27 October 2009:  ABC News:  Hackers Tap Computers to Commit Crimes
How can I fight back if my computer is already part of a botnet?  Replace your security system or use more than one at a time. If you have antivirus protection, obviously it has let you down. Some experts estimate that even the best antivirus programs fail to detect 80 percent of malicious programs, simply because the crooks develop new ones every few minutes. So, you can increase your chances of rooting out the virus that led to the botnet by trying out multiple security software packages. Many are available for free on the Internet. Just be sure the ones you try are legitimate. Check out a site like Cnet.com for advice.  There are programs designed to find botnets. Trend Micro makes a program called RUBotted and SRI International offers BotHunter.

27 October 2009: PC World:    Is Your PC Bot-Infested?  Here's How to Tell
Proactive options are also available. BotHunter, a free program from SRI International, works with Unix, Linux, Mac OS, Windows XP, and Vista. Though designed for networks, it can also run on stand-alone desktops and laptops. BotHunter listens passively to Internet traffic through your machine and keeps a log of data exchanges that typically occur when a PC is infected with malware. Occasionally, to improve its definitions, BotHunter sends outbound messages to an SRI International database of adware, spyware, viruses, and worms. BotHunter first recognized Conficker data-exchange patterns back in November 2008, well before other security vendors picked up on the threat.

* 17 Feb 2009: PC World:  Monitor Botnet Threats Your Antivirus Can't See
While traditional security software typically only inspects incoming communication and downloads for malware, a free security tool. BotHunter instead correlates the two-way communication between vulnerable computers and hackers. BotHunter "flips the security paradigm" by focusing on the egress, says Phillip Porras, a computer security expert at SRI International and one of its creators.

* 22 Dec 2008: TechTarget.com: Use BotHunter for Botnet Detection
The biggest threat is usually the one you don't see. If the IDS is quiet and all seems well, maybe the smartest adversaries are simply working under the radar, perhaps using one of their favorite tools: botnets. Botnets, typically run for profit, consist of thousands of compromised computers running malicious code under the control of an unseen botnet operator; a bot infection may occur from opening a poisoned email or visiting a poisoned Web page containing surreptitious malicious code.   This is why BotHunter was created.

* 9 Dec 2008: USA Today Tech Blog: Slam Online Holiday Scams
This article reports that online bad guys are out in force this holiday season, looking to sneak on to your PC. They hope to gain control and pull your computer into a bot network that uses your computer to compromise other PCs, spread spam and carry out denial of service attacks. They also often steal sensitive data, allowing them to access your credit cards, online banking or stock trading accounts, and your company's databases. According to the article, Phil Porras at SRI International also deserves kudos for recently releasing BotHunter, a free software tool that helps system administrators detect bot network activity within their corporate networks.

* 5 Dec 2008: The New York Times:  Thieves Winning Online War
Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught...“To me it feels like job security,” said Phillip Porras, an SRI program director and the computer security expert who led the design of the company’s Bothunter program, available free at www.bothunter.net.

* 5 Dec 2008: The Tech Herald:  Bot Hunting with BotHunter
A new tool from SRI International will help home users and network administrators detect botnet activity on their home networks. The tool, BotHunter, is free and works on Windows, Mac, and Linux driven systems.

* 1 Dec 2008: Collection Technology:  Free Application from U.S. Army Helps Unearth Malware
There is a new downloadable malware-detection tool in town. And it’s free. BotHunter, sponsored by the U.S. Army Research Office and developed by research and technology organization SRI International, helps to discover bots, malicious programs that aim to make fraudulent use of computers. The tool was released last week. BotHunter is described as “a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter.” What sets it apart from other devices is it looks for malware activity in both incoming and outgoing data.

* Nov 2008: Information Week:  U.S. Army Goes Bot Hunting
Most people whose computers have been turned into bots and linked to a botnet have no idea that their machines have been commandeered by cybercriminals. Their PCs send spam, steal information, and participate in denial-of-service attacks without any obvious sign.  But new software, funded by a grant from the U.S. Army Research Office and developed by SRI International, promises to provide users with more insight into what their computers are doing.  
      Note: Kara Reeder posted a short blog about this article at
                IT BusinessEdge: A Bot Hunting We Will Go …

* Nov 2008: Federal News Radio:  Fighting Malicious Code: BotHunter Interview
A 14 minute interview over two segments, on Washington DC Talk Radio 1500 AM.    WTOP is the most listened to radio station in the Washington, D.C. metro area.     Phil Porras did an interview to discuss BotHunter on Tom Temin's show, Federal Security Spotlight.  The show ran on Thursday, December 4th.  (The interview: Segment1.mp3,  Segment2.mp3).

