Key Features:
DNS Centric, covering all controllers observed – no victims.
Provides the full URL, malware hash, and DNS resource record.
Includes capabilities for blocking compromised nodes, malicious attachments, and application-level firewalling.
Key Advantages:
Real-time identification of botnet command and control (C2) IP addresses.
Continuous monitoring of inactive nodes and networks.
Offers detailed controller feed entries, including all possible IP addresses, domain name, HTTP URL, first seen time, and confidence score.
Use Cases:
Internet service providers can use the feed to block traffic to known malicious controllers, protecting their customers.
Enterprises can integrate the feed into their intrusion detection systems to enhance their security posture.
Data centers can utilize the feed for proactive security measures, preventing malicious traffic from affecting their operations.
The Most Comprehensive C2 Feed Available…
The Controller Feed contains all of our botnet controller data from the Botnet Analysis and Reporting System (BARS), a unique system that enables visibility into botnets that normally evade monitoring, plus other sources for our most comprehensive view of Command and Control (C2) for IRC-based, HTTP-based, and P2P-based botnets. This feed provides the full URL, malware hash, and DNS resource record of the controllers enabling you to cross reference, monitor, or block connections.
Feed Details…
-
Near-real-time identification of botnet command and control (C&C) IP addresses (IRC, http, and P2P) built for DDoS, warez, and underground economy to include bot types, passwords, channels, and our insight.
-
Contains all confirmed, active botnet, warez, underground economy and other malware distribution command points.
-
Use this data to automatically block access to C&C IP addresses.
-
The report is updated every 60 minutes.
Controller Feed Entries Include
-
Multiple IP addresses for a single botnet
-
Domain name and HTTP URL
-
First seen time
-
Last checked time
-
Recent up and down times
-
Family, sub-family and version details
-
Protocol and port
-
Whether currently resolves or active in DNS
-
Confidence value
-
SHA1 and MD5 for malware samples
-
SSL and request type for HTTP C2s
-
Password, channel and key for IRC servers
-
How do I use the reputation feed?This is designed to be a near-real-time feed to allow subscribers to monitor for infected computers visiting their networks. Subscribers can utilize the IP Reputation Feed to identify compromised hosts as they access their networks, thus enabling them to monitor or block these infected hosts before they can cause any damage. Combine the other categories we include and you have the most complete list possible. Possible uses include: Banks checking for infected customers at sign-on Companies pro-actively monitoring for exfiltration of data via bots ISPs checking for infected customers and other abuse Vendors importing data for enterprise appliances
-
Where do you get the data?This information is gathered through a number of methods, including malware analysis, observation of botnet command and control (C&C) botnets that we have uniquely decoded, and monitoring of dark IP space (darknets).
-
What is the ‘REPUTATION_SCORE’ entry?As part of the XML file for this report, each IP has been assigned a “reputation” value derived from various methods. The key used to calculate this value is included in the feed. The intention is that clients determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision-making capability, we prefer to give you a reputation value to assist you. You may decide that some threats are important, and others are not. This value will help you along the way.