Blocklist
Feodo Tracker offers various blocklists in different formats for different purposes. The blocklists are documented below.
Botnet C2 IP Blocklist
Dridex and Emotet/Heodo botnet command&control servers (C&Cs) reside either on a compromised server or on a server that the botnet herder has rented and set up for the sole purpose of botnet hosting. Feodo Tracker offers a blocklist of IP addresses associated with such botnet C&Cs. It can be used to detect and block botnet C2 traffic from infected machines as it leaves your network towards the internet. An IP address is only added to the blocklist if it responds with a valid botnet C2 response; however, a botnet C2 may go offline later. The Botnet C2 IP Blocklist is available in the formats documented below.
The Botnet C2 IP Blocklist gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
The CSV is useful if you want to process the IP blocklist further, e.g. loading them into your SIEM. The CSV contains the following values:
- Firstseen
- Destination IP (DstIP)
- Destination Port (DstPort)
- Malware family
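As an added example (not the project's own code), assuming the CSV carries the four columns above under constructed column names and "#" comment lines, this Python parses the blocklist, skips malformed rows, flags constructed outbound connection events whose destination matches a tracked C2 IP:port, and renders the same entries as Suricata rules in the host-to-internet direction the blocklist is meant for.

```python
import csv
import ipaddress

# Constructed sample in the four columns the page lists. The "#" comment lines
# and the exact column names are assumptions, not Feodo Tracker's real header.
SAMPLE_BLOCKLIST_CSV = """\
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample, not real data)
# Firstseen,DstIP,DstPort,Malware
2024-01-05 08:15:02,192.0.2.10,443,Dridex
2024-01-06 11:40:19,198.51.100.7,8080,Heodo
2024-01-07 03:02:45,not-an-ip,443,Dridex
2024-01-08 17:55:00,203.0.113.99,99999,Heodo
"""

def parse_blocklist(text):
    """Return {(dst_ip, dst_port): (firstseen, family)}; comments and bad rows are skipped."""
    entries = {}
    rows = (line for line in text.splitlines() if line and not line.startswith("#"))
    for firstseen, dst_ip, dst_port, family in csv.reader(rows):
        try:
            ip = ipaddress.ip_address(dst_ip.strip())  # rejects garbage like "not-an-ip"
            port = int(dst_port)
            if not 0 < port < 65536:
                raise ValueError(dst_port)
        except ValueError:
            continue  # one malformed row must not poison the whole index
        entries[(str(ip), port)] = (firstseen.strip(), family.strip())
    return entries

# Constructed outbound-connection events, as a SIEM or flow collector might hold them.
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "192.0.2.10", "dst_port": 443},
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.7", "dst_port": 80},  # wrong port: no hit
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.7", "dst_port": 8080},
]

def match_events(events, entries):
    """Flag events whose destination IP:port is a tracked C2 (host -> internet direction)."""
    return [(ev["src_ip"], ev["dst_ip"], ev["dst_port"], entries[(ev["dst_ip"], ev["dst_port"])][1])
            for ev in events if (ev["dst_ip"], ev["dst_port"]) in entries]

def to_suricata_rules(entries, base_sid=9000000):
    """Render one alert per C2 IP:port (our own rule text, not the project's ruleset)."""
    return [f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Feodo Tracker {fam} C2 {ip}:{port}"; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
            for n, ((ip, port), (_, fam)) in enumerate(sorted(entries.items()))]
```

Matching on the IP:port pair rather than the IP alone keeps a shared or recycled host from flagging unrelated traffic, which is the false-positive concern the notes on this page raise.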
Note
As IP addresses get recycled and reused, this blocklist only contains botnet C2s that are either active or that have last been seen in the past 30 days. The false positive rate for this blocklist should therefore be low.
In addition, there is an IPs-only list available for download below. This is handy if you want to use the botnet C&Cs tracked by Feodo Tracker as a list of Indicators of Compromise (IOCs).
If you want to fetch a comprehensive list of all botnet C2s Feodo Tracker has ever seen (and no matter if they have ever been seen being active/online or not), please use the CSV provided below.
Caution!
I strongly recommend that you do not use the aggressive version of the Botnet C2 IP Blocklist, as it will definitely cause false positives. If you want to keep false positives low, use the blocklist above this box. If you want maximum protection and do not care about false positives, use the blocklist below this box (not recommended).
Suricata Botnet C2 IP Ruleset
The Suricata Botnet C2 IP Ruleset contains the Dridex and Emotet/Heodo botnet command&control servers (C&Cs) tracked by Feodo Tracker and can be used with both Suricata and Snort, the open source IDS/IPS engines. If you are running Suricata or Snort, you can use this ruleset to detect and/or block network connections towards hostile servers (IP address:port combinations).
The Suricata Botnet C2 IP Ruleset gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
Note
As IP addresses get recycled and reused, this ruleset only contains botnet C2s that are either active or that have last been seen in the past 30 days. The false positive rate for this ruleset should therefore be low.
Download IDS Ruleset (Suricata and Snort)
Download IDS Ruleset (Suricata and Snort) - tar.gz
If you want to fetch a comprehensive list of all botnet C2s Feodo Tracker has ever seen (and no matter if they have ever been seen being active/online or not), please use the CSV provided below.
Caution!
I strongly recommend that you do not use the aggressive ruleset of the Botnet C2 IP list, as it will definitely cause false positives. If you want to keep false positives low, use the ruleset above this box. If you want maximum protection and do not care about false positives, use the ruleset below this box (not recommended).
Malware Hashes
Feodo Tracker publishes a list of hashes (MD5) associated with Dridex and Emotet/Heodo malware samples.
The list of Malware Hashes gets generated every 5 minutes. Please do not fetch it more often than every 5 minutes.
The CSV is useful if you want to process these malware hashes further, e.g. loading them into your SIEM. The CSV contains the following values:
- Firstseen
- MD5 hash
- Malware family
In addition, there is a hashes-only list available for download below. This is handy if you want to use these hashes as a list of Indicators of Compromise (IOCs), e.g. to watch out for them or block them on your network perimeter (such as a mail gateway or firewall) or on your client machines.
Terms of Service (ToS)
By using the website of Feodo Tracker, or any of the services / datasets referenced above, you agree that:
- All datasets offered by Feodo Tracker can be used for both commercial and non-commercial purposes without any limitations (CC0)
- Any data offered by Feodo Tracker is served as is, on a best-effort basis
- abuse.ch cannot be held liable for any false positive or damage caused by the use of the website or the datasets offered above
Vendor note - your help is needed
abuse.ch is a non-profit project which relies on donations in order to continue to operate. If you are a vendor and you would like to integrate data from abuse.ch into your products (or resell it), you are free to do so (CC0). However, I kindly ask you to consider supporting abuse.ch with a donation (e.g. in the form of a hosting plan). If you want to do so, I would be very happy to get a note from you at coSntacPtAmeM@abuse.ch (remove all capital letters).