BotHunter® User Manual
version 1.0.4, Self-Booting CD Release
Last Update: 05 June 2009
www.bothunter.net


Contents
Welcome
System Requirements
Initializing BotHunter
Operating BotHunter
Reading a BotProfile
Acknowledgments


What is BotHunter?

BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model.  BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the  malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication.  The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection.  When a sequence of evidence is found to match BotHunter's infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.  We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as  dialog-based correlation (patent pending).  

BotHunter is available free for both experimental operational use and to help stimulate research in understanding the life cycle of malware infections.

System Requirements

Hardware Requirements

Your system should have a modern Intel Pentium-class processor, at least 1 GB of RAM, and at least one Ethernet NIC/WIC for network monitoring.

Network Requirements

Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates.

Communication Requirements

BotHunter does perform some outbound communications to the BotHunter automated threat intelligence updating service and infection profile repository.  BotHunter's threat updating service periodically probes the BotHunter repository server (located at SRI International, Calif., USA) to pull in the latest botnet command and control (C&C) blacklist, malware DNS list, and new malware detection rules, which are updated on a regular basis.  This allows your fielded BotHunter to maintain its awareness of the latest C&C servers, malware-associated DNS lookups, Russian Business Network address space, and malware control/backdoor ports.  The repository service allows your fielded BotHunter to send anonymized infection profiles of detected external C&C servers, egg download sites, exploit sources, and rule detection patterns.  It does not report any IP addresses from your trusted net, and BotProfile sources are anonymized and are not tracked.

To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282.   You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service.

Initializing BotHunter

After you have downloaded the BotHunter Self-Booting ISO file and burned the image to a CD, place the CD in your computer and reboot.  This CD will auto-boot an Ubuntu Linux distribution and automatically start the following BotHunter initialization procedure:

Software Initialization Procedure

1.   The self-booting CD boot screen will display; press <Return> or wait 30 seconds.



2.   The BotHunter End User License Agreement is displayed.


 
3.  Set up the Ethernet connection:   Select the "System" menu item from the top menu of the display.   Select "Administration" -> "Network" to display the Network Settings panel.   Select the management interface (e.g., eth0) you wish to use to receive the latest BotHunter ruleset updates.



4.   Once you have selected the appropriate interface, click the Properties button.   Uncheck "Enable roaming mode".



5.  Next, from the properties menu, select the configuration tab and configure the interface appropriately for your environment.   When done, click "OK".



6.   Click "Close" to dismiss the Network Settings window.




7.     After reading the EULA,  click the "I Accept" button to continue installation.




8.     After reading this page,  press "esc" to exit full screen mode.




9.   Select and click on the "BotHunter Startup" window (behind the BotHunter_Setup.png display window).




10.   Enter your site-specific information:

Enter your Trusted Network Mask, a (comma-separated) local network mask list, plus the IP addresses of all external NetBIOS shares with which your internal machines are allowed to communicate.

     Example: 192.168.1.0/24,10.10.0.10/16

Enter your SMTP Servers, a comma-separated list of IP addresses of the email server(s) used by systems inside your network.

Enter your DNS Servers, a comma-separated list of DNS servers used by systems inside your network.

Enter which network interface device you would like BotHunter to monitor.

Press <Return> to run the system.




11.  After a brief pause, the BotHunter graphical user interface is displayed.





Operating BotHunter


If you close the BotHunter graphical user interface and wish to re-open it, click on the BotHunter® GUI icon on your Desktop.  The BotHunter Graphical User Interface Guide explains how to operate and manage BotHunter. 


Reading a BotProfile

BotProfile Format

BotHunter produces an Infection Profile when it encounters a machine inside the Trusted Network address space that exhibits a pattern of dialog exchanges matching the correlator's internal infection life cycle model.

All BotProfiles consist of three sections: the profile header, forensic evidence, and packet selection instructions.   The profile header consists of the following fields:

Score
A score in the range 0.8 to 3.8 indicates the amount of forensic evidence that BotHunter has observed in declaring this machine infected; 0.8 is the minimum at which a profile is produced.  The greater this score, the more forensic evidence (confidence) that this machine is infected.

Infected Target
IP address of the infected asset.  This machine will be within the Trusted Network address space.  

Infector List
IP address list of the candidate set of machines that have infected the local asset.  This address list may be blank if BotHunter did not observe the malware exploit that infected the victim machine.

Egg Source List
IP address list of the machine(s) from which the malicious executable was downloaded.  This is usually the infection source, but not always.

C&C List
IP address list of those machines that are participating as the botnet command and control server or malware coordination site.

Peer Coord. List
IP address list of peer machines that compose a malware P2P control channel.

Resource List
IP address list of machines with which the local infected asset is communicating to prepare for attack propagation.

Observed Start
Timestamp of the first malware-related dialog exchange observed for this profile. 

Report End
Timestamp of the last malware-related dialog exchange observed for this profile.

Gen. Time
Timestamp of when this BotHunter profile was produced.

The forensic evidence section summarizes all dialog exchanges that led BotHunter to believe the local asset is now infected.   This section summarizes all dialog event warnings (Snort alerts) that led BotHunter to diagnose the infection.  Each dialog event is displayed under the associated phase in the infection life cycle model. Under BotHunter's dialog correlation model, there are eight potential dialog communication phases:

Inbound Scan
Applicable to scan-and-infect malware. This communication stage represents precursor activity by a potential attack source. This stage is not applicable in spam-based bot propagation as found in Storm, as such bots do not acquire new victims through network address scanning.

Exploit Launch
Applicable to scan-and-infect malware. Here the internal victim host is attacked through a remote-to-local network communication channel.

Egg (binary) Download
Applicable and detectable across malware families. Once infected, a compromised host is subverted to download and execute the full bot client codebase from a remote egg download site, usually from the attack source.

C&C Communication
Applicable to traditional C&C botnets. This communication stage is traditionally observed in botnets that support centralized C&C communication servers.

Outbound Scan or Attack Propagation
Applicable and detectable across all self-propagating malware families. This communication phase represents actions by the local host that indicate it is attempting to attack other systems or perform actions to propagate infection. In the case of spambots, such as Storm, attack propagation can readily be discerned by the rapid and prolific communication of a non-SMTP-server local asset suddenly sending SMTP mail transactions to a wide range of external SMTP servers. In addition, spam and P2P bots both generate high rates of TCP and UDP connections to external addresses, often triggering intense streams of outbound port and IP address sweep dialog alarms.

Local Attack Preparation
Applicable and detectable in spambot SMTP server list generation. This communication stage represents the locally infected victim performing actions that are indicative of preparing for attack propagation. For example, the collection of mail host IP addresses by a non-SMTP server local asset is a potential precursor action for spam distribution.

Peer Coordination
Applicable and detectable in P2P botnets. A P2P-based bot solicits and receives coordination instructions from a community of peers within the larger botnet. The protocol is used to synchronize bot actions and accept commands from a hidden controller.

Bot Declaration
Applicable for aggressively scanning malware applications.   This communication stage will be reached when a local asset engages in sustained and focused malware propagation activity.

The packet selection instruction section of each BotHunter profile provides help for users who collect packet traces (using tcpdump(1)) in parallel with BotHunter.  This section provides the tcpslice(1) command that will isolate all packets associated with the malware infection from the full network packet trace.

Example 1 presents an example profile produced from a machine infected with the Cheburgen.A worm.   Additional example infection profiles are available at the BotHunter Sample Analyses page.

Example 1: Example BotHunter Profile - The Cheburgen.A Worm
(Profile Header Section)
Score:            2.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List: 77.102.0.196
Egg Source List: 77.102.0.196
C & C List: 210.245.211.11
Peer Coord. List: <unobserved>
Resource List: <unobserved>
Observed Start: 07/25/2008 05:03:53.171 PDT
Report End: 07/25/2008 05:10:43.628 PDT
Gen. Time: 07/25/2008 05:10:43.628 PDT
(Forensic Evidence Section)
INBOUND SCAN
<unobserved>

EXPLOIT
77.102.0.196 (05:03:53.171 PDT)
event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
135<-3083 (05:03:53.171 PDT)

EGG DOWNLOAD
77.102.0.196 (9) (05:03:57.087 PDT-05:03:58.131 PDT)
event=1:1444 (3) {udp} E3[rb] TFTP GET from external source
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:2008120 (3) {udp} E3[rb] ET Policy Outbnd TFTP Read
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:3001441 (3) {udp} E3[rb] TFTP Get .exe from external src
(05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)

C and C TRAFFIC
210.245.211.11 (05:04:25.309 PDT)
event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining IRC
 Channel 1032->65520 (05:04:25.309 PDT)

PEER COORDINATION
<unobserved>

OUTBOUND SCAN
77.102.0.196 (05:03:53.386 PDT)
event=1:52123 {tcp} E5[rb] Registered Free Attack-Response
Microsoft cmd.exe banner 1027->707 (05:03:53.386 PDT)

ATTACK PREP
<unobserved>

DECLARE BOT
210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT)
event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server
(International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT)
(Packet Selection Instructions Section)
tcpslice 1216987433.171 1216987843.629 inputFile.tcpd | tcpdump -r - \
-w outputFile.tcpd 'host 192.168.1.41'
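Profiles in this format are usually fed into a SIEM, a blocklist, or a packet-carving script rather than read by hand.  The following Python is an added example for this manual, not BotHunter's own code: it parses a BotProfile of the layout shown in Example 1 (a header of "Field: value" lines, evidence grouped under the eight upper-case phase names, one "event=gid:sid ... E<n>[rb] message" line per Snort alert), exposes the header lists and the alert signatures, and rebuilds the tcpslice window from Observed Start and Report End.  The embedded sample is abridged from Example 1 above.  Assumptions not stated in the manual: profile timestamps are PDT (UTC-7); the E<n> tag is taken as an opaque dialog-phase label; and the end of the window is one millisecond after Report End, which is what the manual's own tcpslice line does (1216987843.629 for a Report End of 05:10:43.628).

```python
# Added example, not BotHunter's code: parse a BotProfile laid out as in
# Example 1 and rebuild its tcpslice packet-selection window.
# Assumptions: stamps are PDT (UTC-7); sample abridged from Example 1.
import re
from datetime import datetime, timedelta, timezone

SAMPLE_PROFILE = """\
Score:            2.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List: 77.102.0.196
Egg Source List: 77.102.0.196
C & C List: 210.245.211.11
Peer Coord. List: <unobserved>
Resource List: <unobserved>
Observed Start: 07/25/2008 05:03:53.171 PDT
Report End: 07/25/2008 05:10:43.628 PDT
Gen. Time: 07/25/2008 05:10:43.628 PDT
INBOUND SCAN
<unobserved>
EXPLOIT
77.102.0.196 (05:03:53.171 PDT)
event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
EGG DOWNLOAD
77.102.0.196 (9) (05:03:57.087 PDT-05:03:58.131 PDT)
event=1:1444 (3) {udp} E3[rb] TFTP GET from external source
event=1:2008120 (3) {udp} E3[rb] ET Policy Outbnd TFTP Read
event=1:3001441 (3) {udp} E3[rb] TFTP Get .exe from external src
C and C TRAFFIC
210.245.211.11 (05:04:25.309 PDT)
event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining IRC
OUTBOUND SCAN
77.102.0.196 (05:03:53.386 PDT)
event=1:52123 {tcp} E5[rb] Registered Free Attack-Response
DECLARE BOT
210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT)
event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server
"""

HEADER_FIELDS = ("Score", "Infected Target", "Infector List", "Egg Source List",
                 "C & C List", "Peer Coord. List", "Resource List",
                 "Observed Start", "Report End", "Gen. Time")
ADDRESS_FIELDS = HEADER_FIELDS[2:7]          # the five external-host lists
PHASES = ("INBOUND SCAN", "EXPLOIT", "EGG DOWNLOAD", "C and C TRAFFIC",
          "PEER COORDINATION", "OUTBOUND SCAN", "ATTACK PREP", "DECLARE BOT")
PDT = timezone(timedelta(hours=-7))          # assumption: stamps are PDT
# event=<gid>:<sid> [(<count>)] {<proto>} E<n>[rb] <Snort message>
EVENT_RE = re.compile(
    r"^event=(\d+):(\d+)(?: \((\d+)\))? \{(\w+)\} (E\d)\[rb\] (.*)$")

def parse_profile(text):
    """Return {"header": {field: raw value}, "phases": {phase: [alerts]}}."""
    header, phases, phase = {}, {p: [] for p in PHASES}, None
    for line in (l.strip() for l in text.splitlines()):
        if line in PHASES:                   # a phase heading opens a section
            phase = line
        elif phase is None:                  # still inside the header
            field, _, value = line.partition(":")
            if field.strip() in HEADER_FIELDS:
                header[field.strip()] = value.strip()
        else:                                # only event= lines carry alerts
            m = EVENT_RE.match(line)
            if m:
                gid, sid, count, proto, tag, msg = m.groups()
                phases[phase].append({"sig": f"{gid}:{sid}", "count": int(count or 1),
                                      "proto": proto, "tag": tag, "msg": msg})
    return {"header": header, "phases": phases}

def address_list(value):
    """'<unobserved>' -> []; 'a, b' -> ['a', 'b']."""
    return [] if value.startswith("<") else [v.strip() for v in value.split(",")]

def score(profile):
    """(score, declaration threshold) from 'Score: 2.6 (>= 0.8)'."""
    m = re.match(r"([\d.]+) \(>= ([\d.]+)\)", profile["header"]["Score"])
    return float(m.group(1)), float(m.group(2))

def observed_phases(profile):
    return [p for p in PHASES if profile["phases"][p]]

def external_hosts(profile):
    """Every external address named in the header lists, e.g. for blocklisting."""
    return sorted({h for f in ADDRESS_FIELDS for h in address_list(profile["header"][f])})

def to_epoch(stamp):
    """'07/25/2008 05:03:53.171 PDT' -> Unix seconds as a float."""
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f PDT").replace(tzinfo=PDT).timestamp()

def tcpslice_command(profile, trace="inputFile.tcpd", out="outputFile.tcpd"):
    """Rebuild the packet-selection line; the manual's example ends the
    window one millisecond after Report End."""
    h = profile["header"]
    start, end = to_epoch(h["Observed Start"]), to_epoch(h["Report End"]) + 0.001
    return (f"tcpslice {start:.3f} {end:.3f} {trace} | "
            f"tcpdump -r - -w {out} 'host {h['Infected Target']}'")

if __name__ == "__main__":
    p = parse_profile(SAMPLE_PROFILE)
    print(p["header"]["Infected Target"], score(p), observed_phases(p))
    print(external_hosts(p))
    print(tcpslice_command(p))
```

Run as a script it prints the victim, the score and threshold, the phases that carried evidence, the two external hosts from the header lists, and the same tcpslice line as Example 1.  Lines such as "135<-3083 (...)" and the per-port "2: 1028->69" detail are deliberately ignored; only the event= lines are counted, so the per-phase alert count matches what the DECLARE BOT logic actually saw.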

Acknowledgments

The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security.    We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and  BotHunter.



Getting Help: Forum.BotHunter.Net, BotHunter Developers

Notice

BotHunter is a
U.S. Registered Trademark of

SRI International
333 Ravenswood Avenue
Menlo Park, CA 94025