ThreatSTOP Blog

New and Improved Botnet Feeds

Written by threatstop | March 15, 2012

ThreatSTOP has improved our botnet block list by adding a number of C&C servers and DNS servers belonging to botnets that have been taken down by law enforcement. This includes the Conficker C&C sinkhole servers (see http://www.confickerworkinggroup.org/wiki/ ) and the IP addresses that the DNS Changer botnet used as DNS servers when it redirected DNS lookups on infected computers (see http://dcwg.org ). These have been added both to the botnets feed and to their respective expert mode feeds, sinkhole and DNS changer. We have added these feeds as a service to our subscribers to help them identify computers on their networks that are still infected by these forms of malware: blocking these addresses on the NAT device makes it easy to identify the infected internal host from the source IP address of the blocked connection.

For the other sinkholed malware (generally Conficker), it looks like this: [screenshot not reproduced in this copy]
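The identification step described above, as an added example that is not part of the original post or of ThreatSTOP's software: a small script that reads firewall block-log lines from the NAT device, matches each destination against the sinkhole and DNS changer feeds, and reports which internal hosts tried to reach them. The feed contents are constructed for this example (the named feeds are real, but the address ranges are RFC 5737 documentation prefixes standing in for the real sinkhole and rogue-resolver addresses), as are the iptables-style log lines.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed feed. The feed names match the expert-mode feeds named in the
# post; the prefixes are RFC 5737 documentation ranges used as placeholders,
# NOT the real sinkhole / DNS Changer addresses.
FEEDS = {
    "sinkhole": ["192.0.2.0/24"],
    "dnschanger": ["198.51.100.0/24", "203.0.113.8/29"],
}
FEED_NETS = [(name, ipaddress.ip_network(cidr))
             for name, cidrs in FEEDS.items() for cidr in cidrs]

# Constructed iptables LOG output. The LOG rule must fire where the internal
# (pre-SNAT) source address is still visible, e.g. in the FORWARD chain, or
# every hit will show the gateway's public address instead of the victim.
SAMPLE_LOG = """\
Mar 15 10:01:02 gw kernel: BLOCK-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.7 PROTO=UDP SPT=51234 DPT=53 LEN=52
Mar 15 10:01:05 gw kernel: BLOCK-OUT IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.9 PROTO=UDP SPT=51235 DPT=53 LEN=52
Mar 15 10:02:11 gw kernel: BLOCK-OUT IN=eth1 OUT=eth0 SRC=10.0.0.77 DST=192.0.2.45 PROTO=TCP SPT=40001 DPT=80 WINDOW=65535
Mar 15 10:03:00 gw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.200 PROTO=TCP SPT=40002 DPT=443
"""

# iptables LOG lines carry KEY=value fields; we only need SRC, DST and DPT.
KV_RE = re.compile(r"(?P<k>[A-Z]+)=(?P<v>\S*)")


def parse_kv(line):
    """Return the KEY=value fields of one log line as a dict."""
    return {m.group("k"): m.group("v") for m in KV_RE.finditer(line)}


def classify(dst):
    """Return the feed name whose range contains dst, or None."""
    ip = ipaddress.ip_address(dst)
    for name, net in FEED_NETS:
        if ip in net:
            return name
    return None


def find_infected(lines):
    """Map each internal source host to the (feed, dst, dport) hits it caused."""
    hits = defaultdict(set)
    for line in lines:
        kv = parse_kv(line)
        if "SRC" not in kv or "DST" not in kv:
            continue
        feed = classify(kv["DST"])
        if feed is None:
            continue  # destination is not in any feed: ordinary traffic
        hits[kv["SRC"]].add((feed, kv["DST"], kv.get("DPT", "")))
    return dict(hits)


def report(hits):
    """Summarise find_infected() output as host -> sorted list of feed names."""
    return {host: sorted({feed for feed, _, _ in entries})
            for host, entries in hits.items()}


if __name__ == "__main__":
    hits = find_infected(SAMPLE_LOG.splitlines())
    for host, feeds in sorted(report(hits).items()):
        print(f"{host}: matched {', '.join(feeds)}")
        for feed, dst, dport in sorted(hits[host]):
            print(f"    {feed}: {dst} port {dport}")
```

A host that matches the dnschanger feed on port 53 is one whose resolver settings still point at the rogue servers; a host matching the sinkhole feed is still running the original malware and trying to reach its C&C. Because the sinkhole servers themselves are operated by researchers, the hit is evidence about the internal host, not about the destination.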

We have also added a new source of derived botnet data from Cyber TA. This source adds roughly 200 currently active C&C hosts and provides cross-correlation for a number of addresses that also appear in other sources. Because it contains some known false positives, this list is available as a separate feed for expert users (CyberTA-Botnet).