[RESOLVED] BotHunter, Thumbs Up or Down?

  1. #1
    Join Date
    Jan 2000
    Location
    Brooklyn, New York, USA
    Posts
    1,264

    Resolved [RESOLVED] BotHunter, Thumbs Up or Down?

    I came across BotHunter which is supposed to monitor your network and desktop for Botnets. As most antivirus and security software has problems detecting botnets I was thinking that this might be a good program to install. From what I have read this company detected the Conficker worm first.

    Does anyone have any opinions on this program or others that can be used?

    Doc
    "To err is human, but to really foul things up you need a computer."

    Home Build Intel Core Duo 2.0 GHz, 2 Gig RAM, Dual Boot XP Pro and Ubuntu 8.04LS

  2. #2
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,463
    I guess no one here is familiar with it. You'll have to try it and let us know how it works.

    VirtualDr email notices are not working.
    Check back regularly for responses.

    _____________________
    cat lovers click here

  3. #3
    Join Date
    Jan 2000
    Location
    Brooklyn, New York, USA
    Posts
    1,264
    Will do, though I am surprised that no one here has tried it. It will be weird being the first.

    Doc
    "To err is human, but to really foul things up you need a computer."

    Home Build Intel Core Duo 2.0 GHz, 2 Gig RAM, Dual Boot XP Pro and Ubuntu 8.04LS

  4. #4
    Join Date
    Jan 2000
    Location
    Brooklyn, New York, USA
    Posts
    1,264
    I ran this program for a number of days. What it does is monitor the traffic that comes from your computer, in which respect it is similar to a good firewall. How it differs, though, is that while a firewall will tell you which program is connecting to the internet, this will tell you what IP address your computer is connecting to.
    You are then able to tell (from your own research) if the IP address your computer is connecting to is valid.

    If you just look at your firewall settings all you would get is the name of the program that is running. You would not be able to tell if in actuality you had a Trojan or a botnet.

    This program can also be used to determine if even "legitimate programs" are sending information to their authors on data usage etc...

    For the average user this program most likely would be too advanced for them to use as it can be confusing. For those who are paranoid, running a network or just into security overkill, this is probably a good program for you to install.

    Just my $0.02

    Doc
    "To err is human, but to really foul things up you need a computer."

    Home Build Intel Core Duo 2.0 GHz, 2 Gig RAM, Dual Boot XP Pro and Ubuntu 8.04LS

  5. #5
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    25,463
    Thanks for the update. With some firewalls you can also determine which programs are connecting/sending/receiving data to a displayed IP address. Comodo, for example, does that (but you have to search a bit).

    VirtualDr email notices are not working.
    Check back regularly for responses.

    _____________________
    cat lovers click here

  6. #6
    Join Date
    Mar 2010
    Posts
    1
    Sorry to necro this thread, but I didn't see any other info about BotHunter.

    The primary difference between this and a SW firewall is that this can monitor your network traffic, not just the local machine it's installed on. This lets you use a known clean machine to check for botnet traffic on the whole network, thus freeing up resources on the local machine(s) as well as preventing rootkits from tricking locally running software.

    This has been on my "investigate later" list for a while now, but I've never gotten around to trying it out.

    Their site www.bothunter.net seems to be down now; maybe they've upset a botnet admin.
    They have another project, BladeDefender (whose site is also down), that has some very interesting stats about the infection vectors of the malware they find (OS, browser + version, plugins, etc.).

    The most important lesson learned from their stats page: KEEP FLASH AND ACROBAT UP TO DATE. OS / browser updates are important, but a significant portion of the drive-by exploits they found came through Flash or Acrobat (can't check specifics while the site is down, but if I remember correctly it was 65%+ from Flash/Acrobat).
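As an added example (not BotHunter's code or output, and not written by any poster in this thread), here is the kind of check posts #4 and #6 describe: take a log of outbound connections, combine the firewall's per-program view with the per-destination-IP view, and flag the destinations that still need researching. It goes one step beyond the thread by also flagging connections that recur at a fixed interval, since that pattern is worth a look on its own. The log format, hostnames, addresses, process names, allowlist ranges and all function names (`parse_log`, `summarize`, `beacon_interval`, `suspicious`) are assumptions made for this example; the sample log is constructed, not captured.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "<epoch seconds> <host> <process or ?> <remote ip> <remote port>"
# A "?" process means the record came from a network tap (post #6's setup),
# where the sensor sees the packets but not the program that sent them.
SAMPLE_LOG = """\
1270000000 pc-doc firefox.exe 203.0.113.10 80
1270000005 pc-doc firefox.exe 203.0.113.10 80
1270000010 pc-doc svchost.exe 198.51.100.7 6667
1270000070 pc-doc svchost.exe 198.51.100.7 6667
1270000130 pc-doc svchost.exe 198.51.100.7 6667
1270000190 pc-doc svchost.exe 198.51.100.7 6667
1270000200 pc-lab ? 192.0.2.44 443
1270000260 pc-doc outlook.exe 203.0.113.25 993
1270000300 pc-doc firefox.exe 192.168.1.1 53
"""

# Hypothetical allowlist: ranges the operator has already researched and
# accepted (post #4's "from your own research" step, recorded as data).
KNOWN_GOOD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.168.0.0/16")]


def parse_log(text):
    """Parse the line format above into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, ip, port = line.split()
        records.append({"ts": int(ts), "host": host, "proc": proc,
                        "ip": ipaddress.ip_address(ip), "port": int(port)})
    return records


def is_known_good(ip):
    """True if the destination falls inside an allowlisted range."""
    return any(ip in net for net in KNOWN_GOOD)


def summarize(records):
    """Group timestamps by (host, process, remote ip, port): the firewall's
    'which program' answer and BotHunter's 'which IP' answer side by side."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["host"], r["proc"], str(r["ip"]), r["port"])].append(r["ts"])
    return dict(groups)


def beacon_interval(timestamps, min_count=4, max_jitter=0.1):
    """Return the mean gap in seconds if the connections recur on a fixed
    schedule (at least min_count of them, gap spread within max_jitter of
    the mean gap); otherwise None. Thresholds are arbitrary choices."""
    if len(timestamps) < min_count:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m > 0 and pstdev(gaps) <= max_jitter * m:
        return m
    return None


def suspicious(records):
    """Return (host, process, ip, port, reason) tuples worth researching."""
    findings = []
    for (host, proc, ip, port), ts in summarize(records).items():
        reasons = []
        if not is_known_good(ipaddress.ip_address(ip)):
            reasons.append("destination not in allowlist")
        interval = beacon_interval(ts)
        if interval is not None:
            reasons.append("regular interval (%ds)" % round(interval))
        if reasons:
            findings.append((host, proc, ip, port, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for host, proc, ip, port, reason in suspicious(parse_log(SAMPLE_LOG)):
        print("%-8s %-12s %s:%d  %s" % (host, proc, ip, port, reason))
```

In the constructed log, `svchost.exe` talking to an unlisted address every 60 seconds is reported with both reasons, and the single connection from `pc-lab` (process unknown because it was seen on the wire, not on the host) is reported only because the destination is not yet on the allowlist; the browser and mail traffic to allowlisted ranges is left alone. The allowlist is what turns "which IP" into "is this IP valid", and it only works if you keep it to ranges you have actually checked.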
