“It works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots,” Marcus Sachs, director at SANS Internet Storm Center, told SCMagazineUS.com Tuesday in an email.
The tool was developed by SRI International and funded through a Cyber-Threat Analytics research grant from the U.S. Army Research Office.
It reportedly helps Windows, Mac and Linux users detect malware-infected hosts on their networks by tracking interactions that typically occur when a PC is infected with malware, Porras said. The tool will generate an infection profile with all the forensic evidence that was gathered.
The infection profile report will then allow users to determine which machines on the network are acting like they are infected. The tool anonymizes infection profiles and passes them back to SRI, where they go into a repository that is used to help generate new threat intelligence.
BotHunter will not clean up machines. If infected, Porras recommended removing the machine from the network and running various removal tools – including anti-virus and spyware solutions – to try and clear up infection.
Botnet-infected machines remain a pervasive threat. In September, internet intelligence organization Shadowserver Foundation reported the number of zombie computers quadrupled during a three-month span, coinciding with a rise in SQL injection attacks.
Nearly 200 researchers, law enforcement officers and academics met last month at the International Botnet Task Force gathering in Arlington, Va. The organization was formed by Microsoft in 2004 to share information and investigation case studies.