— This paper studies the analysis on the Cyber Clean Center (CCC) Data Set 2009, consisting of raw packets captured more than 90 independent honeypots, in order for detecting behavior of downloads and the port-scans. The analyses show that some new features of the coordinated attacks performed by Botnet, e.g., some particular strings contained in packets in downloading malwares, and the common patterns in downloading malwares from distributed servers. Based on the analysis, the paper proposes the heuristic techniques for detection of malwares made by Botnet coordinated attack and reports the accuracy of the proposed heuristics. The detection process is automated in the proposed decision tree consisting of statistics, such as, a number of total inbound packets, and an average rate of downloading malwares.