As a recent post also indicated, botnets are considered one of the main Internet security threats. Researchers from the Georgia Institute of Technology have proposed a new piece of software that can detect botnets, named BotSniffer.
It is hard to detect botnets, as they make use of existing protocols such as IRC in ways that make it hard to distinguish them from ‘normal’ users.
The researchers explain: “Our approach is based on the observation that, because of the pre-programmed activities related to C&C (command & control, ed.), bots within the same botnet will likely demonstrate spatial-temporal correlation and similarity.”
In other words, when commanding a botnet, the same command is sent (for example by PRIVMSG) to separate bots, whereas with human users this kind of similar behavior at the exact same time is almost non-existent.
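As an added illustration of that observation (example code written for this post, not BotSniffer’s own implementation; the parsed IRC events, thresholds and function names are constructed assumptions), the following detector flags a channel when several distinct clients send near-identical PRIVMSG text within a few seconds of each other, while ordinary conversation in another channel is left alone:

```python
from collections import Counter, defaultdict

# Constructed sample of parsed IRC PRIVMSG events (not real traffic):
# (timestamp_seconds, client_ip, channel, message)
SAMPLE_EVENTS = [
    (100, "10.0.0.11", "#ops",  "scan done 23 hosts"),
    (101, "10.0.0.12", "#ops",  "scan done 23 hosts"),
    (101, "10.0.0.13", "#ops",  "Scan  done 23 hosts"),
    (102, "10.0.0.14", "#ops",  "scan done 23 hosts"),
    (100, "10.0.0.21", "#chat", "anyone around?"),
    (130, "10.0.0.22", "#chat", "yeah, what's up"),
    (160, "10.0.0.23", "#chat", "lunch?"),
    (190, "10.0.0.21", "#chat", "sure"),
]

def normalize(msg):
    # Collapse case and whitespace so trivially different bot replies still match.
    return " ".join(msg.lower().split())

def find_response_crowds(events, window=5, min_clients=3, min_similarity=0.75):
    """Return {channel: (window_start, distinct_clients, dominant_message)}
    for every channel where, inside `window` seconds, at least `min_clients`
    distinct clients spoke and at least `min_similarity` of them sent the
    same normalized message (the spatial-temporal correlation described above)."""
    by_channel = defaultdict(list)
    for ts, src, chan, msg in events:
        by_channel[chan].append((ts, src, normalize(msg)))
    alerts = {}
    for chan, evs in by_channel.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - t0 <= window]
            clients = {src for _, src, _ in in_win}
            if len(clients) < min_clients:
                continue
            # One vote per client: the first message each client sent in the window.
            per_client = {}
            for _, src, msg in in_win:
                per_client.setdefault(src, msg)
            msg, count = Counter(per_client.values()).most_common(1)[0]
            if count / len(clients) >= min_similarity:
                alerts[chan] = (t0, len(clients), msg)
                break  # one alert per channel is enough for this illustration
    return alerts

if __name__ == "__main__":
    for chan, (t0, n, msg) in find_response_crowds(SAMPLE_EVENTS).items():
        print(f"{chan}: {n} clients sent '{msg}' within seconds of t={t0}")
```

Real deployments would feed parsed IDS events into such logic and tune the window and thresholds per network, since the trade-off between missed botnets and false alarms on busy human channels depends entirely on those values.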
The approach was presented at the Internet Society’s Network and Distributed System Security Symposium last February. Versions of BotSniffer have been tested as a plugin to existing intrusion detection systems such as Snort, though it can do its work on its own as well.
The researchers consider the C&C IRC channels the weakest link in a botnet. “If we can take down an active command and control or simply interrupt the communication to the command and control, the botmaster will not be able to control his botnet. Moreover, the detection of the command and control channel will reveal the command and control servers and the bots in a monitored network. Therefore, understanding and detecting the command and controls has great value in the battle against botnets,” the researchers said.
“We evaluated BotSniffer using many real-world network traces. The results show that BotSniffer can detect real-world botnets with high accuracy and has a very low false positive rate,” the researchers conclude their abstract.
Other software packages exist that can detect botnets, such as BotHunter, BotMiner and BotProbe. Security software vendors such as McAfee, Symantec and Trend Micro also have protection built in against these types of malware.