our most comprehensive view of C2


Full Domain, Hash, and DNS resource records


Near real-time identification


updated every 60 minutes


What is the Controller Feed ?

The Controller Feed contains all of our botnet controller data from the Botnet Analysis and Reporting System (BARS), a unique system that enables visibility into botnets that normally evade monitoring, plus other sources for our most comprehensive view of Command and Control (C2) for IRC-based, HTTP-based, and P2P-based botnets. This feed provides the full URL, malware hash, and DNS resource record of the controllers enabling you to cross reference, monitor, or block connections.

The full Controller Feed XML Schema is available and documented with entries varying based on the type of botnet and the insight we have been able to obtain. All times are UTC.

Our data allows for near real-time identification of botnet command and control (C&C) IP addresses (IRC, http, and P2P) built for DDoS, warez, and underground economy to include bot types, passwords, channels, and our insight.

Contains all confirmed, active botnet, warez, underground economy and other malware distribution command points.

Recipients of this report can use data to automatically filter access to C&C IP addresses, thus preventing client hosts contributing to the purpose of the malware.

The report is updated every 60 minutes with manual reverification of each entry after seven days, and removal of those entries that no longer respond on given IP and port.

Controller Feed Entries Include

  • Multiple IP addresses for a single botnet
  • Domain name and HTTP URL
  • First seen time
  • Last checked time
  • Recent up and down times
  • Family, sub-family and version details
  • Protocol and port
  • Whether currently resolves or active in DNS
  • Confidence value
  • SHA1 and MD5 for malware samples
  • SSL and request type for HTTP C2s
  • Password, channel and key for IRC servers

Frequently Asked Questions

This feed has multiple timestamps for C2 (Command and Control Server) entries including generated, first_seen, first_active, came_up, went_down, last_checked. All follow the same time format in UTC of the form: YYYY-MM-DD HH:MM:SS
In addition to specific URL and DNSRR (DNS Resource Record) information for IRC, HTTP and other non-standard or unique controllers (popular with DDoS botnet families), the feed includes the appropriate SHA1/MD5 malware hashes responsible for infection. This represents a single piece of malware that has been observed to connect to this botnet and helps to trace, triage, and eradicate an internal infection.
The Controller Feed provides the full URL and any known detail, including malware hashes, of the controller. The reputation feed is just the IP.
We pool all the currently known C2 data into this feed from all our different feeds, including HTTP based botnets that we were unable to verify mechanically over the most recent 24 hour period, as they are no longer active for some reason. This serves as a great additional line of defense in the event that these botnets come back online as they occasionally do: there is no delay in reading them; you already have the protection.
As part of the XML schema for this report, each controller and bot has been assigned a “confidence” value, which is a range of 0-100, with 100 being the highest confidence rating. The data in this feed is derived from one or more methods. The confidence value entry depends on the method of collection and analysis. The intention is that partners determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision making capability we prefer to give you a confidence value to assist you. You may decide that some threats are important, and others are not. This score will help you along the way.
IRC-based entries are manually verified every 7 days. HTTP-based entries are mechanically verified every 60 minutes.


Ready for the world's best CONTROLLER FEED?