Defense Robot – The breakthrough innovation for the cybersecurity market
Eniko Toth

Are you tired of never-ending malware infections? Would you like to get rid of the nightmare of long hours spent troubleshooting? Do you keep getting reinfected no matter how often you remove the malware? Enough of purely reactive protection!

The old way

What usually happened when a server became infected? People had to buy expensive special-purpose security tools just to find the malware. If that succeeded, the sysadmins then had to spend many hours (or, in worse cases, several days) removing it. The other option was to pay someone to clean the system for you, but that also cost money. Malware removal can cost as much as 180 USD for a single domain.

OK, so the malware was removed, but what guarantees that it won’t happen again? If someone managed to upload an infected file once, why wouldn’t they try again? Removing the malware alone does not fix the underlying problem, because the infection means there is a weak point in your system, and it is only a matter of time before other attackers find it too.

So what came next to avoid further infections? Finding the backdoor and the attacker's IP, then blocking it. Our web hosting company had a well-working procedure for doing this, but it still consumed our sysadmins' time. Eventually we had enough of it, so we thought big and developed a breakthrough feature.

The BitNinja way

We wanted a more comprehensive and automated tool, so we built one. The BitNinja Defense Robot is the only real-time malware root cause analysis solution on the market. This module identifies backdoors and attacking IPs at each malware upload attempt, without any manual intervention. Instead, the Defense Robot auto-greylists the attack source and sets up customized WAF patterns, so the attacker won’t get the opportunity to upload malware again.

We brought a brand-new concept to the market with our Defense Robot, which not only hardens your defenses but also saves you time and money.

Automatized best practices

Let’s see how the Defense Robot delivers powerful security through the cooperation of 4 active protection modules.

1. Malware Detection

If the Malware Detection module is enabled on your servers, it monitors file changes. When a malware upload attempt is detected, the file is quarantined and the module alerts the Defense Robot.

2. Log Analysis (a.k.a SenseLog)

This is the step in which the Defense Robot identifies the date of the attack and the source IP, with the help of our SenseLog module.

Log filter methods:

  • Time window: The Defense Robot checks the log lines related to the malware upload within the configured time window, which is the 30 seconds before the malware file was changed. We use the file's ctime to identify the time of the upload because, unlike the mtime, it cannot be set arbitrarily by the uploader.
  • Log lines from private IP addresses are ignored.
  • A malware upload over HTTP is a POST request, so GET requests can be ignored at this step.
  • The log lines are read from the end, which makes the process quicker. Since the malware upload is a fresh event at the time of the examination, it will be among the latest log lines. If the Defense Robot instead searched for the matching log line from the beginning of the file, it would take a long time when there is no log rotation.

After these filtering steps there should be only 1 log line left, which contains the attacker’s public IP and the path where the malware was uploaded. What happens with this piece of information?

3. IP Reputation

The malicious IP address is automatically added to the global greylist, so it can no longer connect to your servers or to any other BitNinja-protected server.

4. WAF

After the log filtering we also know the path of the malware upload attempt, so we can automatically honeypotify the abused domain/URI. This means no further malware upload can happen via the same path. It’s an upcoming feature which will be implemented soon.

(Another option that’s also coming soon: the control panel/FTP user's password will be changed automatically, so the attackers won’t be able to access your servers via that account.)

Check out our documentation site, if you need more technical details.

Detailed event correlation info

The Defense Robot creates incidents of the BL_BN_LOG type, which you can find on the Dashboard. Simply go to the Network Attacks menu and list this kind of attack:

Search for the logs that contain the DefenseRobot ID line. Here is an example:

There will also be a new folder created at: /var/log/bitninja/correlations/YYYY/MM/DD/hh_mm_uniqid

In this folder, you’ll find all the details such as:

  • IP address
  • affected domain
  • affected user
  • uploaded malware
  • collected logs

Coming soon: the correlation information will also be available under the Infected files menu, so you can access all the necessary information on the Dashboard.

Enjoy the real-time, automated malware root cause analysis

After we carefully tested the Defense Robot on our own servers, we offered a selected closed group the chance to join the testing stage. Over the past few weeks we received very good results, so we have now made this feature available to everyone who uses BitNinja Pro.

From agent version 1.27.3, the Defense Robot is enabled by default, so you no longer have to investigate and block the source of a malware infection yourself; this module does it automatically.

Let’s take your server security to a new level and enjoy this unique, innovative protection system with BitNinja Pro.
