How BotHunter® Works
Last Update: 05 June 2009
www.bothunter.net



What is BotHunter

BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model. BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication. The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter's infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process. We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation (patent pending).

BotHunter is available free for both experimental operational use and to help stimulate research in understanding the life cycle of malware infections.


Conceptual Overview

Distinguishing a successful malware infection from the vantage point of the network egress position requires a command of the two-way dialog flow that occurs between a network's internal hosts and the Internet. While many malware infections start with an initial external-to-internal infection, there is a wide range of options that malware may use to infect a host, including indirect host infections through email, direct exploit-based infection, or drive-by infections that are launched from malicious network servers. Furthermore, with the growth in popularity and capability of mobile laptops, direct infection of an internal asset need not necessarily take place behind a well-administered network. Malware may inject itself into a host opportunistically from any Internet access point the host happens to associate with, or may be executed voluntarily by a victim who inadvertently accesses a Trojan binary, multimedia file, or other infected transmission source. Regardless of how malware enters a host, once it is established inside the network perimeter the challenge remains to identify the infected machine and remove it from service as quickly as possible.

Capturing the full scope of a malware infection requires an ability to follow a dialog that can span several participants, including the victim host, the infection agent, the source of binary updates, the command and control server, and eventually the propagation targets of the newly infected victim.  Traditional network intrusion detection systems (IDSs) typically focus on inward packet flows for signs of malicious point-to-point intrusion attempts.  IDSs have the capacity to detect initial incoming intrusion attempts, and the prolific frequency with which they produce such alarms in operational networks is well documented.  However, being able to distinguish a successful local host infection from the daily myriad of scans and intrusion attempts is as critical a task as any facet of network defense.


How BotHunter Analyzes Network Flows

BotHunter models an infection sequence as a composition of participants and a loosely ordered sequence of network dialog exchanges:

Infection I = <A, V, E, C, P, V', {D}>

where A = attacker, V = victim, E = egg download location, C = C&C server, P = peer-to-peer coordination points, and V' = the victim's next propagation targets. {D} represents a set of dialog sequences composed of bidirectional flows that cross the egress boundary.

BotHunter's current infection dialog set {D} provides the following detection coverage for your network:

E1: Inbound malware port-focused scans

E2: Inbound and Outbound Exploit Detection
        Client-side infection attempts (Web)
        Direct Microsoft Exploit Coverage, including
           - RPC exploits
           - NetBIOS attacks
           - OP/Shell code attack via overflow
        Special Port Exploits
        High Application Port Exploits
        Inbound Only: Browser-specific attacks
        Outbound Only: Bad outbound email from non-SMTP hosts
        Outbound Only:
           - Moderate malware-focused outbound scan detection
           - Prolific non-malware-focused outbound scan detection

E3: Forced Download / Illegal Software Install Detection
        Malware/Trojan-initiated download request
        Classic network stream binary spotting
        Malware FTP Comms
        Web-based spyware Infection Download / Install

E4: C&C Detection
        Web-based spyware phone home / periodic check-in
        Web-based malware install success reports
        Inbound spyware command detection (flow established)
        Web-based ADWARE phone home
        BotNet C&C login/dialog/command recognition
        Trojan horse periodic check-in (primarily via web ports)
        Application port check-in/install success reports
        DNS-based call-backs
        SMTP callbacks (from non-SMTP hosts)
        Stateful IRC botnet C&C detection
        Russian Business Network (RBN) address

E5/E6: Insider Attack / Malware Preparation Activity
        Spambot MX record search via DNS
        DNS malware-associated query

E7: Peer-to-Peer Rules
        BotNet P2P protocol activity

E8: Malware Infection Declaration Rules
        Known botnet C&C IP address (specific address)
        Prolific malware-focused outbound scan detection


BotHunter's Infection Life Cycle Model

BotHunter's malware propagation model is primarily driven by an assessment of outward-bound communication flows that are indicative of behavior associated with malware coordination. Where possible, we seek to associate such outbound communication patterns with observed inbound intrusion activity. However, this latter activity is not a requirement for infection declaration. Neither are incoming scans and exploit alarms sufficient to declare a successful malware infection, as we assume that a constant stream of scan and exploit signals will be observed from the egress monitor.

Figure 1 illustrates BotHunter's malware infection dialog model used for assessing bidirectional flows across the network boundary. BotHunter incorporates initial scan detection and exploit usage, including web-based client-side infections. Host infection is then followed by malware binary downloading, installation, and coordination (in the case of botnets, spyware, and adware infections). Next, BotHunter's infection dialog model proceeds with infection propagation, which includes activity such as scanning, exploit usage, spam propagation, and attack preparation. Finally, BotHunter includes the ability to recognize malware infections when systems are observed attempting to connect to known C&C servers or other address space highly associated with malicious software control (e.g., Russian Business Network address space).


Figure 1: BotHunter's Infection Life Cycle Model

Figure 1 is not intended to provide a strict order of events, but rather captures well-established infection dialog patterns observed among a wide variety of malware strains. We assume that bot dialog sequence analysis must be robust to the absence of some dialog events, must comprehend multiple contributing candidates for each of the various dialog phases, and must not require strict sequencing in the order in which outbound dialog is conducted. BotHunter employs a weighted event threshold system, which captures the minimum necessary and sufficient sparse sequences of events under which an infection declaration can be triggered. BotHunter infection profiles include an overall infection confidence score, which will range from 0.8 to 3.8. The higher the score, the greater the dialog evidence trail that was used to produce the infection profile.

BotHunter is capable of declaring a host infected when any of three dialog sequence combinations are observed:

Condition 1: Evidence of a local host infection, and evidence of outward malware coordination or attack propagation, or

Condition 2: At least two distinct signs of outward bot coordination, attack propagation, or attacker preparation sequences are observed.

Condition 3: Evidence that a local host has attempted to establish communication with a confirmed malware control host or drop site.
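The three declaration conditions above, applied to the E1-E8 event classes, as an added illustration (not BotHunter's own code): alerts are grouped per internal host and checked against each condition. The mapping of event classes to "local infection", "coordination", "propagation" and "preparation" evidence is my reading of the dialog set listed earlier, and the alert records are constructed; BotHunter's event weights and confidence scores are not reproduced here.

```python
from collections import defaultdict

# Evidence groups keyed by (event class, direction). Direction is relative to the
# monitored network: "in" = external -> internal, "out" = internal -> external.
# Assumed mapping based on the page's E1-E8 coverage list, not BotHunter's tables.
INFECTION_EVIDENCE = {("E2", "in"), ("E3", "in"), ("E3", "out")}  # exploit hit, egg download
COORDINATION = {("E4", "out"), ("E7", "out")}                      # C&C dialog, P2P activity
PROPAGATION = {("E2", "out")}                                      # outbound scan / exploit
PREPARATION = {("E5", "out"), ("E6", "out")}                       # MX search, malware DNS
DECLARATION = {("E8", "out")}                                      # confirmed C&C / drop site


def evaluate_host(events):
    """Return the list of satisfied declaration conditions (1, 2, 3) for one host.
    events: iterable of (event_class, direction, detail) tuples for that host."""
    seen = {(cls, direction) for cls, direction, _ in events}
    infected = bool(seen & INFECTION_EVIDENCE)
    outward = seen & (COORDINATION | PROPAGATION | PREPARATION)
    conditions = []
    if infected and outward:          # Condition 1: local infection + outward dialog
        conditions.append(1)
    if len(outward) >= 2:             # Condition 2: two distinct outward signs
        conditions.append(2)
    if seen & DECLARATION:            # Condition 3: contact with a confirmed control host
        conditions.append(3)
    return conditions


def correlate(alerts):
    """Group (host, class, direction, detail) alerts per internal host and keep
    only hosts for which at least one declaration condition holds."""
    by_host = defaultdict(list)
    for host, cls, direction, detail in alerts:
        by_host[host].append((cls, direction, detail))
    result = {host: evaluate_host(evs) for host, evs in by_host.items()}
    return {host: conds for host, conds in result.items() if conds}


# Constructed sample alerts (RFC 1918 addresses), not real BotHunter output.
SAMPLE_ALERTS = [
    ("10.0.0.5", "E1", "in", "inbound scan of a malware-focused port"),
    ("10.0.0.5", "E2", "in", "RPC exploit attempt against the host"),
    ("10.0.0.5", "E3", "out", "Trojan-initiated binary download request"),
    ("10.0.0.5", "E4", "out", "IRC botnet C&C login"),
    ("10.0.0.7", "E1", "in", "inbound scan only; no outward dialog"),
    ("10.0.0.9", "E5", "out", "spambot MX record search via DNS"),
    ("10.0.0.9", "E2", "out", "prolific outbound scan"),
    ("10.0.0.11", "E8", "out", "connection to a known botnet C&C address"),
]

if __name__ == "__main__":
    for host, conds in sorted(correlate(SAMPLE_ALERTS).items()):
        print(f"{host}: infected (conditions {conds})")
```

Host 10.0.0.7 produces only an inbound scan alarm and is therefore never declared, which is the point made above that incoming scans alone are insufficient.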



Acknowledgments

The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security. We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and BotHunter.



SRI International    http://www.bothunter.net




Notice

BotHunter is a U.S. Registered Trademark of SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025.