Controller Feed (C2) Insight into 3000+ active botnet C2 IPs, across all known protocols. Near-real-time identification. Full domain, hash and DNS resource records. Updated every 60 minutes.

The Most Comprehensive C2 Feed Available…

The Controller Feed contains all of our botnet controller data from the Botnet Analysis and Reporting System (BARS), a unique system that enables visibility into botnets that normally evade monitoring, plus other sources for our most comprehensive view of Command and Control (C2) for IRC-based, HTTP-based, and P2P-based botnets. This feed provides the full URL, malware hash, and DNS resource record of the controllers enabling you to cross reference, monitor, or block connections.

Feed Details…

  • Near-real-time identification of botnet command and control (C&C) IP addresses (IRC, http, and P2P) built for DDoS, warez, and underground economy to include bot types, passwords, channels, and our insight.
  • Contains all confirmed, active botnet, warez, underground economy and other malware distribution command points.
  • Use this data to automatically block access to C&C IP addresses.
  • The report is updated every 60 minutes.

Controller Feed Entries Include

  • Multiple IP addresses for a single botnet
  • Domain name and HTTP URL
  • First seen time
  • Last checked time
  • Recent up and down times
  • Family, sub-family and version details
  • Protocol and port
  • Whether currently resolves or active in DNS
  • Confidence value
  • SHA1 and MD5 for malware samples
  • SSL and request type for HTTP C2s
  • Password, channel and key for IRC servers

Get Started

Frequently asked questions

What about the malware?

In addition to specific URL and DNSRR (DNS Resource Record) information for IRC, HTTP and other non-standard or unique controllers (popular with DDoS botnet families), the feed includes the appropriate SHA1/MD5 malware hashes responsible for infection. This represents a single piece of malware that has been observed to connect to this botnet and helps to trace, triage, and eradicate an internal infection.

What do I get with the controller feed that I don’t get with the reputation feed?

The Controller Feed provides the full URL and any known detail, including malware hashes, of the controller. The reputation feed is just the IP.

What is an ‘INACTIVE’ entry?

We pool all the currently known C2 data into this feed from all our different feeds, including HTTP based botnets that we were unable to verify mechanically over the most recent 24 hour period, as they are no longer active for some reason. This serves as a great additional line of defense in the event that these botnets come back online as they occasionally do: there is no delay in reading them; you already have the protection.

What is the ‘CONFIDENCE’ entry?

As part of the XML schema for this report, each controller and bot has been assigned a “confidence” value, which is a range of 0-100, with 100 being the highest confidence rating. The data in this feed is derived from one or more methods. The confidence value entry depends on the method of collection and analysis. The intention is that partners determine what issues are most important to them and adapt their policy accordingly. At Team Cymru, we understand that no one can make that determination for you better than you. To facilitate that decision making capability we prefer to give you a confidence value to assist you. You may decide that some threats are important, and others are not. This score will help you along the way.