BotHunter® User Manual
version 1.0.4, Windows Release
Last Update: 05 June 2009
www.bothunter.net


What is BotHunter?

BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model.  BotHunter consists of a correlation engine that is driven by a customized and augmented release of Snort version 2, which tracks the underlying actions that occur during the  malware infection process: inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, outbound attack propagation, and malware P2P communication.  The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection.  When a sequence of evidence is found to match BotHunter's infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.  We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as  dialog-based correlation (patent pending).  

BotHunter is available free for both experimental operational use and to help stimulate research in understanding the life cycle of malware infections.

System Requirements

Hardware Requirements

Your system should have a modern Intel Pentium-class processor, at least 1 GB RAM, and at least 1 Ethernet NIC/WIC for network monitoring.

OS and Software Requirements

BotHunter is available for use on the following operating systems:

Microsoft Windows
 
- a self-installing Win32 executable tested under Windows XP

Network Requirements

Installation requires Internet connectivity for downloading the necessary libraries, packages, and BotHunter ruleset updates.

Communication Requirements

BotHunter performs some outbound communications to the BotHunter automated threat intelligence updating service and infection profile repository.  BotHunter's threat updating service periodically probes the BotHunter repository server (located at SRI International, Calif., USA) to pull in the latest botnet command and control (C&C) blacklist, malware DNS list, and new malware detection rules, which are updated on a regular basis.  This allows your fielded BotHunter to maintain its awareness of the latest C&C servers, malware-associated DNS lookups, Russian Business Network address space, and malware control/backdoor ports.  The repository service allows your fielded BotHunter to send anonymized infection profiles of detected external C&Cs, egg download sites, exploit sources, and rule detection patterns.  It does not report any IP addresses from your trusted net, and BotProfile sources are anonymized and are not tracked.

To utilize the BotHunter automated remote updating service, you must enable outbound connections from your BotHunter host to TCP ports 5242 and 6282.   You may disable these outbound connections and your BotHunter will function, but it will not be able to receive new threat intelligence from our remote updating service.

INSTALLATION

The following is a summary of the minimum steps necessary to install, configure, and start BotHunter on your Windows PC.  To complete this installation, you will also need to know the IP address and netmask of the network you wish to protect, and the IP addresses of your email and DNS servers.

BotHunter's installation process will NOT upgrade a previous installation. If you have a previous installation of BotHunter, you should remove the previous user installation or install BotHunter using a different user account. 

Software Installation Procedure

1. Download and execute the self-installing Windows executable.

2. Read the end user license and select whether or not you accept the agreement.  If you accept the license, click Next.

3. Enter your username and organization.

4. Select Complete installation (Custom installation is currently equivalent) and click Next.

5. The Network Information panel prompts you to enter the basic configuration information necessary to run BotHunter.  These configuration items include:

    Trusted Network List:  Provide a comma-separated list of your local network masks, plus the IP addresses of any external NetBIOS shares with which your internal machines are allowed to communicate.

    SMTP Servers:  Your email program should have an option or configuration menu item that shows your mail server name (e.g., mxN.isp-vendor.com).  From the black command shell, type 'nslookup mxN.isp-vendor.com'; the output lists the IP address of your mail server.  Provide that IP address here.

    DNS Servers:  Provide a comma-separated list of your DNS servers.  To find your DNS servers, click the Start menu, select Run, and type cmd.exe at the Open prompt.  A black command shell should start.  At the prompt (e.g., C:\path>), type 'ipconfig /all'.  Your DNS servers should be listed under your active Ethernet device.

    Network Adapter:  Select the Ethernet adapter that you would like BotHunter to monitor.

6. Click the Install button to install BotHunter on your Windows system.  Once the installation completes, a BotHunter icon will be placed on your desktop.
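
As an added example (not part of this manual, and not code from the BotHunter installer), the following Python script derives the Trusted Network List and DNS Servers values that step 5 asks for from the output of 'ipconfig /all', and validates a Trusted Network List entry the way the panel expects it (comma-separated networks, with a bare IP address for an external NetBIOS share).  The ipconfig output embedded below is constructed to resemble a Windows XP adapter block; its field labels, the helper names, and the use of Python's ipaddress module are this example's assumptions.

```python
import ipaddress
import re

# Constructed sample of 'ipconfig /all' output (Windows XP layout); the second
# adapter is disconnected so the parser has to pick the active one.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.lan
        IP Address. . . . . . . . . . . . : 192.168.1.41
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.0.2.53

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
"""

# "        Label . . . . : value" -> (label, value); continuation lines carry no label.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*: (.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}}."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1].split(" adapter ", 1)[-1]   # adapter heading
            adapters[current] = {}
            field = None
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            field = m.group(1).strip()
            adapters[current].setdefault(field, []).append(m.group(2).strip())
        elif field is not None and current is not None:
            adapters[current][field].append(line.strip())   # e.g. a second DNS server
    return adapters


def active_adapter(adapters):
    """First adapter that actually has an address and mask (the one to monitor)."""
    for name, fields in adapters.items():
        if "IP Address" in fields and "Subnet Mask" in fields:
            return name, fields
    raise ValueError("no active Ethernet adapter found")


def network_information(ipconfig_text):
    """Values for the Network Information panel derived from ipconfig output."""
    name, fields = active_adapter(parse_ipconfig(ipconfig_text))
    iface = ipaddress.ip_interface(f"{fields['IP Address'][0]}/{fields['Subnet Mask'][0]}")
    return {
        "adapter": name,
        "trusted_network": str(iface.network),    # local network mask, e.g. 192.168.1.0/24
        "dns_servers": fields.get("DNS Servers", []),
    }


def validate_trusted_list(value):
    """Parse the comma-separated Trusted Network List; bare IPs become /32 networks."""
    networks = []
    for item in value.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    if not networks:
        raise ValueError("trusted network list is empty")
    return networks


def is_trusted(ip, networks):
    """Whether an address is inside the trusted (internal) address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    info = network_information(SAMPLE_IPCONFIG)
    print(info)
    nets = validate_trusted_list(info["trusted_network"] + ", 203.0.113.7")
    for ip in ("192.168.1.41", "77.102.0.196"):
        print(ip, "trusted" if is_trusted(ip, nets) else "external")
```

The trusted/external split is the one BotHunter's correlator relies on: an Infected Target is always an address inside the Trusted Network, so an entry left out of the list means infections of that host are reported, if at all, from the wrong side of the dialog.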




Operating BotHunter


To start BotHunter, click on the BotHunter icon on your Windows Desktop.  The BotHunter Graphical User Interface Guide explains how to operate and manage BotHunter. 


Reading a BotProfile

BotProfile Format

BotHunter produces an Infection Profile when it encounters a machine inside the Trusted Network address space that exhibits a pattern of dialog exchanges matching the correlator's internal infection life cycle model.

All BotProfiles consist of three sections: the profile header, forensic evidence, and packet selection instructions.   The profile header consists of the following fields:

Score
A score in the range 0.8 to 3.8 indicates the amount of forensic evidence that BotHunter observed before declaring this machine infected.  The higher the score, the more forensic evidence (and the greater the confidence) that this machine is infected.

Infected Target
IP address of the infected asset.  This machine will be within the Trusted Network address space.  

Infector List
IP address list of the candidate set of machines that have infected the local asset.  This address list may be blank if BotHunter did not observe the malware exploit that infected the victim machine.

Egg Source List
IP address of the machine from which the malicious executable was downloaded.  This is usually the infection source, but not always.

C&C List
IP address list of those machines that are participating as the botnet command and control server or malware coordination site.

Peer Coord. List
IP address list of peer machines that compose a malware P2P control channel.

Resource List
IP address list of machines with which the local infected asset is communicating to prepare for attack propagation.

Observed Start
Timestamp of the first malware-related dialog exchange observed for this profile. 

Report End
Timestamp of the last malware-related dialog exchange observed for this profile.

Gen. Time
Timestamp of when this BotHunter profile was produced.

The forensic evidence section summarizes all dialog exchanges that led BotHunter to conclude that the local asset is infected: every dialog event warning (Snort alert) that contributed to the diagnosis.  Each dialog event is displayed under its associated phase in the infection life cycle model.  Under BotHunter's dialog correlation model, there are eight potential dialog communication phases:

Inbound Scan
Applicable to scan-and-infect malware.  This communication stage represents precursor activity by a potential attack source.  This stage is not applicable in spam-based bot propagation as found in Storm, as such bots do not acquire new victims through network address scanning.

Exploit Launch
Applicable to scan-and-infect malware.  Here the internal victim host is attacked through a remote-to-local network communication channel.

Egg (binary) Download
Applicable and detectable across malware families.  Once infected, a compromised host is subverted to download and execute the full bot client codebase from a remote egg download site, usually from the attack source.

C&C Communication
Applicable to traditional C&C botnets.  This communication stage is traditionally observed in botnets that support centralized C&C communication servers.

Outbound Scan or Attack Propagation
Applicable and detectable across all self-propagating malware families.  This communication phase represents actions by the local host that indicate it is attempting to attack other systems or perform actions to propagate infection.  In the case of spambots, such as Storm, attack propagation can readily be discerned by the rapid and prolific communication of a non-SMTP-server local asset suddenly sending SMTP mail transactions to a wide range of external SMTP servers.  In addition, spam and P2P bots both generate high rates of TCP and UDP connections to external addresses, often triggering intense streams of outbound port and IP address sweep dialog alarms.

Local Attack Preparation
Applicable and detectable in spambot SMTP server list generation.  This communication stage represents the locally infected victim performing actions that are indicative of preparing for attack propagation.  For example, the collection of mail host IP addresses by a non-SMTP-server local asset is a potential precursor action for spam distribution.

Peer Coordination
Applicable and detectable in P2P botnets.  A P2P-based bot solicits and receives coordination instructions from a community of peers within the larger botnet.  The protocol is used to synchronize bot actions and accept commands from a hidden controller.

Bot Declaration
Applicable to aggressively scanning malware applications.  This communication stage is reached when a local asset engages in sustained and focused malware propagation activity.

The packet selection instructions section of each BotHunter profile is intended for users who collect packet traces (using tcpdump(1)) in parallel with BotHunter.  It gives the tcpslice(1) command that isolates all packets associated with the malware infection from the full network packet trace.

Example 1 presents an example profile produced from a machine infected with the Cheburgen.A worm.   Additional example infection profiles are available at the BotHunter Sample Analyses page.

Example 1: Example BotHunter Profile - The Cheburgen.A Worm
(Profile Header Section)
Score:            2.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List: 77.102.0.196
Egg Source List: 77.102.0.196
C & C List: 210.245.211.11
Peer Coord. List: <unobserved>
Resource List: <unobserved>
Observed Start: 07/25/2008 05:03:53.171 PDT
Report End: 07/25/2008 05:10:43.628 PDT
Gen. Time: 07/25/2008 05:10:43.628 PDT
(Forensic Evidence Section)
INBOUND SCAN
<unobserved>

EXPLOIT
77.102.0.196 (05:03:53.171 PDT)
event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
135<-3083 (05:03:53.171 PDT)

EGG DOWNLOAD
77.102.0.196 (9) (05:03:57.087 PDT-05:03:58.131 PDT)
event=1:1444 (3) {udp} E3[rb] TFTP GET from external source
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:2008120 (3) {udp} E3[rb] ET Policy Outbnd TFTP Read
1029->69 (05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)
-------------------------
event=1:3001441 (3) {udp} E3[rb] TFTP Get .exe from external src
(05:04:13.135 PDT)
2: 1028->69 (05:03:57.087 PDT-05:03:58.131 PDT)

C and C TRAFFIC
210.245.211.11 (05:04:25.309 PDT)
event=1:2003603 {tcp} E4[rb] ET TROJAN W32.Virut.A joining IRC
 Channel 1032->65520 (05:04:25.309 PDT)

PEER COORDINATION
<unobserved>

OUTBOUND SCAN
77.102.0.196 (05:03:53.386 PDT)
event=1:52123 {tcp} E5[rb] Registered Free Attack-Response
Microsoft cmd.exe banner 1027->707 (05:03:53.386 PDT)

ATTACK PREP
<unobserved>

DECLARE BOT
210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT)
event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server
(International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT)
(Packet Selection Instructions Section)
tcpslice 1216987433.171 1216987843.629 inputFile.tcpd | tcpdump -r - \
-w outputFile.tcpd 'host 192.168.1.41'
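
As an added example (not part of this manual, and not BotHunter's own code), the following Python script parses the three sections of a BotProfile described above, using an abridged copy of Example 1 as its input, and rebuilds the tcpslice(1) packet-selection command from the Observed Start and Report End header fields.  It assumes the section markers, header labels and evidence-section phase names exactly as printed in Example 1 (the evidence section spells the phases INBOUND SCAN, EXPLOIT, EGG DOWNLOAD, C and C TRAFFIC, PEER COORDINATION, OUTBOUND SCAN, ATTACK PREP and DECLARE BOT), that timestamps carry a PDT or PST zone name (UTC-7 or UTC-8), and that the end of the packet window is rounded up by one millisecond, which is how Example 1's Report End of 05:10:43.628 becomes 1216987843.629; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Abridged copy of Example 1 from this manual (several evidence sections omitted).
SAMPLE_PROFILE = """(Profile Header Section)
Score:            2.6 (>= 0.8)
Infected Target: 192.168.1.41
Infector List: 77.102.0.196
Egg Source List: 77.102.0.196
C & C List: 210.245.211.11
Peer Coord. List: <unobserved>
Resource List: <unobserved>
Observed Start: 07/25/2008 05:03:53.171 PDT
Report End: 07/25/2008 05:10:43.628 PDT
Gen. Time: 07/25/2008 05:10:43.628 PDT
(Forensic Evidence Section)
INBOUND SCAN
<unobserved>

EXPLOIT
77.102.0.196 (05:03:53.171 PDT)
event=1:299913 {tcp} E2[rb] SHELLCODE x86 0x90 unicode NOOP
135<-3083 (05:03:53.171 PDT)

DECLARE BOT
210.245.211.11 (3) (05:04:24.848 PDT-05:10:43.628 PDT)
event=1:3000014 (3) {tcp} E8[rb] BotHunter Known C&C Server
(International) 3: 1032->65520 (05:04:24.848 PDT-05:10:43.628 PDT)
(Packet Selection Instructions Section)
"""

HEADER_KEYS = {"Score": "score", "Infected Target": "infected_target",
               "Infector List": "infector_list", "Egg Source List": "egg_source_list",
               "C & C List": "cc_list", "Peer Coord. List": "peer_coord_list",
               "Resource List": "resource_list", "Observed Start": "observed_start",
               "Report End": "report_end", "Gen. Time": "gen_time"}
LIST_KEYS = {"infector_list", "egg_source_list", "cc_list", "peer_coord_list", "resource_list"}
TIME_KEYS = {"observed_start", "report_end", "gen_time"}
TZ_OFFSETS = {"PDT": -7, "PST": -8}   # assumption: profiles carry US Pacific zone names
PHASES = ["INBOUND SCAN", "EXPLOIT", "EGG DOWNLOAD", "C and C TRAFFIC",
          "PEER COORDINATION", "OUTBOUND SCAN", "ATTACK PREP", "DECLARE BOT"]
# event=<gid:sid> [(count)] {proto} E<n>[rb] <message>
EVENT_RE = re.compile(r"event=(\d+:\d+)(?: \((\d+)\))? \{(\w+)\} (E\d)\[\w+\] (.*)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_timestamp(text):
    """'07/25/2008 05:03:53.171 PDT' -> timezone-aware datetime."""
    stamp, zone = text.rsplit(" ", 1)
    if zone not in TZ_OFFSETS:
        raise ValueError(f"unknown time zone {zone!r}")
    naive = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[zone])))


def epoch_str(dt):
    """Epoch seconds with millisecond precision, computed with integers (no float rounding)."""
    delta = dt - EPOCH
    ms = (delta.days * 86400 + delta.seconds) * 1000 + delta.microseconds // 1000
    return f"{ms // 1000}.{ms % 1000:03d}"


def parse_header_value(key, value):
    if key == "score":
        return float(value.split()[0])            # "2.6 (>= 0.8)" -> 2.6
    if key in LIST_KEYS:
        return [] if value == "<unobserved>" else [v.strip() for v in value.split(",")]
    if key in TIME_KEYS:
        return parse_timestamp(value)
    return value


def parse_botprofile(text):
    """Return {'header': {...}, 'phases': {phase name: [event dicts]}}."""
    header, phases, section, current = {}, {p: [] for p in PHASES}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(") and line.endswith("Section)"):
            section = line                        # section marker
        elif section == "(Profile Header Section)" and ":" in line:
            label, value = (s.strip() for s in line.split(":", 1))
            if label in HEADER_KEYS:
                header[HEADER_KEYS[label]] = parse_header_value(HEADER_KEYS[label], value)
        elif section == "(Forensic Evidence Section)":
            if line in phases:
                current = line                    # phase heading, e.g. EXPLOIT
            else:
                m = EVENT_RE.match(line)
                if current and m:
                    sid, count, proto, tag, msg = m.groups()
                    phases[current].append({"sid": sid, "count": int(count or 1),
                                            "proto": proto, "tag": tag, "msg": msg})
    return {"header": header, "phases": phases}


def tcpslice_command(profile, infile, outfile):
    """Rebuild the packet-selection command from the header timestamps (assumption:
    the window end is rounded up one millisecond, matching Example 1's 1216987843.629)."""
    h = profile["header"]
    start = epoch_str(h["observed_start"])
    end = epoch_str(h["report_end"] + timedelta(milliseconds=1))
    return (f"tcpslice {start} {end} {infile} | tcpdump -r - "
            f"-w {outfile} 'host {h['infected_target']}'")
```

Run against Example 1, the script reproduces the epoch values 1216987433.171 and 1216987843.629 from the profile's own tcpslice line, which is a handy consistency check before cutting a packet trace that was captured on a sensor with a different time zone setting than the BotHunter host.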

Acknowledgments

The BotHunter team gratefully acknowledges those increasingly fewer U.S. funding agencies that are actively supporting new research in information security.    We especially thank Cliff Wang at ARO for his support of the Cyber-TA project and  BotHunter.



Notice

BotHunter is a U.S. Registered Trademark of SRI International, 333 Ravenswood Avenue, Menlo Park, CA 94025.