* Nov 2008: SC Magazine: New Free Tool Detects Malware on Networks
A new tool is being used within the U.S. government and the Department of Defense to fight malware on their networks.  The free, downloadable malware-detection tool, called BotHunter, was sponsored by the U.S. Army Research Office, and there have been 35,000 downloads so far, Phillip Porras, program director of enterprise and infrastructure security at SRI International, a research and technology organization, and lead developer of the BotHunter project, told SCMagazineUS.com Tuesday.

 * Nov 2008: PC World: Top 10 Wicked Cool Algorithms!
This article includes a round-up of interesting algorithms and looks at how they impact the community. Number nine on the list is blacklisting system architecture. According to the article, "Using blacklists to prevent spammers or other malware distributors is nothing new. But researchers at SRI International and SANS Institute want to take such lists a bit further. Their system produces customized blacklists for individuals who choose to contribute data to a centralized log-sharing infrastructure. The ranking scheme measures how closely related an attack source is to a contributor, using that attacker's history and the contributor's recent log production patterns. The researchers said their ultimate goal is to yield individualized blacklists that not only produce significantly higher hit rates, but that also incorporate source addresses that pose the greatest potential threat."

* Nov 2008: Security Focus:  BotHunter Aims to Find Bots for Free
Technology research firm SRI International released a free software tool on Monday to help system administrators detect botnet activity within their network. The program, called BotHunter, monitors the inside of a network to detect the two-way communications flows that are common between computers compromised by bot software and the command-and-control (C&C) server that is used to send commands to each infected machine. The software keeps tabs on the suspicious requests and responses — which SRI International calls dialogs — and compares them with patterns of known bot software, said Phillip Porras, security program director for SRI International.

* Nov 2008: Inquisitr.com:  U.S. Army in the Anti-Malware Biz - for Free
You know for all we as individuals complain about viruses, trojans and other such nasties imagine how it must be for government agencies where people don't care for the most part about what lands on their machines. This has proven to be enough of a problem I guess that the U.S. Army through its Research Office has gotten into fighting malware on its own instead of using off the shelf solutions.

* Nov 2008: TechTarget: Free Security Tool Helps Track down Bots
Researchers at SRI International announced a free tool this week that can help organizations battle botnets by tracking down infected hosts in their network . BotHunter monitors the two-way communication flows between compromised computers and external attackers and develops an evidence trail to identify botnet activity. The tool has a correlation engine that uses a customized version of Snort to track inbound scanning, outbound attack propagation and other activity that happens during the infection process.

* Nov 2008: Tech Republic: Highly Predictive Blacklists: What, How, & Caveats
General blacklisting is not always efficient.  To enable organizations to be more proactive, and minimize firewall processor allocation for blacklist filtering, SRI International and the SANS Institute have developed highly predictive blacklists (HPB), creating a blacklist unique to each participant.

* Nov 2008: Antispyware.com:  US Army Research Office's BotHunter
When malware spammers get out of control, what’s the best thing to do? Call in the US Army, perhaps? A free malware-detector called BotHunter, sponsored by the US Army Research Office, “works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots,” SC Magazine quotes Marcus Sachs, director at SANS Internet Storm Center, as saying.

* Nov 2008: IEEE Computer Magazine: New Blacklisting Technique Improves Network Security.  Linda Dailey Paulson. PDF available here
Researchers have developed an algorithm that generates useful blacklists for networks by taking information from victims of past network attacks and predicting which hacker sites are likely to target specific networks in the future.

* Nov 2008: Heise Security:  BotHunter Tracks Down Zombie PCs on a LAN
   [German Ver]
The developers of botnet-tracking tool BotHunter have added several new features in Version 1.0.1 to help you track down bots on your own LAN even faster and more reliably. A dynamic update service is included that automatically passes new rules and blacklists  to BotHunter, and a graphical interface to display any infected PCs.

* Nov 2008: WinFuture - Windows Online Magazine:  BotHunter Soll Zombie Rechner im LAN enttarnen
Der Software-Hersteller SRI International hat eine neue Version seines Tools BotHunter veroffentlicht. Dieses soll in lokalen Netzen Rechner identifizieren, die einem BotNetz angehoren.

* Nov 2008:  Weiner Zeitung: Software gegen Zombies
Bis zu 10 Millionen Zombies sind weltweit aktiv. Diese Computer horen nicht auf ihre Besitzer, sondern auf kriminelle Hintermanner, die manchmal uber ganze Herden von Zombies verfugen. Sie benutzen sie, um Spam zu verschicken, Server zu attackieren oder Accounts auszuspionieren.

* Nov 2008:  Weiner Zeitung: Software gegen Zombies
Bis zu 10 Millionen Zombies sind weltweit aktiv. Diese Computer horen nicht auf ihre Besitzer, sondern auf kriminelle Hintermanner, die manchmal uber ganze Herden von Zombies verfugen. Sie benutzen sie, um Spam zu verschicken, Server zu attackieren oder Accounts auszuspionieren.

* 10 October 2007:   KTVU Channel 2 News  [Video - WMV] 
BotHunter Television Interview.  Bay Area Channel 2 News at 5.

