Focus on BotHunter v1.5 the Malware Infection Detection System

BotHunter is the first, and still the best, network-based malware infection detection system out there. It tracks the two-way communication flows between your computer(s) and the Internet, comparing your network traffic against an abstract model of malware communication patterns.(1) Its goal is to catch bots and other coordination-centric malware infesting your network, and it is exceptionally effective.

PNG - 39.2 kb

CHANGES TO THE BOTHUNTER CORRELATOR

  • Skype detection logic has been added to the correlator to avoid declaring infections on machines that are actively running Skype.
  • The BotHunter dialog event logging facility and infection profile log facility have been updated (custom configuration options ’1’ and ’3’) to allow users to specify roll-over intervals based on GMT, localtime, or via 3-char timezone codes.
  • The BotHunter dialog correlation engine no longer considers inbound scanning events.
  • The dialog correlation engine now downweights the high-order non-malware-related UDP scans.

NEW DIALOG EVENT GENERATION PLUG-IN

  • BotHunter introduces a powerful new stateful Snort DNS query analyzer, which tracks a blacklist of domain names known to be associated with host hijacking, and domain names associated with botnet command and control.

ADDITIONAL USER CONFIGURATION CONTROLS

  • We have added a new configuration section, which allows users to specify various whitelist criteria to override configuration parameters provided through BotHunter’s threat intelligence service.
  • Users can now whitelist special IP-based devices or network servers that they wish to be excluded from BotHunter infection profile generation.
  • Users can now produce an IP-based whitelist of external addresses that appear in the BotHunter malware-IP lists (ShadowServer, RBN, MTC, and bhRepo Lists). This local whitelist will supersede these blacklists that are updated from the BotHunter Threat Intelligence Feed.
  • Users can now produce a DNS-based whitelist of external domain names that appear in the malware DNS blacklist used by BotHunter’s new stateful DNS query analyzer.
  • Users can provide a list of Snort dialog event SIDS that they wish to be filtered from BotHunter’s correlator.
  • Unix users can now specify an additional parameter when selecting roll-over by time. This new parameter allows for the time of file rollover to be synchronized with the local time zone (in the previous release, rollover times were synchronized with the UTC/GMT time zone.

Full Releases note