Security of Czech army information and communication systems - On-line monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence EnvironmentChuck Norris botnet analysis

Botnet analysis

Chuck Norris botnet is Linux malware that attacks Linux MIPS devices, usually ADSL modems and routers discovered at Masaryk University at the end of 2009. The main threat of this botnet is the fact these devices have access to all user network traffic and since it attacks network infrastructure it is hard to be detected.

Chuck Norris botnet (slides for European Conference on Computer Network Defense 2010, Berlin, Germany)

link to a new windowAn Analysis of the Chuck Norris Botnet 2 (technical report, published March 8th, 2011)

New:link to a new windowRevealing Botnets Using Network Traffic Statistics (slides for Security and Protection of Information 2011, Brno, Czech Republic)

Chuck Norris in news



Detection tool

The detection tool named cndet is link to a new windowNfSen plugin. It identifies malware from NetFlow data using several detection patterns of botnet's behaviour. It detects infected devices in local network as well as monitors botnet activity outside the local network (by observing incoming attempts).

Presentation of the detection module (FloCon 2011, Salt Lake City, USA)

link to a new windowPresentation of detection methods (78th IETF meeting, Maastricht, The Netherlands)


cndet screenshot