activecm / rita-bl

Real Intelligence Threat Analytics -- Blacklist Database
GNU General Public License v3.0

Add Feodo List #9

Closed ethack closed 4 years ago

ethack commented 4 years ago

The main purpose of this PR is to add https://feodotracker.abuse.ch/blocklist/ as a blacklist source.

Dridex, Heodo (aka Emotet) and TrickBot botnet command & control servers (C&Cs) reside on compromised servers and on servers that have been rented and set up by the botnet herder for the sole purpose of botnet hosting. Feodo Tracker offers a blocklist of IP addresses that are associated with such botnet C&Cs and that can be used to detect and block botnet C2 traffic from infected machines towards the internet. An IP address will only get added to the blocklist if it responds with a valid botnet C2 response.

Specifically, the "IPs Only" list is used. This list contains botnet IP addresses from the past 30 days. There is a more limited list that has active IPs from the past few hours that we could use instead if desired.

This PR also fixes a typo and removes some lower quality blacklists that were either outdated or had a high false positive rate. These can go in separate pull requests if needed.
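As an added illustration (not code from this PR or from rita-bl), the block below shows how a plain-text IP blocklist like the Feodo Tracker "IPs Only" feed can be ingested and queried in Go, the project's language. The list body is a constructed sample, and the assumed file shape (`#`-prefixed comment lines, one address per line, possibly with stray whitespace) is an assumption about the feed rather than something stated in the PR; a real loader would fetch the URL and refresh on the feed's cadence. The parser keeps malformed lines aside instead of silently dropping them, and the lookup normalizes candidates through `net.ParseIP` so an IPv4-mapped IPv6 form of a listed address still matches.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// feodoSample is a CONSTRUCTED stand-in for the "IPs Only" blocklist body.
// Its header/comment layout ("#" lines, one IP per line) is an assumption
// about the feed format, not text taken from the PR.
const feodoSample = `#############################################
# Feodo Tracker Botnet C2 IP Blocklist (constructed sample)
# Last updated: 2020-01-01 00:00:00 UTC
#############################################
192.0.2.10
198.51.100.23
  203.0.113.7  
# trailing comment
not-an-ip
`

// parseIPBlocklist reads a "#"-commented, one-address-per-line list and
// returns the set of valid IPs (keyed by their canonical string form) plus
// any lines that did not parse, so feed corruption is visible to the caller.
func parseIPBlocklist(body string) (map[string]struct{}, []string) {
	set := make(map[string]struct{})
	var bad []string
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank or comment line
		}
		ip := net.ParseIP(line)
		if ip == nil {
			bad = append(bad, line)
			continue
		}
		set[ip.String()] = struct{}{}
	}
	return set, bad
}

// isBlocklisted parses the candidate and looks up its canonical form, so
// "::ffff:203.0.113.7" matches a listed "203.0.113.7". Unparseable input
// is treated as not listed rather than as an error.
func isBlocklisted(set map[string]struct{}, candidate string) bool {
	ip := net.ParseIP(strings.TrimSpace(candidate))
	if ip == nil {
		return false
	}
	_, ok := set[ip.String()]
	return ok
}

func main() {
	set, bad := parseIPBlocklist(feodoSample)
	fmt.Printf("loaded %d C2 IPs, %d malformed lines %v\n", len(set), len(bad), bad)
	for _, c := range []string{"203.0.113.7", "::ffff:203.0.113.7", "192.0.2.11"} {
		fmt.Printf("%-22s blocklisted: %v\n", c, isBlocklisted(set, c))
	}
}
```

The malformed-line count is worth surfacing in logs: a feed that suddenly yields zero valid entries or many bad lines usually means the upstream format changed or an HTML error page was saved in place of the list, which would otherwise silently empty the blacklist.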