THANK YOU
We sincerely thank you all for your support, interest, and encouragement in developing this latest software release. BotHunter has been a huge hit, thanks to you, and we have received lots of great suggestions from many users.
Here is a summary of the major improvements to BotHunter 1.5 since our last release of BotHunter 1.0.4 in June 2009.
CHANGES TO THE BOTHUNTER CORRELATOR
- Skype detection logic has been added to the correlator to avoid declaring infections on machines that are actively running Skype.
- The BotHunter dialog event logging facility and infection profile log facility have been updated (custom configuration options '1' and '3') to allow users to specify roll-over intervals based on GMT, localtime, or via 3-char timezone codes.
- The BotHunter dialog correlation engine no longer considers inbound scanning events.
- The dialog correlation engine now downweights the high-order non-malware-related UDP scans.
NEW DIALOG EVENT GENERATION PLUG-IN
- BotHunter introduces a powerful new stateful Snort DNS query analyzer, which tracks a blacklist of domain names known to be associated with host hijacking, and domain names associated with botnet command and control.
ADDITIONAL USER CONFIGURATION CONTROLS
- We have added a new configuration section, which allows users to specify various whitelist criteria to override configuration parameters provided through BotHunter's threat intelligence service.
o Users can now whitelist special IP-based devices or network servers that they wish to be excluded from BotHunter infection profile generation.
o Users can now produce an IP-based whitelist of external addresses that appear in the BotHunter malware-IP lists (ShadowServer, RBN, MTC, and bhRepo Lists). This local whitelist will supersede these blacklists that are updated from the BotHunter Threat Intelligence Feed.
o Users can now produce a DNS-based whitelist of external domain names that appear in the malware DNS blacklist used by BotHunter's new stateful DNS query analyzer.
o Users can provide a list of Snort dialog event SIDS that they wish to be filtered from BotHunter's correlator.
- Unix users can now specify an additional parameter when selecting roll-over by time. This new parameter allows the time of file rollover to be synchronized with the local time zone (in the previous release, rollover times were synchronized with the UTC/GMT time zone).
CHANGES IN DIALOG EVENT GENERATION
- bhScanner now characterizes high-order UDP port and IP sweeps as candidates for Skype or P2P communications.
- Several fixes and improvements have been made to the Conficker P2P detection plug-in. Bug fixes were made to improve its reading of the TRUSTED_NETWORK list. It also performs improved garbage collection to avoid false positives.
CHANGES TO SNORT REPORTING
- BotHunter dialog events now optionally report outbound URLs that are associated with coordination or exploit dialog events. An example dialog event using this URL reporting feature is:
C and C TRAFFIC
63.251.135.26 (08:58:11.723 PDT)
event=1:2001500 {tcp} E4[rb] ET MALWARE Clickspring.net Spyware Reporting,
[/notify.php?pid=ctxad&module=NDrvExe&v=582&b=1682&result=0&message=
clientID=109657677&classID=13435408&anewid=a_155142847&ctxad]
MAC_Src: 00:0E:39:DB:3C:00 1057->80 (08:58:11.723 PDT)
- The Windows version of Snort has been upgraded to invoke immediate buffer flushing in fast alert mode. In previous versions of BotHunter, Snort on Windows could (indefinitely) delay sending dialog events to the correlator.
BUG FIXES
- BotHunter-specific Snort preprocessor and detection plug-ins were corrected to comprehensively parse all entries in IP list configuration variables, such as the HOME_NET list. Previously, the parsing processed only approximately 128 entries.
- The E8[bh] dialog events would under certain circumstances fail to show which malware ports were involved in a scan. This reporting error has been fixed.
- The Windows release fixes errors in the handling of Windows directory paths. BotHunter was unable to start when directories along the installation path had names that began with certain characters (viz., 'b', 't', 'n', 'f', and 'r'). This most frequently happened when handling custom installations to user-specified directories.
INSTALL/CONFIGURE ENHANCEMENTS
- Unix users can now store network configuration information in a file, and retrieve their stored configuration information directly from the installation prompt. That is, when prompted for a network address list during installation, Unix users may now enter a back-quote ("`")-delimited shell command. For example, given that the file TestConfig.txt contains
## begin file ---------------------------------------------------
BotHunter Test Configuration
TRUSTED_NET: 192.168.0.0/16,10.10.84.0/24,10.10.85.0/24,10.10.30.0/24,
TRUSTED_NET: 192.168.0.0/17,10.10.84.0/24,10.10.85.0/24,10.10.30.0/24
SMTP_SERVERS: 192.168.1.29,192.168.1.30
DNS_SERVERS: 192.168.96.200,192.168.1.20,192.168.1.230
## end file -----------------------------------------------------
the following will correctly populate the Trusted Network Masks, DNS_SERVERS, and SMTP_SERVERS:
Enter the number of the section to alter,
"?" for help on this prompt
"custom" to switch to custom configure mode
"reset" to restore the configuration to the "factory defaults"
"abort" to abort the installation and exit, or
"done" to save this new configuration (default: done): 2
------------------------------
Snort Configuration Parameters:
Enter the list of Trusted Network Masks (default, 0.0.0.0):
`grep -e '^TRUSTED.*/16' TestConfig.txt | sed 's/.*\: *//'
Enter the SMTP_SERVERS set of IP addresses separated by commas (default: 0.0.0.0):
`grep -e '^SMTP.*' TestConfig.txt | sed 's/.*\: *//'
Enter the DNS_SERVERS set of IP addresses separated by commas (default: 0.0.0.0):
`grep -e '^DNS.*' TestConfig.txt | sed 's/.*\: *//'
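The following is an added example, not part of the BotHunter installer or release: it wraps the same grep | sed pipeline shown above in a shell function, strips the trailing comma that the first TRUSTED_NET line in TestConfig.txt carries, and validates that every element the command would hand to the Snort configuration prompt is an IPv4 address or CIDR mask. The config file contents are constructed inline so the script runs stand-alone; the function names bh_cfg_value and bh_valid_iplist are this example's own.

```shell
#!/bin/sh
# Added example (not BotHunter's own code): pull one key's list out of a
# TestConfig.txt-style file the way the installer-prompt example does, then
# check the list before it is pasted into the Snort configuration prompt.

# Constructed copy of the TestConfig.txt shown in the release notes.
CFG="${TMPDIR:-/tmp}/bh_TestConfig.$$"
cat > "$CFG" <<'EOF'
BotHunter Test Configuration
TRUSTED_NET: 192.168.0.0/16,10.10.84.0/24,10.10.85.0/24,10.10.30.0/24,
TRUSTED_NET: 192.168.0.0/17,10.10.84.0/24,10.10.85.0/24,10.10.30.0/24
SMTP_SERVERS: 192.168.1.29,192.168.1.30
DNS_SERVERS: 192.168.96.200,192.168.1.20,192.168.1.230
EOF

# bh_cfg_value FILE KEY-REGEX
# Same grep|sed pipeline as the installer prompt, plus one extra sed step that
# drops a trailing comma so the first TRUSTED_NET line does not produce an
# empty list element.
bh_cfg_value() {
    grep -e "^$2" "$1" | sed -e 's/.*: *//' -e 's/,[[:space:]]*$//'
}

# bh_valid_iplist LIST
# Returns 0 when every comma-separated element is a dotted-quad IPv4 address
# with an optional /0-32 prefix length, 1 otherwise (empty elements, as left
# by a stray comma, and out-of-range prefixes both fail).
bh_valid_iplist() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    printf '%s\n' "$1" | tr ',' '\n' | while read -r e; do
        printf '%s\n' "$e" | grep -Eq \
            "^$octet(\\.$octet){3}(/([0-9]|[12][0-9]|3[0-2]))?\$" || exit 1
    done
}

# Stand-alone usage: print each list the prompt example would receive.
for key in 'TRUSTED.*/16' 'SMTP' 'DNS'; do
    v="$(bh_cfg_value "$CFG" "$key")"
    if bh_valid_iplist "$v"; then echo "ok   $key -> $v"; else echo "BAD  $key -> $v"; fi
done
```

The `while read` loop runs in a subshell, so the `exit 1` inside it sets only the function's return status; the list itself is never modified, only accepted or rejected.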
- The Unix installer has been enhanced to make use of the ifconfig command, where available, to augment the display of detected network interfaces.
That's it. Thank you for your interest and support.
BotHunter Development Team
Computer Science Laboratory
SRI International