With the rapid development of computer technology and the growth of the Internet, methods of hacking attack are increasingly diverse. Of which botnet combined of technology and characteristics of computer viruses, worms and Trojan horses. It can be said that a masterpiece of malware This study attempts to use a different point of view, through the host port state changes observed as a trigger, and the relevance of time to drive the tracing module, behavior analysis module and NetFlow event module. Proposed a hybrid botnet malware detection framework based on port monitor, which is able to quickly and effectively diagnose and take corresponding defensive measures in the initial infection.