destroy, zone alarm anti-virus/anti-spyware and will run ad-aware tonight. Spy-Bot Search and Destroy found the trojan and dealt with it. I'm just surprised Zone Alarm didn't spike it.
Also, is it better to run these anti-malware programs in "Safe Mode"? If so, why?
“I think I saw a reference to a Windows version....”
Yep, you’re right. Googled it, and found this. The windows version is down the page a bit...
A common spam tactic is to use the To: address to forge a From: address too. They might also make up names @provider.com to make it look like they’re safe.
Nothing you can do at the client end to keep the spam from getting to your client, but see if your provider can put up Spam Assassin on the server.
See link at #46...not sure if there are different versions for Vista and XP.
ZoneAlarm is simply a firewall, and a good one. It prevents unauthorized intruders from getting to (or even seeing) your system. But by clicking on a link you opened the gate, and it respected that decision. That’s how firewalls work.
No system is any safer than the “wetware” sitting at the keyboard!
Yours is a good example of why Windows is so fraught with insecurities— all it takes is an innocent click of a seemingly safe link, and your whole system is put at risk. At least in *nix systems (including Mac OS X) the user account is usually cordoned off from the system. Although, some of the nifty little Linux-based netbooks and UMPCs like the Eee run the user as root, a very bad idea. With Windows’ sorry example, you’d think they would have learned.
For Windows users, SpyBot has my highest recommendation. You’re very smart to have and use it. It’s great against this sort of malware. Update and run it weekly, and don’t forget the inoculations. It’s free, too: http://www.safer-networking.org/index2.html
Running an anti-malware scan in “Safe Mode” isn’t a bad idea but isn’t necessary unless you have some sort of infestation that refuses all normal attempts at cleansing. That happened to my son’s old Win98 machine once; drove me nuts, and the machine was brought to its knees. In that case: Update SpyBot (since you’ll have no internet connection in Safe Mode), then reboot your computer in Safe Mode and run SpyBot again. It’ll be a lot slower in Safe Mode but will be able to cleanse everything. If it seems to stall, just leave it... it’s working. I’ve seen it “stall” for 20 minutes working on one of the *.lop bugs that was especially stubborn.
Incidentally, we have an eclectic mix of computers here. WinXP, Mac, Linux, even a Sun workstation. I use Linux for most of my personal computing, running it off a portable drive so I can travel with it. My wife has an XP laptop. My teenage sons now have Mac laptops. Now, my wife’s laptop has needed scanning and cleaning twice in the past two weeks despite having an array of antivirus and anti-malware utilities running and updating themselves on it continuously. Typically I need to do this every few months with this machine. By comparison, we have not had a single Mac “support incident” in more than four years, which equates to more than ten teenage-user-years... with NO antivirus or antimalware or firewall running on ‘em. Not a single issue. Not one. Back when the boys had Win98 machines, I’d have to grimly wipe the hard disks every couple of months due to contagion of some sort, and then reinstall everything. Never with the Mac. Not once.
I recently acquired a Macbook Pro of my own, and could not be more impressed. Just a gloriously stable, fast and usable machine, put together like fine jewelry. Recommended. If you don’t want to invest in new hardware, consider one of the better Linux installs, like http://www.pclinuxos.com or http://mandriva.com; there are plenty more, and all come with good software built-in. PCLinuxOS is especially friendly for those transiting from Windows, as it has Flash preloaded into its Firefox browser, etc., making for an especially familiar and intuitive experience.
In reference to post #28, can the Admin Moderator put a *warning* on this post, at the top!!!
I asked them if they could add something to the title...but to be correct....they are NOT the site to get the software we are talking about....see link at post #7.... for the download location.
I'm not sure about Linux. I guess I need to research it more. We have programs we have to use (Word, Excel) and all of my music files are a concern (most came from CD, but there are a lot from download). I would love to get into Linux but am not that savvy. Not only that, but it has to be very easy to use for my wife. I also use MSN Premium for e-mail as that is what came with my DSL service.
Thanks for the information!
OpenOffice under Linux can default to 2003 versions of Word, Excel, etc., if they are not overly complex.
I run my entire music collection under Linux without any problems. Of course, I do not have any .wma files. They are all .mp3 or .ogg format.
My wife and kids all use the linux box I set up for them and they have no issues with it at all.
Some here are going to take a serious look at this ....
You don't get down off an elephant, you get down off a duck!
The same joke applies whenever somebody asks "How do you install anti-virus in Linux?". You don't install anti-virus in Linux, you install anti-virus in Windows.
Lately, when you try to tell people that they don't need to install anti-virus in Linux, they say "People tell me that, but I want it anyway".
So, let me explain why you don't need anti-virus in Linux, and to do this we have to start with an explanation of what a virus is.
A virus is a malicious computer program, written to perform some sort of criminal activity with your computer. This can include deleting your data, but these days viruses are much more subtle. They don't cause mindless destruction. They use your computer to illegally profit their writers. As such, they attempt to evade detection, because as soon as you detect them you would run an anti-virus scan and delete them! They also always set themselves to start up when the computer starts up, which is dependent on them gaining administrator access to your computer.
Once they have administrator access, they can evade detection until you run an anti-virus program that knows about them.
We all know that Windows programs don't run in Linux. A virus is simply a Windows program, so it doesn't run in Linux. This is because Linux programs use a different format from Windows programs: Windows programs use the EXE format, Linux programs use the ELF format. Even if Linux could understand EXE, it would be pointless because the programs would be trying to interact with Windows shared libraries or (in the case of viruses) the Windows internals directly, which of course are not present on Linux.
If you download a Windows trojan and double-click it on a Linux system, you get a "Cannot open file boobs.jpg.exe" message. Linux doesn't understand the EXE executable format, only the ELF executable format. If you install a program like Wine, that can understand the EXE format and also allow the use of Windows shared libraries, you'll still find that viruses won't work. This is because the viruses try to gain access to the running instance of Windows, and of course there isn't one.
Or, if they are programmed more conventionally, they manage to install themselves into a system-wide area in what they think is your Windows installation, but is actually just a Wine installation in your home directory. The result is that the virus might keep running until you quit Wine or until you restart. If you restart and then run a Wine program, the virus still won't be run, because Wine doesn't perform a Windows startup sequence.
Anyone get it to work on an XP box? I'm running XP-Pro on mine.
Researchers at SRI International announced a free tool this week that can help organizations battle botnets by tracking down infected hosts in their network.
BotHunter monitors the two-way communication flows between compromised computers and external attackers and develops an evidence trail to identify botnet activity. The tool has a correlation engine that uses a customized version of Snort to track inbound scanning, outbound attack propagation and other activity that happens during the infection process.
The tool, which was first unveiled last year at the Usenix Security Symposium in Boston, now supports multiple operating systems and has new features, including a dynamic updating protocol, said Phillip Porras, enterprise and infrastructure security program developer at Menlo Park, Calif.-based SRI and lead developer of the BotHunter project.
So far, there have been about 35,000 downloads of BotHunter, he said.
In addition to Linux, the tool is supported on Windows XP, FreeBSD and Mac OS X. The dynamic updating protocol allows SRI to regularly push new command-and-control (C&C) rules and other detection rules to BotHunter deployments on a daily or weekly basis.
BotHunter also now has a graphical user interface to simplify management and the ability to see malware-related DNS queries, Porras said.
The tool, which is available for download, was funded through the Cyber-Threat Analytics research project from the U.S. Army Research Office.
~ Marcia Savage
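To make the "correlation engine" and "evidence trail" idea in the article above concrete, here is a toy dialog-correlation detector written for this thread; it is my own illustration, not SRI's BotHunter code. The phase names, the log line format, the 10-minute window and the flagging rule (an inbound exploit followed by any later phase, or two distinct download/outbound phases) are all assumptions, and the event lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor events, one per line: "<ISO time> <phase> <local host> <peer>".
# Host 10.0.0.5 shows a full infection dialog; 10.0.0.8 and 10.0.0.9 show
# one isolated event each, which on its own should not produce a profile.
SAMPLE_EVENTS = """\
2008-12-08T09:00:01 inbound_scan 10.0.0.5 198.51.100.7
2008-12-08T09:00:04 inbound_exploit 10.0.0.5 198.51.100.7
2008-12-08T09:00:20 egg_download 10.0.0.5 203.0.113.9
2008-12-08T09:01:10 outbound_cc 10.0.0.5 203.0.113.66
2008-12-08T09:03:00 outbound_scan 10.0.0.5 10.0.0.0/24
2008-12-08T09:05:00 inbound_scan 10.0.0.8 198.51.100.7
2008-12-08T12:00:00 outbound_cc 10.0.0.9 203.0.113.66
"""

# Assumed phase vocabulary (not the tool's real rule set).
LOCAL = {"egg_download"}
OUTBOUND = {"outbound_cc", "outbound_scan"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_events(text):
    """Parse the constructed log format into (time, phase, host, peer) tuples."""
    events = []
    for line in text.splitlines():
        ts, phase, host, peer = line.split()
        events.append((datetime.fromisoformat(ts), phase, host, peer))
    return events

def infection_profiles(events, window=WINDOW):
    """Return {host: [(time, phase, peer), ...]} for hosts whose events
    inside one window satisfy the assumed dialog rule. The returned list
    is the evidence trail for that host, in time order."""
    by_host = defaultdict(list)
    for t, phase, host, peer in events:
        by_host[host].append((t, phase, peer))
    profiles = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            # Slide a window starting at each event and collect the phases seen.
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            phases = {p for _, p, _ in win}
            exploited = "inbound_exploit" in phases
            post = phases & (LOCAL | OUTBOUND)  # download / C&C / propagation
            if (exploited and post) or len(post) >= 2:
                profiles[host] = win
                break  # first matching window is enough for a profile
    return profiles

if __name__ == "__main__":
    for host, trail in infection_profiles(parse_events(SAMPLE_EVENTS)).items():
        print(host, [(t.time().isoformat(), p, peer) for t, p, peer in trail])
```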