<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>ThreatSTOP has improved our botnet block list by adding a number of C&amp;C servers and DNS servers for botnets that have been taken down by law enforcement. This includes the Conficker C&amp;C sinkhole servers (see <a href="http://www.confickerworkinggroup.org/wiki/">http://www.confickerworkinggroup.org/wiki/</a>) and the IP addresses that the DNS Changer botnet used as DNS servers when redirecting DNS on infected computers (see <a href="http://dcwg.org">http://dcwg.org</a>). These have been added to both the botnets feed and to the respective expert mode feeds: sinkhole and DNS changer. We have added these feeds as a service to our subscribers to help them identify computers on their networks that are still infected by these forms of malware, because blocking these addresses on the NAT device makes it easy to identify the infected internal host from its IP address.</p> <p>For the other sinkholed malware (generally Conficker), it looks like this:</p> <p><a href="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/confickereg-1.png"><img class="aligncenter size-full wp-image-509" title="Conficker example" src="http://cdn2.hubspot.net/hubfs/2548414/Imported_Blog_Media/confickereg-1.png" alt="Conficker example" width="500" height="73"></a></p> <p>In addition, we have added a new source of derived botnet data from Cyber TA. This new source adds about another 200 currently active C&amp;C hosts and provides cross-correlation of a number of other addresses that show up in other sources. This list is available as an individual feed for expert users (CyberTA-Botnet) because it has some known false positives in it.</p></span>
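<p>The identification step described above (blocked connections to sinkhole or DNS changer addresses point back to an infected internal host) can be automated over the gateway's drop log. The following is an added example, not ThreatSTOP code: the feed ranges, the log prefix, the log lines and the internal network are all constructed placeholders, and it assumes the drop is logged before source NAT.</p>

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder ranges (RFC 5737 documentation space) standing in for
# the sinkhole and DNS changer feed contents, which the post does not list.
FEEDS = {
    "sinkhole": ["192.0.2.0/24"],
    "dns-changer": ["198.51.100.0/24", "203.0.113.64/26"],
}
# Assumption: internal hosts live in 10.0.0.0/8 and the gateway logs the drop
# before source NAT, so SRC is still the internal address.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed iptables-style drop log lines ("TS-BLOCK" is a made-up log prefix).
SAMPLE_LOG = """\
Mar  1 10:00:01 gw kernel: TS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.10 PROTO=TCP SPT=49152 DPT=80
Mar  1 10:00:02 gw kernel: TS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=198.51.100.5 PROTO=UDP SPT=51000 DPT=53
Mar  1 10:00:03 gw kernel: TS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=192.0.2.77 PROTO=TCP SPT=49153 DPT=80
Mar  1 10:00:04 gw kernel: TS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.88 DST=203.0.113.200 PROTO=TCP SPT=40000 DPT=443
Mar  1 10:00:05 gw kernel: TS-BLOCK IN=eth0 OUT= SRC=203.0.113.70 DST=10.0.0.1 PROTO=TCP SPT=80 DPT=5000
Mar  1 10:00:06 gw kernel: TS-BLOCK IN=eth1 OUT=eth0 SRC=10.0.0.999 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=80
"""

ADDR_RE = re.compile(r"SRC=(\S+) DST=(\S+)")

def infected_hosts(log_text, feeds=FEEDS, internal=INTERNAL):
    """Map internal source IP -> {feed name: hit count} for blocked outbound packets."""
    nets = [(name, ipaddress.ip_network(c)) for name, cidrs in feeds.items() for c in cidrs]
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if not m:
            continue  # not a packet log line
        try:
            src, dst = (ipaddress.ip_address(g) for g in m.groups())
        except ValueError:
            continue  # corrupt address field, skip rather than abort the run
        if src not in internal:
            continue  # only outbound traffic from an internal host counts
        for name, net in nets:
            if dst in net:
                hits[str(src)][name] += 1
    return {host: dict(feeds_hit) for host, feeds_hit in hits.items()}

if __name__ == "__main__":
    for host, feeds_hit in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(host, feeds_hit)
```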