* 10 October 2007:   KGO Radio Interview [Audio - MP3]  [Audio - MP3] 
BotHunter Radio Interview - Bay Area AM Radio.

* 8 October 2007:  San Francisco Chronicle: Techies Take on Spam Zombies
Computer scientists in Menlo Park are releasing a free diagnostic program today to help network administrators find PCs infected with an insidious new type of virus that has already tainted millions of computers and used them to generate billions of spam e-mails.

*  September 2007:  Microsoft Certified Professional Magazine:
   Free Tool Hunts Bots
A "dialog-correlation-based" tool called BotHunter has been released free to the Internet. BotHunter attempts to correlate network traffic patterns to identify likely bot-controlled systems within your network. The tool is the result of the Cyber-Threat Analytics research project. BotHunter runs on several different Linux platforms. Truly an excellent idea and well worth investigating. It is difficult to say whether this will become a standard feature of networks in the future, especially given that there is a patent pending on the "dialog- correlation-based" feature.

*  September 2007:  ComputerWorld:    Cool Tools for Hacker Trackers
If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and information collected is fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.

---

PRESS RELEASE (November 2008):

RESEARCHERS UNVEIL A FREE BOTNET DETECTION TOOL FOR WINDOWS, MAC OS, AND LINUX
http://www.bothunter.net
19 November 2008

Researchers from SRI International have released a free application to help Windows, Mac, and Linux users detect malware-infected hosts on their networks. The BotHunter® network-based malware detection software is a significant addition to the arsenal of tools available to help users combat the prolific rise of Internet malware. Using an advanced patent-pending infection-dialog-based event correlation engine, BotHunter introduces one of the most in-depth network-based malware infection diagnosis systems available today.

Regardless of how malware enters your network, through innocent web surfing, email attachments, direct exploit, or by attaching your laptop to the wrong wireless network, once a machine within your perimeter is compromised your whole network is under threat.  BotHunter can help you quickly recognize and isolate these infected machines.

BotHunter is a network monitoring system designed to correlate the two-way communication flows between vulnerable computers and external hackers. It tracks the underlying key interactions that most commonly occur when a PC is infected by a malicious software application, such as adware, spyware, viruses, worms, and botnets.  BotHunter then ties together the dialog trail of inbound intrusion alarms with outbound communication patterns that are highly indicative of a successful local computer infection. When a sequence of evidence is found to match BotHunter's infection dialog model, a consolidated report, is produced to capture all relevant events and event sources that played a role during the infection process.

Capturing the full scope of a malware infection requires the ability to interpret a dialog that can span several participants, including the victim host, the infection agent, the source of binary updates, the command and control server, and eventually the propagation targets of the newly infected victim.  Traditional network intrusion detection systems (IDSs) typically focus on inward packet flows for signs of malicious point-to-point intrusion attempts.  IDSs have the capacity to detect incoming attacks, and the prolific frequency with which they produce such alarms is well documented.  However, being able to distinguish a successful local host infection from the daily myriad of scans and intrusion attempts is as critical a task as any facet of network defense.

“BotHunter flips the paradigm of classic network-based intrusion detection,” says Phillip Porras, SRI program director of Enterprise and Infrastructure Security, and lead developer of the BotHunter project. “Rather than monitoring who is trying to break into your network, BotHunter detects those machines inside your network that are trying to propagate infections or are being remotely controlled by external hackers.”

BotHunter also includes an auto-update service that allows fielded systems to receive the latest threat intelligence regarding new sources for ad and spyware management, botnet control sites, backdoor and control ports, and malware related domain name lookups. The update service also publishes new dialog analysis rules to help BotHunter recognize emerging exploits and malware communication patterns. Modern malware defenses need to be adaptive and aware of the latest strategies used by Internet malware, and BotHunter is ready to meet this challenge.

BotHunter was funded through the Cyber-Threat Analytics (http://www.cyber-ta.org) research grant from the U.S. Army Research Office, and is available for download at http://www.bothunter.net. BotHunter is free to all end-users. SRI welcomes inquiries from entities who wish to redistribute BotHunter or to incorporate the software into their products.

---

About SRI International
Silicon Valley-based SRI International is one of the world's leading independent research and technology development organizations. SRI, which was founded by Stanford University as Stanford Research Institute in 1946 and became independent in 1970, has been meeting the strategic needs of clients and partners for more than 60 years. Perhaps best known for its invention of the computer mouse and interactive computing, SRI has also been responsible for major advances in networking and communications, robotics, drug discovery and development, advanced materials, atmospheric research, education research, economic development, national security, and more. The nonprofit institute performs sponsored research and development for government agencies, businesses, and foundations. SRI also licenses its technologies, forms strategic alliances, and creates spin-off companies. In 2007, SRI’s consolidated revenues, including its wholly owned for-profit subsidiary, Sarnoff Corporation, were approximately $450 million.