Heuristic botnet detection
US-9143522-B2 · Sep 22, 2015 · US
US9430646B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9430646-B1 |
| Application number | US-201313830573-A |
| Country | US |
| Kind code | B1 |
| Filing date | Mar 14, 2013 |
| Priority date | Mar 14, 2013 |
| Publication date | Aug 30, 2016 |
| Grant date | Aug 30, 2016 |
Official abstract text for this publication.
Techniques may automatically detect bots or botnets running in a computer or other digital device by detecting command and control communications, called "call-backs," from malicious code that has previously gained entry into the digital device. Callbacks are detected using a distributed approach employing one or more local analyzers and a central analyzer. The local analyzers capture packets of outbound communications, generate header signatures, and analyze the captured packets using various techniques. The techniques may include packet header signature matching against verified callback signatures and deep packet inspection. The central analyzer receives the header signatures and related header information from the local analyzers, may perform further analysis (for example, on-line host reputation analysis), determines using a heuristics analysis whether the signatures correspond to callbacks, and generally coordinates among the local analyzers.
Opening claim text (preview).
What is claimed is:

1. A computer implemented method for detecting callbacks from malicious code, comprising: A) local analyzers including a first local analyzer and a second local analyzer, the first local analyzer capturing packets of outbound communications, generating a signature from header information obtained from each of the captured packets, determining whether the signature matches a stored signature within a local signature cache, and, if a match is not found, analyzing the captured packet associated with the signature, including performing deep packet inspection; and B) a central analyzer receiving at least the signature and results of analysis associated with the captured packet from the first local analyzer; determining whether the signature matches a callback signature stored within a global signature cache; and coordinating, when the signature matches the callback signature, a sharing of the signature with the second local analyzer; and, when the signature fails to match any callback signature in the global signature cache, (i) performing an analysis on information contained in the captured packet; (ii) generating a callback probability score associated with the captured packet; (iii) declaring the captured packet having the callback probability score exceeding a predetermined threshold as associated with callbacks; and (iv) storing a designation of malware status with the signature associated with the captured packet having the callback probability score exceeding the predetermined threshold in the global signature cache.

2. A computer implemented method for detecting callbacks from malicious code, comprising: A) performing, by a local analyzer, (i) signature matching of a generated header signature, based on information from a header obtained from a captured packet of a plurality of captured packets, against a plurality of packet header signatures corresponding to verified callbacks stored in a local cache, and (ii) first stage filtering of the header to detect whether the header corresponds to a suspect header upon detecting that the header includes header anomalies; and B) performing, by a central analyzer, (i) signature matching of the header signature for the suspect header received from the local analyzer against a plurality of header signatures corresponding to verified callbacks stored in a central cache, (ii) second stage filtering of the suspect header to detect suspicious characteristics associated with the suspect header, the suspect header detected to have suspicious characteristics being a suspicious suspect header, (iii) generating a probability score based on the suspicious characteristics for each suspicious suspect header, (iv) comparing the probability score with a threshold to verify whether the suspicious suspect header corresponds to a callback, and (v) storing the header signature of the suspicious suspect header verified as corresponding to a callback in the central cache, and sending a message to the local analyzer to update the local cache.

3. A computer implemented method performed by a local analyzer for detecting callbacks from malicious code, the local analyzer comprising one or more processors and software stored in a memory accessible to the one or more processors, and being configured for communications over a network with a central analyzer, the method comprising: A) generating a header signature based on information from a header obtained from a captured packet of a plurality of captured packets; B) signature matching of the header signature against a plurality of packet header signatures corresponding to verified callbacks stored in a local cache of the local analyzer; C) responsive to the header signature corresponding to none of the plurality of packet header signatures, performing a first stage filtering of the captured packet headers of the plurality of captured packets to detect whether the captured packet header includes header anomalies, the captured packet header identified as having header anomalies being a suspect header; D) sending the suspect header and the header signature to the central analyzer, and receiving from the central analyzer a message providing information for the suspect header verified through a second stage filtering by the central analyzer as corresponding to a callback; and E) updating the local cache with the information received from the central analyzer, thereby storing in the local cache an updated listing for the plurality of packet header signatures corresponding to verified callbacks.

4. The computer implemented method of claim 3, wherein the generating of the header signature comprises generating a header signature from a partially masked header.

5. The computer implemented method of claim 3, further comprising issuing an alert in the event the signature matching of the header signature against the plurality of packet header signatures results in a match; and performing the sending of the suspect header and the updating of the local cache when the signature matching of the header signature does not result in a match.

6. The computer implemented method of claim 3, wherein the first stage filtering comprises performing a dark IP address analysis on the suspect headers that identifies suspicious destination IP addresses contained within fields of the suspect headers.

7. The computer implemented method of claim 3, wherein the first stage filtering comprises performing a dark analysis on the suspect headers that identifies suspicious domain identifiers contained within fields of the suspect headers.

8. The computer implemented method of claim 3, wherein the performing of the first stage filtering of the captured packet headers to detect whether the captured packet header includes header anomalies comprises determining whether the captured packet header is non-compliant with a communication protocol.

9. A computer implemented method performed by a central analyzer for detecting callbacks from malicious code, the central analyzer configured for communication over a network with a plurality of local analyzers, the method comprising: A) receiving information identifying anomalies within a plurality of suspect headers from a local analyzer; B) comparing a header signature for each of the plurality of suspect headers received from the local analyzer against a plurality of header signatures corresponding to verified callbacks stored in a global cache associated with the central analyzer; C) conducting an analysis of each of the plurality of suspect headers to detect whether any of the plurality of suspect headers has at least one suspicious attribute, the suspect headers detected to have suspicious attributes being suspicious suspect headers; D) verifying whether any of the suspicious suspect headers correspond to callbacks, wherein the verifying comprises generating a probability score based on the anomalies and the at least one suspicious attribute for each of the suspicious suspect headers, and comparing the probability score with a threshold in determining whether any of the suspicious suspect headers should be classified as a callback; E) storing the header signatures of the suspicious suspect headers verified as corresponding to callbacks in the global cache; and F) sending a message to the local analyzer containing information with respect to the suspicious suspect headers verified as corresponding to callbacks.

10. The computer implemented method of claim 9, wherein the analysis of each of the plurality of suspect headers comprises conducting a second stage filtering that comprises performing an on-line host reputation analysis based on the plurality of suspect headers.

11. The computer imp
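The claims above describe a two-tier pipeline: a local analyzer hashes a partially masked header, checks a local signature cache, runs first-stage header filtering (dark IP, suspicious domain, protocol non-compliance) and escalates suspects; the central analyzer checks a global cache, adds second-stage findings such as host reputation, scores the suspect against a threshold, stores verified signatures and pushes them to every local analyzer. The following Python sketch, added here as an illustration and not code from the patent or its assignee, runs that flow end to end on constructed traffic. The header fields, the dark-IP range (TEST-NET-3), the suspicious-TLD list, the reputation table, the score weights and the 0.6 threshold are all assumptions chosen for the demo; the point it shows beyond the claim text is why masking the header before hashing matters: the second site alerts on the same beacon from its local cache without contacting the central analyzer at all.

```python
"""Two-tier callback detection modelled on the local/central analyzer split in
the claims. Added example, not the patent's code: packets, anomaly checks,
the reputation table and the score weights are constructed for illustration."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for a dark-IP list, a suspicious-domain list and the
# probability threshold; a deployment would load these from feeds.
DARK_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, unroutable
SUSPICIOUS_TLDS = (".top", ".zip")
SCORE_THRESHOLD = 0.6

@dataclass(frozen=True)
class Header:
    """Fields pulled from an outbound IPv4 HTTP request."""
    src_ip: str
    dst_ip: str
    dst_port: int
    host: str
    user_agent: str
    http_version: str

def signature(h: Header) -> str:
    """Signature from a partially masked header (claim 4): source address
    dropped, destination masked to its /24, so one signature covers every
    infected host beaconing to the same C2 block."""
    masked_dst = str(ipaddress.ip_network(f"{h.dst_ip}/24", strict=False))
    material = "|".join([masked_dst, str(h.dst_port), h.host.lower(), h.user_agent])
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def first_stage_filter(h: Header) -> list:
    """Local first-stage filtering (claims 6-8): list the header anomalies."""
    anomalies = []
    if any(ipaddress.ip_address(h.dst_ip) in net for net in DARK_NETS):
        anomalies.append("dark_ip")
    if h.host.lower().endswith(SUSPICIOUS_TLDS):
        anomalies.append("suspicious_domain")
    if h.http_version not in ("HTTP/1.0", "HTTP/1.1"):
        anomalies.append("protocol_noncompliant")
    return anomalies

class CentralAnalyzer:
    """Global cache, second-stage filtering, scoring, cache distribution."""
    WEIGHTS = {"dark_ip": 0.4, "suspicious_domain": 0.3,
               "protocol_noncompliant": 0.3, "bad_reputation": 0.5}

    def __init__(self, reputation: dict):
        self.reputation = reputation  # stand-in for an on-line reputation lookup
        self.global_cache = {}        # signature -> malware designation
        self.locals, self.submissions = [], 0

    def second_stage_filter(self, h: Header) -> list:
        """Suspicious attributes beyond the header itself (claim 10)."""
        return ["bad_reputation"] if self.reputation.get(h.host.lower()) == "bad" else []

    def submit(self, sig: str, h: Header, anomalies: list) -> bool:
        """Verify a suspect header from a local analyzer; True if callback."""
        self.submissions += 1
        if sig not in self.global_cache:
            score = min(1.0, sum(self.WEIGHTS[a] for a in anomalies + self.second_stage_filter(h)))
            if score <= SCORE_THRESHOLD:
                return False
            self.global_cache[sig] = {"status": "callback", "score": score}
        for local in self.locals:     # share the verified signature (claims 1, 2, 9)
            local.local_cache.add(sig)
        return True

class LocalAnalyzer:
    def __init__(self, central: CentralAnalyzer):
        self.central, self.local_cache = central, set()
        central.locals.append(self)

    def inspect(self, h: Header) -> str:
        sig = signature(h)
        if sig in self.local_cache:   # claim 5: alert on a cache hit, no escalation
            return "alert"
        anomalies = first_stage_filter(h)
        if not anomalies:
            return "clean"
        return "alert" if self.central.submit(sig, h, anomalies) else "suspect"

def run_demo() -> dict:
    """Constructed traffic: a beacon first seen at site A, then at site B."""
    central = CentralAnalyzer(reputation={"beacon.example.top": "bad"})
    site_a, site_b = LocalAnalyzer(central), LocalAnalyzer(central)
    beacon_a = Header("10.0.0.5", "203.0.113.10", 80, "beacon.example.top", "Mozilla/5.0", "HTTP/1.1")
    beacon_b = Header("10.1.0.9", "203.0.113.44", 80, "beacon.example.top", "Mozilla/5.0", "HTTP/1.1")
    benign = Header("10.0.0.6", "198.51.100.5", 80, "updates.example.com", "Mozilla/5.0", "HTTP/1.1")
    odd = Header("10.0.0.7", "198.51.100.7", 80, "cdn.example.com", "Mozilla/5.0", "HTTP/9.9")
    return {
        "beacon_a": site_a.inspect(beacon_a),  # three findings, score 1.0: verified callback
        "beacon_b": site_b.inspect(beacon_b),  # same masked signature: local cache hit at site B
        "benign": site_a.inspect(benign),
        "odd": site_a.inspect(odd),            # one anomaly, score 0.3: suspect, not verified
        "central_submissions": central.submissions,
        "shared_to_b": signature(beacon_a) in site_b.local_cache,
    }

if __name__ == "__main__":
    print(run_demo())
```

Two design choices worth noting. The signature is keyed on the masked destination block, port, lowercased Host and User-Agent, so the second infected host (different source, different last octet) hits the cache immediately; masking too aggressively would make benign CDN traffic collide with a beacon, so the mask is the knob that trades recall against false positives. The "odd" request shows the other side of the threshold: a single protocol anomaly is escalated but not declared a callback, which is what keeps a misbehaving client from poisoning every local cache with its signature.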
Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities · CPC title
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
involving event detection and direct action · CPC title
using dedicated hardware · CPC title