Tag Archives: sinkholes

Consolidated Malware Sinkhole List

Posted on by

A common practice of researchers studying a piece of malware is to seize control of its malicious command and control domains, then redirect traffic to them to benign research servers for analysis and victim notification. I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I’ve found no comprehensive public list of these sinkholes. There have been some previous efforts to compile a list, for instance by reverse engineering Emerging Threats Signatures (mikesxrs – I hope this answers your questions, a little late!). Some sinkholes are documented on the vendors’ sites, while others are clearly labeled in whois data, but undocumented. Still others are only detectable through behavior and hearsay.

Below, I share my personal list of publicly-noted sinkholes only. Please understand that with few exceptions I have not received any of this information from the vendors or organizations mentioned. It is possible there is some misattribution, and addresses in use do change over time. This is merely intended as a helpful aid for threat hunting, and there are no guarantees whatsoever.

Before we proceed, credit where credit is due:

I am certainly not claiming credit for this entire list. There are many smart people out there who provided partial data and clues.

http://www.kleissner.org/ maintains fantastically useful lists of command and control servers for numerous botnets. Within those lists, a number of sinkholes are attributed to specific organizations, some of which I could and could not independently verify.

The extremely talented Miroslav Stampar has quite a few sinkholes identified within his maltrail malicious traffic detection tool.

Many, many Robtex, DomainTools, and VirusTotal queries and a lot of Google search hacking went into compiling and cross-checking this list. Michael B. Jacobs has written a terrific paper  which covers some of the methodologies I used to detect and confirm undocumented sinkhole servers through DNS and behavioral analysis.

There are more detailed databases of sinkholes, but they tend to be access-restricted and contain data I will not repost for confidentiality reasons. My list is fully OSINT-based and can be reproduced with time and effort.

Here’s the current list:

If you have any corrections to offer either as one of these organizations or an independent researcher, please contact me and I will give credit in this blog accordingly.