Cyber-TA Project Web Site

The research results produced under the Cyber-TA project have had wide influence and visibility across the INFOSEC research community and the U.S. Department of Defense. Our team has operationalized many of our core research concepts and conducted live experimentation with our research prototypes. To do this, we released several prototype systems and capabilities to DoD users and to the broader public. The success of these efforts is reflected in the substantial media coverage of our work.

Here is a summary of Cyber-TA research in the news:

*  24/25 April 2009: Network World:  Conficker.E to self-destruct on May 5th?
   "We’re starting to see some revenue generation," said Phillip Porras, program director in the computer sciences laboratory at SRI International, in a presentation he gave today at the RSA Conference here concerning Conficker.  "We’re starting to see some business models come out of it."  Porras said Conficker.C is involved in an elaborate process to sell fake anti-malware software. When it gets into infected machines, it can direct victims toward Web sites believed to be selling fraudware.  One of those sites appears to be registered in the Ukraine selling the SpywareProtect portfolio, associated with "Ukraine Bastion Trade Group," for example, he said.

*  16 April 2009: ComputerWorld: Different Approaches to Removing Malware
   This blog reports that malware (malicious software) seems to be getting worse. According to the article, much of the current crop of malware is sophisticated and defends itself well. To see this up close and personal, the blog advises readers to look at the SRI International Technical Report, an analysis of Conficker's logic and rendezvous points. "It's obvious from the report how much care and effort went into constructing Conficker."

*  13 April 2009: Information Week: Conficker Worm Hits University Of Utah
  This article reports that the Conficker worm managed to infect about 800 computers at the University of Utah last week, prompting the school to block Internet access temporarily to contain the infection. The worm is believed to have gained a foothold on the university's network through an infected USB device, said a spokesman with the university's school of health sciences. The first iteration of the worm, Conficker A, makes an effort to avoid infecting systems in a Ukrainian domain or using a Ukrainian keyboard layout, according to a report by SRI International. This suggests that the creators of the malware may live in that part of the world and may be exempting their home country to avoid attracting attention from local authorities.

*  10 April 2009: Financial Times: Conficker Has Something for Everyone: Scareware and Spam Too
  This article reports that "the Conficker worm, which has enslaved millions of computers worldwide and enraptured the media, finally showed its hand Thursday and proved itself to be all about the money." An undetermined number of infected machines had been updated with new instructions from the worm’s authors during the past week. The updates were delivered from other infected machines in a peer-to-peer methodology. "This is the first information I’ve seen of Conficker being used for profit," said researcher Phillip Porras of SRI International. "It’s too early to speculate on whether it’s cooperative subletting or all in the family."

*  2 April 2009: Information Week: Are We Getting Con-Ficked?
   Conficker was supposed to cause 50,000 PCs around the world to rise up against their human masters on April 1, and since that failed to happen, has been called a hoax and "much ado about nothing."  But neither could be further from the truth. The likes of Ron Rivest and SRI International, which specializes in cybersecurity research, don't work feverishly through the night to find a fix for a figment of someone's imagination.

*  1 April 2009: Network World/InfoWorld/PC World: Conficker D-Day Arrives; Worm Phones Home (Quietly)
   Among security experts, the consensus seems to be that very little will happen Wednesday. This may be in part because of the high amount of publicity Conficker has received, but then again April 1 is not the first time Conficker has been programmed to change the way it operates. Similar trigger dates have already passed with little change, including January 1, according to Phil Porras, a program director with SRI International. Security experts at Symantec, the maker of Norton Antivirus, also believe the threat is overblown and say Conficker today will "start taking more steps to protect itself" and "use a communications system that is more difficult for security researchers to interrupt."

*  31 March 2009: Investor’s Business Daily: Most Say Conficker Worm Won't Wreak April 1 Havoc
  This article reports that creators of the complex Conficker worm family now have a potential army of millions of infected computers. Security researchers aren't sure what they'll do or when, just that about every step taken to thwart Conficker has been confounded. SRI’s Phil Porras is quoted in the article.

*  31 March 2009: OS News: Conficker Worm: Hoax or Criminally Genius Scheme?
   This article reports that according to a study of the Conficker worm done by SRI International, it contains code that enables "infected computers to act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes." 

*  31 March 2009: PC World: FAQ: What You Need to Know About Conficker -- Right Now
  This article reports that if you can't get to,, and, it's likely you've lost control of your computer to Conficker. According to the article, "The complete list of all 114 domains that the worm blocks can be found in SRI International's excellent analysis of Conficker C."

*  31 March 2009: PC World:  Fears of a Conficker Meltdown Greatly Exaggerated
   April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. "Technically, we will see a new capability, but it complements a capability that already exists," Porras said. Conficker is currently using peer-to-peer file sharing to download updates, he added.

*  31 March 2009: San Francisco Chronicle: Computer worm may turn nasty Wednesday
   "Usually by this time we have a reasonable understanding of what their business model is," said Phillip Porras, program director for SRI International in Menlo Park, who is an authority on the worm. Based on what we've seen from Conficker in the past, Wednesday (12 midnight PDT) should not be a cause for panic and there's no reason to stay off the Internet, Porras said.

*  30 March 2009: Computer World: Fears of a Conficker Meltdown Greatly Exaggerated
   This article reports that April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. The worm has already had several such trigger dates, including January 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm.

*  30 March 2009: The Guardian: Conficker Virus Could Be Deadly Threat - or April Fool's Joke
   This article reports, "It could be the biggest April Fool's joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network." Security experts can't work out whether the Conficker virus --- which has infected more than 10 million Windows PCs worldwide --- will wreak havoc on April 1, or just let the day pass quietly. Others agree that Conficker may not activate immediately, preferring to lie in wait before receiving further orders to avoid scrutiny. "At its core, the main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide," noted Philip Porras of SRI International.

*  27 March 2009: Security Focus: Conficker's capabilities worry researchers
   In their Conficker C Analysis, three researchers at SRI International found that the latest update to the Conficker worm, which started appearing on compromised systems on March 5, changed more than 80 percent of the B-version of the worm's code.  "In the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi and Vinod Yegneswaran, all of SRI International. "In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt, not just countries, but the Internet itself."

*  27 March 2009: The Globe and Mail: Experts Try to Beat Vicious Computer Worm
   This article reports that deep within the World Wide Web, there is an undercurrent of potential chaos building: a malicious piece of code that has already prompted the French military to ground some fighter planes, and Microsoft to offer $250,000 for information leading to the code's authors. A recent report by SRI International describes the wide spectrum of possible outcomes should Conficker achieve its authors' goals.

*  26 March 2009: The Register (UK): Final countdown to Conficker 'activation' begins
   The most detailed and thorough technical analysis of the worm's behaviour can be found in a paper by SRI International here.  SRI reckons that Conficker-A has infected 4.7m Windows PCs over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, as new machines are created. Taking this into account, the botnets controlled by Conficker-A and Conficker-B are reckoned to be around 1m and 3m hosts respectively, about a third of the raw estimate.

*  26 March 2009: Wall Street Journal: Conficker: Don’t Believe the Hype
   This blog post reports: "You may have heard about Conficker, the rogue computer program that might do something dreadful on April 1. The truth is that the threat posed by Conficker is almost entirely theoretical, and that only a handful of dedicated professionals will notice anything out of the ordinary when that date comes around."  According to SRI International’s Program Director, Phil Porras, "I don’t see anything on April 1 that will cause any significant havoc. The most likely outcome is that the day will pass and no one will have noticed anything."

*  26 March 2009: PC Magazine: What Will Conficker Bring on April 1?
   This article reports that Conficker has become the boogeyman of the security industry over the last year. The latest variant of the worm, Conficker.C, is programmed to do something on April 1. According to the article, as this very large and thorough analysis of Conficker.C from SRI International says, "...Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day."

*   25 March 2009:  ABC News : Conficker Computer Worm Threatens Chaos
    Who is behind this computer attack? And what do they want from us? Are they trying to bring the world's computers to a halt? Or is the whole thing just some elaborate April Fool's joke?  "It's not an April Fools prank," said Phillip Porras, a program director at SRI International, a major technology research firm. "We don't know much about how Conficker is being used. We are not sure why Conficker was built."

*  25 March 2009:  Information Week:  Malware Controlling Hardware Is Not A Necessity
   Conficker is one recent example. Exploiting a known vulnerability for which there is a patch, Conficker continues to spread and, according to analysis by SRI, continues to evolve, demonstrating the creators' ability to adapt and enhance the malware. Conficker is sophisticated, to be sure, but it's nowhere near the cutting-edge exploit that a BIOS update or SMM rootkit is. Yet Conficker has much more potential.

*  25 March 2009: Last WatchDog: Countdown to Conficker’s April Fools Day Climax
  This article reports that, according to a report published by SRI International last week, the latest update stopped the Conficker computer worm from spreading and instead set all infected PCs to work connecting themselves in a vast P2P network, said SRI program director Phillip Porras.

*   24 March 2009: USA Today: PC security forces face April 1 showdown with Conficker worm
   Such worms largely disappeared after 2004, as Microsoft (MSFT) improved its process for identifying new holes and quickly issuing patches. But last September, Chinese hackers began selling a $37.80 program for tapping into a newly discovered Windows hole on some 800 million machines worldwide, according to SRI International, a non-profit research firm. Conficker also took extraordinary measures to prevent each new bot from being disinfected by Microsoft or antivirus programs, or usurped by a rival botnet group. SRI found, for instance, that Conficker's encryption algorithm came from MIT's Ron Rivest, copied from a recently published research paper.

*  23 March 2009: PC Magazine: Conficker Variants Prompt Debate: Serious, or Not?
   The initial reports (such as this one) on "Conficker.B++" noted two new techniques for downloading new software, but didn't detail them at all. The researchers at SRI who found the new variant wrote a detailed explanation of it (and earlier variants).   As the SRI report says, clearly the Conficker authors are trying to get around the DNS changes limiting their distribution capability, but it remains to be seen if B++ will do that. To quote the Microsoft report "[t]his change may allow the author to distribute malware to machines infected with this new variant...However, there doesn't appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant."

*  22 March 2009: Red Orbit: Experts Team Up To Battle Conficker Botnet
  This article reports that some of the world’s top computer security experts are fighting a spectacular cat-and-mouse battle with the brazen creator of a malicious software program known as Conficker, according to a New York Times report. The article references a new report released by SRI International that finds that Conficker C constitutes a major rewrite of the original code.  In addition to making it far more difficult to block communication with the program, it has additional capability to disable many commercial antivirus programs and Microsoft’s security update features. "Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm," wrote the report’s author Phillip Porras, a research director at SRI International.

*  21 March 2009: SlashDot: Researchers Ponder Conficker's April Fool's Activation Date
  This article reports that John Markoff has a story in the New York Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose range from the benign (an April Fool's Day prank) to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions.

* 19 March 2009: Bits.NYTimes.Com: The Conficker Worm: April Fool’s Joke or Unthinkable Disaster?
   According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes.

*  18 March 2009:  NY Times:  Computer Experts Unite to Hunt Worm
    A report scheduled to be released Thursday by SRI International, a nonprofit research institute in Menlo Park, Calif., says that Conficker C constitutes a major rewrite of the software. Not only does it make it far more difficult to block communication with the program, but it gives the program added powers to disable many commercial antivirus programs as well as Microsoft's security update features.   “Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm,” said Phillip Porras, a research director at SRI International and one of the authors of the report. “Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft.” “In the worst case,” Mr. Porras said, “Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.”

*  13 March 2009:  The Tech Herald: Conficker Worm fighting back - new variant disables security measures
    Last month, SRI International reported about new code in the variant of Conficker named B++ that foreshadowed the possibility that the worm’s authors were looking for ways to fight the researchers. “Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach,” the SRI research stated.

*  09 March 2009: Security Focus: Conficker update attempts to foil Cabal
   First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.  Companies that monitor the domain names generated by infected computers have found about 3 million IP addresses contacting the domains each day, a level that seems to be stable over the last two weeks.

*  23 February 2009:  CNET: New Variant of Conficker Worm Circulates
   This article reports that a new variant of the Conficker Internet worm is circulating that could allow an attacker to distribute malware to infected machines, the US-CERT organization warned. The article mentions that according to an SRI technical report, previous versions of Conficker have been busy. Conficker A has affected more than 4.7 million IP addresses, while its successor, Conficker B, has affected 6.7 million IP addresses, with infected hosts totaling fewer than 4 million computers for both.

*   23 February 2009:  PC Magazine: Conficker Variants Prompt Debate: Serious, or Not?
    This article reports that there's a new variant of the Conficker worm, but there's some dispute over how serious a problem it is. According to the article, the initial reports on "Conficker B++" noted two new techniques for downloading new software, but didn't detail them at all. The researchers at SRI who found the new variant wrote a detailed explanation of it (and earlier variants).

*    23 February 2009: New York Times: New Version of Malicious Computer Program is Released
   This article reports that the author or authors of a malicious software program that has infected more than 12 million computers since it was released last fall have begun distributing a new version of the program after computer security teams crippled the original’s ability to do damage. The new version, known as Conficker B++, was spotted by security researchers at SRI International, who reported last week that the software was an effort by cybercriminals to find a new way to communicate with their programs after they had succeeded in infecting target computers.

*    23 February 2009: The Register: Conficker Variant Dispenses with Need to Phone Home
    This article reports that virus authors have released a new variant of the infamous Conficker (Downadup) worm with enhanced auto-update features. According to the article, “Conficker B++ is somewhat similar to Conficker B, with 294 of 297 sub-routines the same and 39 additional subroutines. The latest variant, first spotted on 16 February, is even more sneaky than its previous incarnations, SRI explains”.

*   21 February 2009: Indian News Center: New Conficker Variant Emerges
    This article reports that a new variant of the Conficker, or Downadup, worm has emerged, and researchers believe it has been designed to neutralize the efforts of an industry coalition that is trying to prevent infected machines from receiving additional instructions or code updates, according to a report this week from nonprofit research institute SRI International.

*   19 February 2009: PC World:  Monitor Botnet Threats Your Antivirus Can't See
   While traditional security software typically only inspects incoming communication and downloads for malware, a free security tool, BotHunter, instead correlates the two-way communication between vulnerable computers and hackers. BotHunter "flips the security paradigm" by focusing on the egress, says Phillip Porras, a computer security expert at SRI International and one of its creators.

*    13 February 2009: Security Focus:  Cabal Forms to Fight Conficker, Offers Bounty
     Conficker, also known as Downadup and Kido, has surprised many security experts with its success in propagating across the Internet. First discovered in November 2008, the worm has infected at least 11.4 million computer systems, according to a census of compromised Internet addresses carried out by SRI International.

*   13 February 2009: Washington Post:  Cyber Security Community Joins Forces to Defeat Conficker Worm
    Phillip Porras, director of the computer security lab at SRI International, also began tracking Conficker domains in late November. Porras and his team learned they could determine sets of domains sought by Conficker host systems in the past or the future, merely by rolling back or forward the system date setting on Microsoft Windows systems that they had purposely infected in their test lab. As Porras's group began building lists of domains sought by Conficker that had already been registered, they found hundreds that traced back to security researchers and anti-virus companies.

*    23 January 2009: PC World/Network World:   Conficker Hitting Hardest in Asia, Latin America
     Phil Porras, program director at SRI International, said the worm has hit China, Brazil, Russia and Argentina the hardest. Interestingly, an earlier variant of Conficker would not attack victims who were using Ukrainian keyboards, but the latest version of the worm does. Huger said the worm's designer has written special code that operates a certain way on Chinese and Brazilian networks, meaning those two countries may have been targeted by the attackers. Nobody knows for sure why Asia and Latin America were so hard hit, but Huger and Porras both said countries with large amounts of pirated software were more likely to be affected. "I think that piracy plays a role, though I don't know if it's the key contributor," Huger said.

*   23 January 2009:  New York Times:  Worm Infects Millions of Computers Worldwide
    One intriguing clue left by the malware authors is that the first version of the program checked to see if the computer had a Ukrainian keyboard layout. If it found it had such a keyboard, it would not infect the machine, according to Phillip Porras, a security investigator at SRI International who has disassembled the program to determine how it functioned.

*   23 January 2009: MIT Technology Review:   Why a "Good" Worm May be a Bad Idea
   Analysis of the worm shows how this might work. Since the worm is programmed to contact a specific set of web addresses and wait to receive further code, hijacking these addresses could squish the worm before it does much damage. Phillip Porras, a researcher at SRI International who has been studying the spread of Conficker, says that some of the domains linked with the worm have already been registered by "white hat" hackers. These well-intentioned experts might be hoping to simply prevent the worm from receiving further commands, or they might be looking for a way to inject their own viral code into the Conficker network.

*    30 Dec 2008: ZDNet Asia: Highly predictive blacklists: What, how, and caveats
    One way to prevent unwanted access to or intrusion from known problem sites is configuration of firewall packet filters, based on IP address blacklists. However, general blacklisting is not always efficient. To enable organizations to be more proactive, and minimize firewall processor allocation for blacklist filtering, SRI International and the SANS Institute have developed highly predictive blacklists (HPB).

*    22 Dec 2008:  Use BotHunter for Botnet Detection
     The biggest threat is usually the one you don't see. If the IDS is quiet and all seems well, maybe the smartest adversaries are simply working under the radar, perhaps using one of their favorite tools: botnets. Botnets, typically run for profit, consist of thousands of compromised computers running malicious code under the control of an unseen botnet operator; a bot infection may occur from opening a poisoned email or visiting a poisoned Web page containing surreptitious malicious code.  This is why BotHunter was created.

*    9 Dec 2008: USA Today Tech Blog:   Slam Online Holiday Scams
     This article reports that online bad guys are out in force this holiday season, looking to sneak on to your PC. They hope to gain control and pull your computer into a bot network that uses your computer to compromise other PCs, spread spam and carry out denial of service attacks. They also often steal sensitive data, allowing them to access your credit cards, online banking or stock trading accounts, and your company's databases. According to the article, Phil Porras at SRI International also deserves kudos for recently releasing BotHunter, a free software tool that helps system administrators detect bot network activity within their corporate networks.

*    5 Dec 2008: The New York Times:  Thieves Winning Online War
    Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught...  "To me it feels like job security," said Phillip Porras, an SRI program director and the computer security expert who led the design of the company's BotHunter program, available free at

*    5 Dec 2008: The Tech Herald:  Bot Hunting with BotHunter
    A new tool from SRI International will help home users and network administrators detect botnet activity on their home networks.  The tool, BotHunter, is free and works on Windows, Mac, and Linux driven systems.

*     1 Dec 2008: Collection Technology:  Free Application from U.S. Army Helps Unearth Malware
    There is a new downloadable malware-detection tool in town. And it's free. BotHunter, sponsored by the U.S. Army Research Office and developed by research and technology organization SRI International, helps to discover bots, malicious programs that aim to make fraudulent use of computers. The tool was released last week. BotHunter is described as "a passive network monitoring tool designed to recognize the communication patterns of malware-infected computers within your network perimeter." What sets it apart from other devices is it looks for malware activity in both incoming and outgoing data.

*    Nov 2008: Information Week:  U.S. Army Goes Bot Hunting
    Most people whose computers have been turned into bots and linked to a botnet have no idea that their machines have been commandeered by cybercriminals. Their PCs send spam, steal information, and participate in denial-of-service attacks without any obvious sign. But new software, funded by a grant from the U.S. Army Research Office and developed by SRI International, promises to provide users with more insight into what their computers are doing.

*    Nov 2008: Federal News Radio:  Fighting Malicious Code: BotHunter Interview
     URL: Segment1.mp3:
    A 14-minute interview over two segments, on Washington DC Talk Radio 1500 AM.  WTOP is the most listened to radio station in the Washington, D.C. metro area.  Phil Porras did an interview to discuss BotHunter on Tom Temin's show, Federal Security Spotlight.  The show ran on Thursday, December 4th.

*     Nov 2008: SC Magazine: New Free Tool Detects Malware on Networks
     A new tool is being used within the U.S. government and the Department of Defense to fight malware on their networks.  The free, downloadable malware-detection tool, called BotHunter, was sponsored by the U.S. Army Research Office, and there have been 35,000 downloads so far, Phillip Porras, program director of enterprise and infrastructure security at SRI International, a research and technology organization, and lead developer of the BotHunter project, told Tuesday.

*   Nov 2008: PC World: Top 10 Wicked Cool Algorithms!
     This article includes a round-up of interesting algorithms and looks at how they impact the community. Number nine on the list is blacklisting system architecture. According to the article, "Using blacklists to prevent spammers or other malware distributors is nothing new. But researchers at SRI International and SANS Institute want to take such lists a bit further. Their system produces customized blacklists for individuals who choose to contribute data to a centralized log-sharing infrastructure. The ranking scheme measures how closely related an attack source is to a contributor, using that attacker's history and the contributor's recent log production patterns. The researchers said their ultimate goal is to yield individualized blacklists that not only produce significantly higher hit rates, but that also incorporate source addresses that pose the greatest potential threat."

*     Nov 2008: Security Focus: BotHunter Aims to Find Bots for Free
     Technology research firm SRI International released a free software tool on Monday to help system administrators detect botnet activity within their network. The program, called BotHunter, monitors the inside of a network to detect the two-way communications flows that are common between computers compromised by bot software and the command-and-control (C&C) server that is used to send commands to each infected machine. "The software keeps tabs on the suspicious requests and responses, which SRI International calls dialog events, and compares them with patterns of known bot software," said Phillip Porras, a Program Director at SRI International.

*  Nov 2008: U.S. Army in the Anti-Malware Biz - for Free
   You know, for all we as individuals complain about viruses, trojans and other such nasties, imagine how it must be for government agencies, where people, for the most part, don't care about what lands on their machines. This has proven to be enough of a problem, I guess, that the U.S. Army, through its Research Office, has gotten into fighting malware on its own instead of using off-the-shelf solutions.

*  Nov 2008: TechTarget: Free Security Tool Helps Track down Bots
   Researchers at SRI International announced a free tool this week that can help organizations battle botnets by tracking down infected hosts in their network. BotHunter monitors the two-way communication flows between compromised computers and external attackers and develops an evidence trail to identify botnet activity. The tool has a correlation engine that uses a customized version of Snort to track inbound scanning, outbound propagation and other activity that happens during the infection process.

*  Nov 2008: Tech Republic: Highly Predictive Blacklists: What, How, & Caveats
   General blacklisting is not always efficient. To enable organizations to be more proactive, and to minimize the firewall processor allocation spent on blacklist filtering, SRI International and the SANS Institute have developed highly predictive blacklists (HPB), creating a blacklist unique to each participant.

*  Nov 2008: US Army Research Office's BotHunter
   A free malware-detector called BotHunter, sponsored by the US Army Research Office, “works so well that it has even found infected Mac computers, much to the embarrassment of the Mac owners who, of course, swear that their computers cannot be infected with bots,” SC Magazine quotes Marcus Sachs, director at SANS Internet Storm Center, as saying. The story also quotes Phillip Porras, program director of enterprise and infrastructure security at SRI International, a research and technology organization, and lead developer of the BotHunter project, as saying that there have been 35,000 downloads so far.

*  Nov 2008: IEEE Computer Magazine: New Blacklisting Technique Improves Network Security
   Researchers have developed an algorithm that generates useful blacklists for networks by taking information from victims of past network attacks and predicting which hacker sites are likely to target specific networks in the future.

*  Nov 2008: Heise Security: BotHunter Tracks Down Zombie PCs on a LAN
   The developers of the botnet-tracking tool BotHunter have added several new features in Version 1.0.1 to help you track down bots on your own LAN even faster and more reliably. A dynamic update service is included that automatically passes new rules and blacklists to BotHunter, along with a graphical interface to display any infected PCs.

*  Nov 2008: WinFuture - Windows Online Magazine: BotHunter to Unmask Zombie Computers on the LAN
   The software maker SRI International has released a new version of its BotHunter tool. It is intended to identify computers on local networks that belong to a botnet.

*  Nov 2008: Wiener Zeitung: Software against Zombies
   Up to 10 million zombies are active worldwide. These computers no longer obey their owners but criminal masterminds, who sometimes control entire herds of zombies. They use them to send spam, attack servers or spy on accounts.

*  07 July 2008: ZDNet: Researchers Borrow from Google PageRank for Network Defense Service
   Using a link analysis algorithm similar to Google PageRank, researchers at the SANS Institute and SRI International have created a new Internet network defense service that completely revamps the way network blacklists are formulated and distributed. The service, called Highly Predictive Blacklisting, will be unveiled next week at the 17th USENIX Security Symposium. An experimental version is currently available for free to all DShield contributors.

*  July 2008: Security Focus: Attackers' Behavior Builds Better Blacklists
   Computer scientists from SRI International and the SANS Institute plan to present a paper next week on a technique that correlates an attacker's preference for victims' networks as a way to prioritize additions to a blacklist. The technique, dubbed "highly predictive blacklists," allows network owners to correlate attacks on their network with attackers' preferences for other networks.

*  July 2008: Internet Blacklisting Tool Unveiled
   Security researchers have taken a page out of Google's book in reinventing the blacklist, a tool for blocking internet attacks. At this week's 17th USENIX Security Symposium, researchers from the SANS Institute and SRI International will present the results of their experiments with "highly predictive blacklisting" (HPB), a service that tailors blacklists for particular networks using an approach similar to Google's PageRank.

*  July 2008: Ars Technica: PageRank-like Algorithm Creates Predictive Malware Blacklist
   It's easy to create a blacklist of sites that have initiated malware attacks on a server, and use that to configure a firewall to prevent further problems. But these blacklists are purely retrospective, since sources only appear in the blacklist after attacks have occurred. The DShield project is an attempt to improve upon this. System administrators can upload their firewall logs, which are then processed to identify sources of malware, allowing them to be blacklisted on servers they haven't attacked yet. Some computer scientists have now used the information present in DShield to make predictions of future attacks for specific servers, based on the fact that malware displays some network effects.

*  July 2008: TechTarget: Researchers Reveal New Blacklisting Method
   Researchers unveiled a new approach to Internet blacklisting that promises to protect corporate networks from malicious attackers better than traditional blacklist methods. The service, called highly predictive blacklisting (HPB), was introduced at the USENIX Security Symposium in San Jose by Jian Zhang, Phillip Porras, program director at SRI International, and Johannes Ullrich, chief research officer at the SANS Institute.
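
The ranking idea that the HPB items above describe (contributors who report the same attack sources are related victims, and an attacker's relevance to a network is propagated across those relationships in a PageRank-like way) is sketched below as an added, simplified Python illustration. It is not code from the HPB paper, DShield or the Cyber-TA project, and it is not the exact algorithm those authors published: the report records and contributor names are constructed for the example, and the shared-attacker correlation matrix, the damping factor of 0.5 and the five propagation steps are choices made here. The attacker-history and recent-log-volume inputs that the PC World summary mentions are not modelled.

```python
from collections import defaultdict
from itertools import combinations

# Constructed DShield-style reports: (contributing network, attacking source).
# Documentation-range addresses, made up for this example.
REPORTS = [
    ("net-A", "198.51.100.10"), ("net-A", "198.51.100.11"), ("net-A", "203.0.113.5"),
    ("net-B", "198.51.100.10"), ("net-B", "198.51.100.11"), ("net-B", "203.0.113.9"),
    ("net-C", "198.51.100.10"), ("net-C", "203.0.113.9"),   ("net-C", "192.0.2.77"),
    ("net-D", "192.0.2.77"),    ("net-D", "192.0.2.78"),
]


def build_graph(reports):
    """Bipartite attacker/victim view of the shared logs: who attacked whom."""
    victims_of = defaultdict(set)   # source -> contributors it was seen attacking
    sources_of = defaultdict(set)   # contributor -> sources it reported
    for contrib, src in reports:
        victims_of[src].add(contrib)
        sources_of[contrib].add(src)
    return victims_of, sources_of


def correlation_matrix(sources_of):
    """W[i][j] = number of attack sources both i and j reported, row-normalised.

    Shared attackers are the evidence that two networks are 'related' victims;
    normalising makes each row a distribution over a contributor's neighbours."""
    contribs = sorted(sources_of)
    W = {i: {j: 0.0 for j in contribs} for i in contribs}
    for i, j in combinations(contribs, 2):
        W[i][j] = W[j][i] = float(len(sources_of[i] & sources_of[j]))
    for i in contribs:
        total = sum(W[i].values())
        if total:
            for j in contribs:
                W[i][j] /= total
    return contribs, W


def propagate(seed, W, contribs, damping=0.5, steps=5):
    """PageRank-style propagation (simplified here): mass placed on the
    contributors a source actually hit flows along correlation edges, damped
    at every hop, so a contributor is scored by direct *and* indirect victim
    relationships rather than by its own logs alone."""
    score = dict(seed)
    cur = dict(seed)
    for _ in range(steps):
        nxt = {j: 0.0 for j in contribs}
        for i in contribs:
            if cur[i]:
                for j in contribs:
                    nxt[j] += cur[i] * W[i][j]
        cur = {j: damping * v for j, v in nxt.items()}
        for j in contribs:
            score[j] += cur[j]
    return score


def predictive_blacklist(reports, top_n=2):
    """Per-contributor list of sources it has NOT seen yet, ranked by how
    strongly those sources have hit the contributor's correlated neighbours."""
    victims_of, sources_of = build_graph(reports)
    contribs, W = correlation_matrix(sources_of)
    relevance = defaultdict(dict)   # contributor -> {source: score}
    for src, hit in victims_of.items():
        seed = {c: (1.0 if c in hit else 0.0) for c in contribs}
        scores = propagate(seed, W, contribs)
        for c in contribs:
            if src not in sources_of[c]:    # already-seen sources are not predictions
                relevance[c][src] = scores[c]
    return {c: sorted(relevance[c], key=lambda s: -relevance[c][s])[:top_n]
            for c in contribs}


if __name__ == "__main__":
    for contrib, sources in predictive_blacklist(REPORTS).items():
        print(f"{contrib}: {sources}")
```

In the constructed data, net-D shares an attacker only with net-C, so the source that hit net-C together with net-A and net-B (198.51.100.10) tops net-D's list, while net-A's list leads with the source seen at its two closest neighbours net-B and net-C. Excluding sources a contributor has already logged is what makes the output a prediction rather than a replay of its own firewall logs.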

*  20 May 2008: Government Computer News: Army Aims to Take Guesswork Out of Cyberdefense
   The Army Research Office (ARO) is funding work by a consortium of private companies to develop predictive technologies that could improve the efficiency of cybersecurity tools. The idea is to create a global system to gather and correlate security events, giving users early warning about coming attacks and aiding in the configuration of sensors, filters and other devices that detect and respond to these events, said Livio Ricciulli, chief scientist at MetaFlows, of Redlands, Calif. MetaFlows is a member of the Cyber-Threat Analytics (Cyber-TA) project, funded by ARO. The goal of this program is a commercial service that could be used to help program security devices. "Obviously, there is a heavy focus on making it meet Army requirements as well," Ricciulli said. "But there definitely is a commercial component."

*  April 2008: Security Focus: Storm, Nugache Lead Dangerous New Botnet Barrage
   "If you look at the way [Storm] is used, it's clear that money is changing hands and that the software has gone through a testing and revision process," said Phillip Porras, a program director at SRI International, who has studied Storm's behaviour. "The botnet is out there to help some group of people make money. This kind of malware is an economy now. Storm is not meant to spread across the entire Internet. It's meant to compromise specific targets. It's a network that is very good at producing money."

*  10 October 2007: KGO Radio Interview: BotHunter Radio Interview
   Bay Area AM Radio.

*  08 October 2007: KTVU Channel 2 News: Interview - BotHunter
   A 4-minute BotHunter television interview. Bay Area Channel 2 News at 5.

*  8 October 2007: San Francisco Chronicle: Techies Take on Spam Zombies
   Computer scientists in Menlo Park are releasing a free diagnostic program today to help network administrators find PCs infected with an insidious new type of virus that has already tainted millions of computers and used them to generate billions of spam e-mails.

*  September 2007: Microsoft Certified Professional Magazine: Free Tool Hunts Bots
   A "dialog-correlation-based" tool called BotHunter has been released free to the Internet. BotHunter attempts to correlate network traffic patterns to identify likely bot-controlled systems within your network. The tool is the result of the Cyber-Threat Analytics research project. BotHunter runs on several different Linux platforms. Truly an excellent idea and well worth investigating. It is difficult to say whether this will become a standard feature of networks in the future, especially given that there is a patent pending on the "dialog-correlation-based" feature.
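
The dialog-correlation idea that the BotHunter items above describe (per-host dialog events on the inbound side, such as scanning, and on the outbound side, such as C&C traffic and outbound propagation, accumulated into an evidence trail until the combination matches an infection pattern) is illustrated below as an added Python example. It is not BotHunter's code and does not reproduce its rule set: the sensor log format, the event names, the 30-minute evidence window and the two infection conditions are a simplified model built for this example, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor output in a simple text format (not BotHunter's real format):
#   <ISO timestamp> <internal host> <dialog event> <external peer>
SAMPLE_EVENTS = """
2008-11-10T09:00:01 10.0.0.5  INBOUND_SCAN     198.51.100.10
2008-11-10T09:00:04 10.0.0.5  INBOUND_EXPLOIT  198.51.100.10
2008-11-10T09:00:40 10.0.0.5  CNC_DIALOG       203.0.113.9
2008-11-10T09:02:10 10.0.0.5  OUTBOUND_SCAN    192.0.2.0
2008-11-10T09:00:02 10.0.0.7  INBOUND_SCAN     198.51.100.10
2008-11-10T09:05:00 10.0.0.9  OUTBOUND_SCAN    192.0.2.0
2008-11-10T13:30:00 10.0.0.9  CNC_DIALOG       203.0.113.9
"""

# Simplified dialog model (names chosen here): inbound events are what an
# attacker does to the host, outbound events are what a bot does afterwards.
INBOUND = {"INBOUND_SCAN", "INBOUND_EXPLOIT"}
OUTBOUND = {"EGG_DOWNLOAD", "CNC_DIALOG", "OUTBOUND_SCAN"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_events(text):
    """Parse the sensor lines into (time, host, event, peer) tuples, time-ordered."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than fail
        ts, host, kind, peer = m.groups()
        events.append((datetime.fromisoformat(ts), host, kind, peer))
    return sorted(events)


def infection_evidence(window_events):
    """Decide whether the evidence in a host's window looks like an infection
    dialog. A lone inbound scan never qualifies: scans hit every host."""
    kinds = {e[2] for e in window_events}
    outbound = kinds & OUTBOUND
    if "INBOUND_EXPLOIT" in kinds and outbound:
        return "inbound exploit followed by outbound bot behaviour"
    if len(outbound) >= 2:
        return "two independent forms of outbound bot behaviour"
    return None


def correlate(text, window_minutes=30):
    """Sliding-window correlation per internal host. Evidence older than the
    window is dropped, so unrelated events hours apart do not combine."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    pending = defaultdict(list)
    for ev in parse_events(text):
        ts, host, kind, peer = ev
        if host in flagged:
            continue                      # one infection profile per host
        pending[host] = [e for e in pending[host] if ts - e[0] <= window]
        pending[host].append(ev)
        reason = infection_evidence(pending[host])
        if reason:
            trail = pending[host]
            flagged[host] = {
                "reason": reason,
                "first_seen": trail[0][0].isoformat(),
                "events": [e[2] for e in trail],
                "peers": sorted({e[3] for e in trail}),
            }
    return flagged


if __name__ == "__main__":
    for host, profile in correlate(SAMPLE_EVENTS).items():
        print(host, profile)
```

With the constructed lines, only 10.0.0.5 is flagged: its exploit is followed within seconds by C&C traffic, and the profile records both the external exploit source and the C&C peer as the evidence trail. 10.0.0.7 is only scanned, and 10.0.0.9 shows two outbound behaviours but more than four hours apart, so they fall outside the window; widening the window to six hours makes 10.0.0.9 match the second condition, which is the trade-off an evidence-expiry setting controls.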

*  28 September 2007: ComputerWorld: Cool Tools for Hacker
   If you want to keep up with the latest criminal exploits without having to collect malware yourself, take a look at SRI International's Cyber-Threat Analytics BotHunter Malware Analysis Web page. Reporting on information and statistics collected from a research honeynet, the BotHunter Malware Analysis page makes daily infection logs from high-interaction honeypots available for anyone to view. Although the scale of the project and the information collected are fairly small, this is a useful site for gaining more insight into crimeware and the world of bots.