Spamhaus has introduced a new Border Gateway Protocol (BGP) community. This new feed focuses on malware families, such as Emotet, whose operators favor hosting their botnet command and control servers (C&Cs) on compromised devices rather than on dedicated infrastructure. Subscribers gain additional protection against the data theft and encryption that typically follow a botnet infection. Even better news: there is no extra charge for existing BGP feed subscribers.

What’s different about this new BGP community?

If you’re reading this and are a little bemused about how BGP feeds can provide protection, read "A beginner's guide to BGP". Otherwise, read on.

Spamhaus BGP feed subscribers currently get access to the following three communities:

  1. Spamhaus Don’t Route Or Peer List (DROP)
  2. Spamhaus Extended DROP List (EDROP)
  3. Botnet Controller List (BCL) – Dedicated. IP addresses of servers dedicated to hosting botnet command and control servers (C&Cs).

The new community, Botnet Controller List – Compromised, lists the IP addresses of legitimate devices that threat actors actively abuse to host botnet C&Cs.

Why is it essential to block access to these IP addresses?

Every malware family has its own way of working. Operators of malware such as the infamous Emotet prefer to host botnet C&Cs on compromised devices rather than on a dedicated server. There are several reasons for this, including:

  1. Infected machines beacon directly to the IP address of the compromised device rather than resolving a domain name, so defences that key on DNS, such as DNS firewalls, never see a lookup they could block.
  2. Typically, end-users struggle to locate and clean up their infected equipment. In fact, the majority have no idea that (1) they are compromised, or (2) one of their devices is acting as a botnet C&C server. The C&C therefore stays online for longer.

So, if you’re blocking connections to dedicated botnet C&C IP addresses only, you are still leaving your network open to some of the most dangerous threats out there, such as Emotet and Qakbot.

Worried about a rise in the number of false positives?

Firstly, let’s be clear: listing an IP address connected to a legitimate device is NOT a false positive. Defenders should be dropping traffic to and from IP addresses seen hosting a botnet C&C, regardless of whether the entity responsible for the host is aware of the fact. Remember that operators of the networks hosting the compromised device are informed by our researchers as soon as an IP address is listed, so the abuse desks at these networks can work to resolve the situation promptly. Once the issue is remediated and the botnet C&C becomes inactive, the listing on our BGP feeds is automatically removed within hours.

Historically, the traditional BCL (which only lists IP addresses dedicated to hosting a botnet C&C) has followed a zero-false-positive policy. Understandably, users of this new compromised BCL dataset may be concerned that some legitimate connections may be dropped.

The truth is “yes”: there may be some minor collateral damage. But let’s look at those words, “collateral damage”. You have to weigh your own interests, the security interests of your customer(s), and the resilience of your network against the minor inconvenience of a few dropped connections.

Do you want to accept any traffic to or from an IP address that is known to be hosting a botnet C&C, enabling threat actors to compromise your users’ data and extort them with ransomware? What is more destructive: a large corporate network being encrypted with ransomware, or blocking, in the worst case, a minimal number of potentially legitimate connections to a single DSL subscriber located on a third-party network?

Furthermore, this new dataset has a much shorter time to live (TTL): our researchers list IPs for a significantly shorter period on this dataset and continually re-validate the entries to verify that the botnet C&C is still active. Entries that fail re-validation are withdrawn from the feed.
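To make the two points above concrete (dedicated-only blocking misses the compromised-host C&C, and the shorter TTL means stale entries drop out), here is an added example written for this page; it is not Spamhaus code and contains no real feed data. It models what a router or firewall effectively does with the feed: build a drop list from the enabled communities, discard entries whose last validation is older than the community's TTL, and match connection records against it. The prefixes, community tags, timestamps, TTL values and flow records are all constructed; the community names are placeholders, since the real Spamhaus community values are not shown on this page.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed feed snapshot (NOT real Spamhaus data). Community names are
# placeholder tags, not the real Spamhaus-assigned BGP community values.
FEED = [
    # (prefix, community, last_validated)
    ("203.0.113.0/24", "DROP", "2022-12-07T09:00:00Z"),
    ("198.51.100.77/32", "BCL-DEDICATED", "2022-12-07T09:00:00Z"),
    # A subscriber's router on a DSL pool, abused as an Emotet C&C (constructed)
    ("192.0.2.45/32", "BCL-COMPROMISED", "2022-12-07T08:30:00Z"),
    # Same community, but last re-validated two days ago: the C&C went quiet
    ("192.0.2.200/32", "BCL-COMPROMISED", "2022-12-05T08:30:00Z"),
]

# Assumed validity windows per community, modelling the shorter listing
# period the post describes for the compromised-host dataset.
TTL = {
    "DROP": timedelta(days=30),
    "BCL-DEDICATED": timedelta(days=7),
    "BCL-COMPROMISED": timedelta(hours=6),
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2022, 12, 7, 10, 0, tzinfo=timezone.utc)


def active_blocklist(feed, enabled, now=NOW):
    """Return [(network, community)] to drop for the enabled communities,
    discarding entries whose last validation is older than their TTL
    (the script-side equivalent of a withdrawn BGP route)."""
    nets = []
    for prefix, community, validated in feed:
        if community not in enabled:
            continue
        ts = datetime.fromisoformat(validated.replace("Z", "+00:00"))
        if now - ts > TTL[community]:
            continue  # stale entry: treated as withdrawn
        nets.append((ipaddress.ip_network(prefix), community))
    return nets


def evaluate(flow_lines, blocklist):
    """Classify constructed flow records of the form 'src dst dport'.
    Traffic is dropped if either endpoint falls inside a listed network."""
    verdicts = []
    for line in flow_lines:
        src, dst, _dport = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hit = next(((n, c) for n, c in blocklist if dst_ip in n or src_ip in n), None)
        verdicts.append((line, "DROP:" + hit[1] if hit else "ALLOW"))
    return verdicts


# Constructed outbound flows from an internal host. A C&C beacon goes
# straight to an IP address, so a DNS firewall never sees a lookup to block.
FLOWS = [
    "10.0.0.15 192.0.2.45 443",      # beacon to a compromised-host C&C
    "10.0.0.15 198.51.100.77 8080",  # beacon to a dedicated C&C
    "10.0.0.15 192.0.2.200 443",     # formerly listed, now expired
    "10.0.0.15 198.51.100.10 443",   # ordinary traffic, never listed
]


def compare():
    """Run the same flows against a dedicated-only policy and against a
    policy that also enables the compromised-host community."""
    dedicated_only = evaluate(
        FLOWS, active_blocklist(FEED, {"DROP", "BCL-DEDICATED"}))
    with_compromised = evaluate(
        FLOWS, active_blocklist(FEED, {"DROP", "BCL-DEDICATED", "BCL-COMPROMISED"}))
    return dedicated_only, with_compromised


if __name__ == "__main__":
    for label, result in zip(("dedicated only", "with compromised"), compare()):
        print(label)
        for line, verdict in result:
            print(f"  {line:32} {verdict}")
```

With the dedicated-only policy the beacon to 192.0.2.45 is allowed through; enabling the compromised-host community drops it, while the expired entry for 192.0.2.200 no longer affects traffic. In production none of this runs as a script: the router imports the routes tagged with the community and sets their next hop to discard, and withdrawal of the route is what removes the block.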

If you’re an ISP reading this, rest assured you won’t be the first to block compromised IPs hosting botnet C&Cs at the network edge. Nor will you be the last.

Where is this dataset from?

Spamhaus’ new partnership with abuse.ch has further extended its access to data. The new BCL – Compromised hosts dataset includes data from abuse.ch’s Feodo Tracker, which tracks and validates botnet C&C infrastructure connected to the current top malware threats, including Emotet, Qakbot, Dridex, and Bumblebee. Incidentally, all of these malware families were listed in the Top 20 of our Botnet Update, Q3 2022.

Consuming this data via Spamhaus gives you access to technical support, a robust service, and quick resolution to any false positives that may arise.

OK – I’m a BGP subscriber; how do I access this data?

As we mentioned, there is no additional cost to access this extra community for current BGP users.

To access the data, log into the Customer Portal and use “Contact Us” to request access to the new BGPF profile that includes the Botnet Controller List – Compromised Hosts.

Border Gateway Protocol Firewall

Border Gateway Protocol (BGP) Firewall provides your users and network with up-to-date protection against botnets and other external attacks.

Setup takes minutes; our data is constantly updated in real time by our experienced researchers on your behalf and can be consumed by your existing firewalls or routers.

  • Prevent data exfiltration
  • Protect your network from botnets
  • Reduce infected machines on your network
