I recently got an email from my ISP saying that they'd detected traffic to a known Command & Control server from my home. Boo. I'm sure this probably means one of our computers has some awful virus so I'm about to begin that laborious process.

Is there a list of all known C&C servers published somewhere that I can just add firewall rules for? Preferably free. I realize this means computers could still get infected and would just lose the ability to communicate but that seems like a much better alternative than being infected and allowing communication (as alluded to in this question). Hopefully, this would at least prevent connection long enough for Anti-Virus, OS, etc. to catch up with their definitions (depending how fresh the list is). Is this even worth it since they're likely pulled down as soon as they're discovered to be hosting malicious services?

Joel B

  • A frame challenge. Have you considered fixing your computers (erasing and reinstalling from backup)? As an extra thought, your router may be infected, so don't count on any firewall rules. – Deer Hunter Aug 20 '15 at 18:16
  • malwaredomains.com has a large list that your ISP might have used. – schroeder Aug 20 '15 at 18:23
  • @DeerHunter All great points. Finding a virus is awful and the safest thing to do is just wipe it and start fresh. That solution absolutely breaks down when you consider rootkits, network device firmware compromise, etc. This question isn't really about any of that (which is all awful in its own right), just asking for a list of crummy servers out there for the specific attack vector of C&C servers. – Joel B Aug 20 '15 at 18:24
  • This question seems similar to this one: [Looking for URL Blacklists of Malicious Websites](Looking for URL Blacklists of Malicious Websites) (yes, the question mentions URL instead of IP, but the answer remains the same, as blacklisting sites often offer both, so answers are applicable here too). Moreover, this linked question was closed as a product recommendation... – WhiteWinterWolf Aug 21 '15 at 10:19
  • Sorry, it seems that the link did not go through in my last comment: [Looking for URL Blacklists of Malicious Websites](https://security.stackexchange.com/q/32058/32746)... – WhiteWinterWolf Aug 21 '15 at 12:07
  • Perhaps what you need: https://feodotracker.abuse.ch/blocklist/ – codingoutloud Dec 01 '21 at 21:42
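The "download a list, turn it into firewall rules" step the question asks about, as an added example that is not part of the original post or of any of the feeds mentioned. It assumes a plain-text feed with one IPv4 address or CIDR per line and `#` comments (the sample below is constructed, not a real feed); it validates every entry and refuses to block RFC 1918, loopback or link-local ranges, so a bad line in somebody else's list cannot cut off your own LAN or router, and it only prints the ipset/iptables commands for you to review.

```python
import ipaddress

# Constructed sample feed in a "one IPv4 address or CIDR per line, # comments"
# layout (an assumption; check the real feed's documented format before use).
SAMPLE_BLOCKLIST = """\
# C&C blocklist (constructed sample, not a real feed)
203.0.113.10
198.51.100.7
203.0.113.10   # duplicate, dropped
10.0.0.5       # inside our own LAN: a bad feed entry must not lock us out
not-an-ip
192.0.2.0/24
"""

# Never block these whatever the feed says (RFC 1918, loopback, link-local).
LOCAL_RANGES = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def parse_blocklist(text):
    """Return (accepted CIDRs in feed order, rejected raw lines)."""
    accepted, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.IPv4Network(line, strict=False)
        except ValueError:                    # garbage, IPv6, or bad CIDR
            rejected.append(raw)
            continue
        if any(net.overlaps(r) for r in LOCAL_RANGES):
            rejected.append(raw)
            continue
        if net.with_prefixlen not in seen:    # de-duplicate
            seen.add(net.with_prefixlen)
            accepted.append(net.with_prefixlen)
    return accepted, rejected

def firewall_rules(networks, set_name="cnc_block"):
    """Emit ipset/iptables commands as strings for review; nothing is executed."""
    # The set is flushed and rebuilt each run, so re-running with a fresh copy of
    # the feed also unblocks addresses that have since been removed from it.
    cmds = [f"ipset create {set_name} hash:net -exist", f"ipset flush {set_name}"]
    cmds += [f"ipset add {set_name} {n} -exist" for n in networks]
    cmds += [f"iptables -I OUTPUT -m set --match-set {set_name} dst -j DROP",
             f"iptables -I INPUT -m set --match-set {set_name} src -j DROP"]
    return cmds

nets, bad = parse_blocklist(SAMPLE_BLOCKLIST)
print("\n".join(firewall_rules(nets) + [f"# skipped: {b}" for b in bad]))
```

Because a feed goes stale quickly (see the answer below), run this from a cron job against a freshly downloaded copy rather than adding rules once by hand.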

1 Answer

Is there a list of all known C&C servers published somewhere that I can just add firewall rules for?

Unfortunately the operators of such botnets and malware have adapted various strategies to work around such blocks.

A complete and always up-to-date list is not possible because these servers change frequently, either because they got taken down by law enforcement or before they get blocked by too many firewalls. And apart from that, some malware also communicates using peer-to-peer structures and doesn't need central C&C servers. And then there is malware which just gets its commands from Twitter feeds or entries on blogging sites.

Steffen Ullrich