Users of Spamhaus’ Border Gateway Protocol (BGP) feeds – get increased protection against malware

What’s different about this new BGP community?

If you’re reading this and are a little bemused about how BGP feeds can provide protection, read A beginners guide to BGP. Otherwise, read on.

Spamhaus BGP feed subscribers currently get access to the following three communities:

1. Spamhaus Don’t Route Or Peer List (DROP)
2. Spamhaus Extended DROP List (EDROP)
3. Botnet Controller List (BCL) – Dedicated. IP addresses of servers dedicated to hosting botnet command and controllers (C&Cs).

The new community, Botnet Controller List – Compromised, lists the IP addresses of legitimate devices that threat actors actively abuse to host botnet C&Cs.

Why is it essential to block access to these IP addresses?

Every malware family has its own way of working. Operators of malware, such as the infamous Emotet, prefer to host botnet C&Cs on compromised devices, rather than a dedicated server. There are several reasons for this including:

1. By communicating directly with compromised devices (IP addresses), threat actors can conveniently bypass existing security defences such as DNS firewalls.
2. Typically, end-users struggle to locate and clean up their infected equipment. In fact, the majority have no idea that they are #1 compromised, or #2 one of their devices is acting as botnet C&C server.

So, if you’re blocking connections to dedicated botnet C&C IP addresses only, you are still leaving your network open to some of the most dangerous threats out there, such as Emotet and Qakbot

Worried about a rise in the number of false positives?

Firstly, let’s be clear…. Listing an IP address connected to a legitimate device is NOT a false positive. Defenders should be dropping traffic to IP addresses seen hosting a botnet C&C, regardless of whether the entity responsible for the host is aware of the fact. Remember – operators of networks hosting the compromised device are immediately informed by our researchers as soon as an IP address is listed. So the abuse desks at these networks should rapidly work to resolve the situation. Once the issue is remediated, and the botnet C&C becomes inactive, the listing on our BGP feeds will automatically be removed within hours.

Historically the traditional BCL (which only lists IP addresses dedicated to hosting a botnet C&C) follows a zero false positive policy. Understandably, users of this new compromised BCL dataset may be concerned that some legitimate connections may be dropped.

The truth is “yes”; there may be some minor collateral damage. But let’s look at those words “collateral damage”. You have to weigh up your interests, the security interests of your customer(s), and the resilience of your network versus minimal minor inconvenience.

Do you want to accept any traffic from an IP address that is known to be hosting a botnet C&C, enabling threat actors to compromise your users’ data and extort them with ransomware? What is more destructive: a large corporate network being encrypted with ransomware or blocking, in the worst case, a minimal amount of potentially legitimate connections to a single DSL subscriber located on a third-party network?

Furthermore, this new dataset has a much shorter time to live (TTL); our researchers list IPs for a significantly shorter period on this dataset and continually re-validate these entries to verify the botnet C&C is active.

If you’re an ISP reading this, rest assured you won’t be the first to block compromised IPs hosting Botnet C&Cs, at the network edge. Nor will you be the last.

Where is this dataset from?

Spamhaus’ new partnership with abuse.ch has further extended its access to data. The new BCL – Compromised hosts dataset includes data from abuse.ch’s Feodo Tracker, which tracks and validates botnet C&C Infrastructure connected to the current top malware threats, including Emotet, Qakbot, Dridex, and Bumblebee. Incidentally, all of these malware families were listed in the Top 20 in our Botnet Update, Q3 2022.

Consuming this data via Spamhaus gives you access to technical support, a robust service, and quick resolution to any false positives that may arise.

OK – I’m a BGP subscriber; how do I access this data?

As we mentioned, there is no additional cost to access this extra community for current BGP users.

To access the data, log into the Customer Portal and “Contact Us”, requesting access to the new BGPf profile, including the Botnet Controller List – Compromised Hosts.