botsnoopd is a project I have now been working on for quite some time. Initially, it was invented as a replacement for ShadowServer's snoop infrastructure. But now that I was so slow and they put so much effort into their Perl script, it seems they want to keep it. So we're now going to use this in the mwcollect Alliance.
We are going to have a three-tier approach consisting of
- nepenthes / other G.O.T.E.K. inputs
- CWSandbox / Norman Sandbox / other analysis devices
to efficiently catch and collect malware, analyse it with regard to extracting botnet C&C information, and then finally sniff the bot herders' commands and store them.
Although it seems there were some rumors in the Virus Bulletin 2006 hallways that botsnoopd has been publicly released, that is definitely not true. People might have been referring to a presentation we gave at Blackhat: Georg Wicherski & Thorsten Holz: «Catching Malware to Detect, Track and Mitigate Botnets». botsnoopd is not finished software yet, and as new transport protocols for C&C emerge, new modules will be created (it's the same story as with nepenthes).
It is not our plan to ever publicly release it anyway, since it might be a powerful tool for bot herders as well; the current idea is to release it as open source to selected parties under an NDA.