Malware threats such as Emotet and Qakbot are re-emerging, hitting global corporations hard. You only have to look to Spamhaus' Monthly Malware Digest to see the growing prevalence of these malware families. But what do these threats have in common? Besides the fact that they both act as Initial Access Brokers, the operators of these botnets favor using compromised devices to host their botnet command and controllers (C&Cs) rather than dedicated servers. These malware infections can ultimately lead to data exfiltration and encryption with ransomware, a fate no cyber-security specialist or network administrator wants to deal with. Here’s an effective and economical way to protect against them.

Apply threat intelligence data at your network edge

Organizations and network operators can peer with BGP feeds using existing equipment, meaning there is no additional capital expense to infrastructure costs, making this a cost-effective solution. Even if you don’t own an ASN, Spamhaus supports the use of private ASNs to establish sessions with our BGP Feeds.

You can apply this threat intelligence to any router or modern-day firewall, such as Cisco, Sophos, or Fortinet. These feeds are lists of IP addresses that stop compromised devices inside your network perimeter from communicating with external botnet C&C servers. Blocking this traffic at the network level prevents spam campaigns, loss of data, and ransomware encryption. Read The Beginner’s Guide to BGP to better understand how these communities/feeds work.

We’ve released a new BGP community to protect against the likes of Emotet

Until recently, Spamhaus has provided BGP feed subscribers with access to the following three BGP communities to use with firewalls or routing equipment, blocking malicious traffic:

  • Don’t Route Or Peer (DROP). This is a “drop all traffic” list, consisting of the worst of the worst IP space that is either hijacked or leased by cybercriminals. The netblocks listed here are directly allocated by established Internet registries, e.g., a Regional Internet Registry (RIR).
  • Extended Don’t Route Or Peer (EDROP). This is an extension of the DROP dataset but includes sub-allocated netblocks.
  • Botnet Controller List (BCL) – Dedicated. IP addresses hosting a botnet C&C server that threat actors use to control infected devices. This list only includes IP addresses operated with malicious intent, i.e., operated by cybercriminals with the sole purpose of hosting a botnet C&C.

To protect against threats such as Emotet and Qakbot, we now have a fourth: Botnet Controller List (BCL) – Compromised.

How does this feed protect against Emotet and Qakbot (among others)?

Most threat actors host their botnet C&C infrastructure on dedicated hosts, which serve no other purpose than controlling botnets. Through our BCL – Dedicated feed, we provide protection against this infrastructure.

Currently, however, some of the most dangerous and dominant threats (such as Emotet and Qakbot) rely on compromised devices, usually on residential internet lines, to host their botnet C&C infrastructure. Additionally, operators of these botnets rely entirely on direct IP communication, not using any domain names. This means they bypass existing security mechanisms, such as DNS Firewalls (Response Policy Zones).

This newly introduced BGP feed BCL – Compromised closes this gap in your security defense, protecting against malicious traffic to compromised hosts acting as botnet C&C servers.
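To make the mechanics concrete, here is an added Python model (not Spamhaus code, and not real Spamhaus community values or listings) of what a router does with a feed like this: it accepts only routes tagged with the communities you enable, installs them as discard routes, and drops traffic in either direction for a listed IP. Run over a few constructed flow records, it also shows why a DNS firewall (RPZ) never sees a bot that talks to its C&C by raw IP, while the IP-based feed still catches it, and why a policy without the BCL – Compromised community leaves exactly that gap. The AS number, community values, prefixes, flows and the RPZ domain are all invented placeholders.

```python
# Added example, not Spamhaus code. Models a BGP feed tagged with communities
# becoming a drop policy; all numbers and addresses below are placeholders.
import ipaddress
from typing import Optional

# Placeholder community -> list name mapping (the real values are not these).
COMMUNITY_NAMES = {
    "64496:100": "DROP",
    "64496:200": "EDROP",
    "64496:300": "BCL-Dedicated",
    "64496:400": "BCL-Compromised",
}

# Constructed feed: (prefix, community) as a route-server would announce it.
FEED = [
    ("198.51.100.0/24", "64496:100"),   # DROP: hijacked netblock, RIR-allocated
    ("198.51.100.64/26", "64496:200"),  # EDROP: sub-allocated block (more specific)
    ("203.0.113.7/32", "64496:300"),    # BCL-Dedicated: dedicated C&C host
    ("192.0.2.45/32", "64496:400"),     # BCL-Compromised: residential line hosting a C&C
]

# Constructed RPZ: domains a DNS firewall would refuse to resolve.
RPZ_BLOCKED_DOMAINS = {"c2.example"}


class DropPolicy:
    """Route-map analogue: keep feed routes whose community is enabled,
    install them as discard routes, answer 'is this IP listed, and by which list?'."""

    def __init__(self, feed, enabled_communities):
        self.routes = []
        for prefix, community in feed:
            if community in enabled_communities:
                self.routes.append((ipaddress.ip_network(prefix), COMMUNITY_NAMES[community]))
        # Most specific prefix first, like a FIB longest-prefix lookup.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for net, name in self.routes:
            if addr.version == net.version and addr in net:
                return name
        return None

    def verdict(self, src: str, dst: str):
        """Drop if either endpoint is listed: the discard route drops packets *to*
        the listed IP and loose-mode uRPF drops packets *from* it."""
        for ip in (src, dst):
            hit = self.lookup(ip)
            if hit:
                return ("DROP", hit, ip)
        return ("ALLOW", None, None)


def rpz_would_block(dns_name: Optional[str]) -> bool:
    """An RPZ only acts on a DNS query; a raw-IP connection has none."""
    return dns_name is not None and dns_name in RPZ_BLOCKED_DOMAINS


# Constructed flow log: (src, dst, name resolved before the connection, or None).
FLOWS = [
    ("10.0.0.15", "192.0.2.45", None),           # bot -> compromised DSL C&C by raw IP
    ("10.0.0.15", "203.0.113.7", None),          # bot -> dedicated C&C by raw IP
    ("10.0.0.30", "203.0.113.7", "c2.example"),  # same C&C reached via a domain name
    ("10.0.0.22", "192.0.2.200", "www.example.org"),  # ordinary, unlisted traffic
    ("198.51.100.70", "10.0.0.80", None),        # inbound from EDROP sub-allocation
]


def evaluate(flows, policy: DropPolicy):
    """Compare what an RPZ and the BGP-fed policy would each do per flow."""
    results = []
    for src, dst, name in flows:
        action, listed_by, _ = policy.verdict(src, dst)
        results.append({"src": src, "dst": dst, "rpz_blocks": rpz_would_block(name),
                        "bgp_action": action, "bgp_list": listed_by})
    return results


if __name__ == "__main__":
    full = DropPolicy(FEED, set(COMMUNITY_NAMES))
    for r in evaluate(FLOWS, full):
        print(f"{r['src']:>14} -> {r['dst']:<14} rpz={r['rpz_blocks']!s:<5} "
              f"bgp={r['bgp_action']} ({r['bgp_list']})")
```

On a real router the same effect is the classic blackhole pattern: a route-map matching the feed's community sets the next-hop to an address that is statically routed to a null interface, and loose-mode unicast RPF drops packets whose source resolves to that discard route, so the listed IP is unreachable in both directions.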

What’s the connection with abuse.ch?

Recently, we became a partner with abuse.ch, and one of their platforms, Feodo Tracker, tracks and validates botnet C&C infrastructure connected to the top malware threats. It provides reliable, validated data on botnet C&C infrastructure used by the likes of Emotet and Qakbot. Spamhaus has expanded its existing BCL datasets and made this dataset available via our BGP feeds, increasing protection for our users.

Consumers of this data via Spamhaus get access to technical support, a robust service, and quick resolutions to any perceived false positives that may arise.

Let’s discuss the words “perceived false positives.”

Any ISP, or anyone in charge of protecting their network, will doubtlessly become twitchy at the mere mention of “false positives”. The three original communities in our BGP feeds have zero false positive rates. BUT please note the word “perceived”. If any IP address hosts a botnet C&C, you should block traffic between your network and this IP address. It is irrelevant if a legitimate device is hosted on that IP. This doesn’t make it a false positive. Dropping traffic to and from it makes your network safer!

Consider the following two scenarios, and ask yourself, “Which would I prefer to be dealing with?”

  • A miscreant encrypting a large corporation with ransomware, or
  • Blocking one connection to (as an example) a single DSL subscriber in a third-party network which is hosting a botnet C&C?

Isn’t it a no-brainer?

It’s also worth noting, if you are concerned about perceived false positives, that IP addresses placed on the BCL – Compromised have a much shorter listing time. Our research team consistently revalidates them to ensure the botnet C&C is still active and continues to pose a threat to your network and your customers.

Want to trial this data?

If you’re interested in seeing how this data performs in your network environment, you can trial the data for free for 30 days. If you’re already using the Spamhaus BGP feeds for network edge protection, you can get access to this additional community for free: log in to the Customer Portal and contact us so we can update your profile.
