BotHunter tracks down zombie PCs on a LAN
The developers of the botnet-tracking tool BotHunter have added several new features in version 1.0.1 to help you track down bots on your own LAN faster and more reliably. The release includes a dynamic update service that automatically passes new rules and blacklists to BotHunter, and a graphical interface that displays any infected PCs.
BotHunter listens in on network traffic and, using various analytical techniques, tries to identify connections from bots to their bot-herder. Among the things it uses for this purpose are lists of known command-and-control servers, the DNS servers involved, and IP addresses belonging to the Russian Business Network. It also tries to identify communication flows and correlate them with other data to yield a score for how likely it is that a given PC is a bot.
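As an added illustration (not BotHunter's own code or scoring model), the following Python sketch shows the correlation idea described above: outbound flows are matched against a C&C server list, a suspect DNS-server list and a blacklisted netblock, and the evidence collected per internal host is combined into a likelihood score. All addresses, weights and flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed indicator lists standing in for the blacklists BotHunter
# receives via its update service (documentation ranges only, not real
# indicators).
KNOWN_C2_SERVERS = {"203.0.113.7", "203.0.113.9"}
SUSPECT_DNS_SERVERS = {"198.51.100.53"}
BAD_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24")]  # stands in for an RBN-style range

# Evidence weights are illustrative assumptions, not BotHunter's scoring model.
WEIGHTS = {"c2_contact": 0.5, "suspect_dns": 0.25, "bad_netblock": 0.25}

def classify_flow(dst_ip: str, dst_port: int) -> set:
    """Return the kinds of evidence a single outbound flow contributes."""
    tags = set()
    if dst_ip in KNOWN_C2_SERVERS:
        tags.add("c2_contact")
    if dst_port == 53 and dst_ip in SUSPECT_DNS_SERVERS:
        tags.add("suspect_dns")
    if any(ipaddress.ip_address(dst_ip) in net for net in BAD_NETBLOCKS):
        tags.add("bad_netblock")
    return tags

def score_hosts(flow_lines):
    """Correlate evidence per internal host; each evidence kind counts once,
    so a host that only repeats one behaviour does not inflate its score."""
    evidence = defaultdict(set)
    for line in flow_lines:
        src, dst, port = line.split()
        evidence[src] |= classify_flow(dst, int(port))
    return {host: round(sum(WEIGHTS[t] for t in tags), 2)
            for host, tags in evidence.items() if tags}

# Constructed flow records in the form "src_ip dst_ip dst_port".
SAMPLE_FLOWS = [
    "10.0.0.5 198.51.100.53 53",    # lookup via a suspect DNS server
    "10.0.0.5 203.0.113.7 6667",    # contact with a listed C&C server
    "10.0.0.5 192.0.2.44 80",       # traffic into a blacklisted netblock
    "10.0.0.8 198.51.100.10 443",   # ordinary traffic, no evidence
    "10.0.0.9 203.0.113.9 8080",    # single C&C contact
]

if __name__ == "__main__":
    for host, score in sorted(score_hosts(SAMPLE_FLOWS).items()):
        print(f"{host}: bot likelihood {score}")
```

Hosts with no matching evidence (10.0.0.8 here) are left out of the result, so the output is a ranked list of suspects rather than a report on every machine.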
SRI International, the maker of BotHunter, compiles the lists on the basis of its own honeypots and distributes them as updates. One of the project's sponsors is the US Army Research Office (ARO). The BotHunter package for Windows and Linux takes only about 10 MB of disk space and is available to download. To test BotHunter without installing it, there is also an ISO image for burning a bootable LiveCD.