Buttinsky - Botnet Monitoring \o/

Please pronounce with a Russian accent...

Botnet monitoring is a crucial part in threat analysis and often neglected due to the lack of proper open source tools. The Buttinsky project will provide an open source framework for automated botnet monitoring.

The modular design will allow full customization of the used protocols, the monitoring clients behavior, how we log the collected information, processing of the data to analyze the botnets purpose, size and threat and how the monitoring task are distributed between dedicated nodes

Our motivation was the simple lack of a proper, freely (no, there is no free beer) available tool.

What is your reason for writing your own monitoring tool?

Botnet monitoring is a process of actively joining a botnet infrastructure in order to learn about its inner workings for research and analysis purposes. One clear distinction between a real bot and a monitoring bot is that the monitoring bot does not perform any harmful actions when instructed to by the bot herder. If the monitoring bot can collect information we will be able to understand what is going on inside the botnet and also find weaknesses and design flaws of the botnet protocol. This information can then be used for botnet takedown.

There are currently two available but very specialized tools from project members, both with a different approach and goal. Hale with the more manual and customizable approach and the automated and IRC botnet specific WSBS. In this proposed project we want to build a strong monitoring framework based on a combined version of the previous solutions.

With Buttinsky we are building a versatile monitoring platform which will provide the cornerstones for your customized solution. The features will include but are not restricted to:

Modular framework

Network layer, event library, communication protocol and behavior are exchangeable

Data management

Possibilities including relational and NoSQL databases and generic data feeds

Bot mimicking

Using behavior patterns generated from collected data leveraging machine learning techniques

Automated distribution

Monitoring clients all ove the globe to improve scalability and camouflage

Data

Gathering auxiliary data to increase the in depth knowledge about the monitored target

Interfaces

Use what you are used to for follow-up analysis and threat assessment

Blog post announcing Buttinsky.

Public announcement of our Magnificent7 participation.

CNBC quotes Rapid7's announcement.

As we are building a project from scratch, first milestone includes further design planning and basic implementation of the framework architecture. Additionally we implement the client manager, responsible for controlling the monitoring clients, and the client on the TCP layer.
Until now there is not much to see but if you are interested in shaping this project with us, feel free to join us on GitHub.

1. First Release
• Receive bot parameters from a MAS (malware analysis system) for spawning new botnet monitors.
• Plugins for some well-known IRC, HTTP and P2P botnet protocols.
• Process collected information (e.g., intercepted update files) in a MAS.
• Bot behaviour mimicking using the collected data and machine learning.


2. Final Release in M7 Program
• Support for distributed botnet monitoring.
• Gathering of auxiliary information to enrich the data collected by the monitors.
• Attach analysis tools to logged botnet data to provide input for automated threat assessment of botnets (e.g. amount of attacks, targets and collected botnet metrics).

Adrian Wolf

For his awesome artwork and continuous trust in great ideas.

@undeadsecurity

For neverending love and sharp eye for German/Swedish grammar.