Spamhaus Q2 Botnet Threat Report – Update!
* This data is available to protect your users and improve your Security / Network / Email systems
SecurityZones provides commercial access to the Spamhaus threat intelligence feeds, including their Botnet Controller List. Spamhaus is a 21-year-old cyber research organization and a global authority on botnet data. Please contact us for further information on our threat intelligence data sets.
Spamhaus Botnet Command & Controller Black List (BCL)
The Spamhaus Botnet Controller List (“BCL”) is a specialized subset of the Spamhaus Block List (SBL): an advisory “drop all traffic” list consisting of single IPv4 addresses that are used by cybercriminals to control infected computers (bots). The BCL does not contain any subnets or CIDR prefixes larger than /32. The BCL data set is updated every 5 minutes. An IP address is listed on the BCL when:
- The server hosted at the IP address is used to control computers that are infected with malware.
- The server hosted at the IP address is operated with malicious intent. In other words, the server is operated by cybercriminals for the exclusive purpose of hosting a botnet C&C server.
The aim of the BCL is to prevent communication between botnet controllers and any bots on a network. As a result, botnet operators are unable to contact bots on the network and therefore cannot receive stolen information or issue instructions to them. This prevents the loss of sensitive information that can be used in identity theft, and stops bots on the network from being used to send spam or commit other crimes.
Size and Mutability
- Typically the BCL contains a few hundred IP addresses with relatively low mutability.
- RSYNC: The BCL is made available as an rsync feed consisting of individual IPv4 addresses, one per line. Comments are preceded by a hash symbol (#). This raw data can be taken and applied as appropriate by the subscribing organization.
- An “attributed” version of the rsync feed is also available. This is supplied as above but with extra tab-delimited columns. The first of the extra columns gives the name of the bot, while the second extra column is a base64-encoded free-text notes field. This field contains general information pertaining to the IP and may include source and/or destination ports as well as MD5 checksums of the associated malware.
- BGP: Supplied as a Border Gateway Protocol feed (BGPf), the BCL can be loaded into routers and then used to null route packets whose origin or destination is listed in the BCL. This blocks communication between botnet controllers and any bots on the network.
- DNS Firewall: Using the BCL as a Response Policy Zone (RPZ) prevents any host machine from resolving any domain whose address is contained in the BCL. This interrupts communication between a bot-infected machine and its command and control servers. Further, with simple logging of the RPZ hits, infected machines can be identified for subsequent remediation.
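The rsync and DNS Firewall items above describe the feed layout (one IPv4 address per line, # comments, and an attributed variant with tab-delimited bot name and base64-encoded notes) and the RPZ use case. The following is an added example, not Spamhaus or SecurityZones code: it parses both feed variants, rejects anything that is not a single IPv4 address so a corrupted download is noticed rather than turned into a block rule, and renders the entries as BIND RPZ IP-trigger records. The rpz-ip record syntax and the zone name `bcl.rpz.example.` are assumptions not described on the page, and the sample feed lines are constructed using TEST-NET-1 addresses.

```python
"""Parse plain and attributed BCL rsync feed text and emit BIND RPZ IP-trigger
records. Added example; the column layout follows the page's description, the
rpz-ip syntax is assumed from BIND's RPZ documentation, and the sample feed
below is constructed (TEST-NET-1 addresses, not real Spamhaus data)."""
import base64
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BclEntry:
    ip: str
    bot: Optional[str] = None    # present only in the attributed feed
    notes: Optional[str] = None  # decoded free-text notes, attributed feed only


# Constructed sample of an attributed feed; the MD5 is a placeholder, not a real IoC.
SAMPLE_FEED = "\n".join([
    "# Constructed sample, not a real BCL snapshot",
    "192.0.2.10\tExampleBot\t"
    + base64.b64encode(b"dst port 8443; md5 <placeholder>").decode(),
    "192.0.2.11",                                # plain-format line, no extra columns
    "",                                          # blank lines are ignored
    "   # indented comment",
    "192.0.2.12\tOtherBot\tnot-valid-base64!!",  # malformed notes column
])


def _decode_notes(raw: str) -> Optional[str]:
    """Base64-decode the notes column; return None when it is malformed."""
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def parse_bcl_feed(text: str) -> List[BclEntry]:
    """Parse feed text into entries, skipping blank lines and # comments.

    The BCL only ever carries single /32 addresses, so a first column that is
    not a plain IPv4 address (a CIDR prefix, a hostname, garbage) raises
    ValueError instead of being silently accepted.
    """
    entries: List[BclEntry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cols = stripped.split("\t")
        try:
            addr = ipaddress.IPv4Address(cols[0].strip())
        except ipaddress.AddressValueError as exc:
            raise ValueError(
                f"line {lineno}: expected a single IPv4 address, got {cols[0]!r}"
            ) from exc
        bot = cols[1].strip() if len(cols) > 1 and cols[1].strip() else None
        notes = _decode_notes(cols[2].strip()) if len(cols) > 2 else None
        entries.append(BclEntry(str(addr), bot, notes))
    return entries


def rpz_ip_record(ip: str) -> str:
    """Return a BIND RPZ IP-trigger record for one /32 address.

    rpz-ip triggers are written as <prefixlen>.<reversed octets>.rpz-ip, so
    192.0.2.10 becomes 32.10.2.0.192.rpz-ip; the CNAME to "." yields NXDOMAIN
    for any answer that would have contained the listed address.
    """
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"32.{reversed_octets}.rpz-ip CNAME ."


def to_rpz_zone(entries: List[BclEntry], origin: str = "bcl.rpz.example.") -> str:
    """Render a minimal RPZ zone file; the origin is a placeholder zone name."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        "@ SOA localhost. hostmaster.localhost. 1 3600 600 86400 300",
        "@ NS localhost.",
    ]
    for entry in entries:
        comment = f" ; {entry.bot}" if entry.bot else ""  # ';' starts a zone-file comment
        lines.append(rpz_ip_record(entry.ip) + comment)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_bcl_feed(SAMPLE_FEED)
    for e in parsed:
        print(e)
    print(to_rpz_zone(parsed))
```

Logging the RPZ hits (for BIND, the `rpz` log category) is what turns this from a silent block into the detection step the DNS Firewall item describes: each blocked answer names the internal client that asked, which is the host to remediate.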