The Shadowserver Foundation

AAEH/Beebone Botnet

On Thursday April 9th 2015, Europol's Cybercrime Co-ordination Centre (EC3) announced a successful operation to take down the AAEH/Beebone Botnet.

Operation Source” was a joint effort between international law enforcement agencies, such as the FBI and Europol/EC3, plus multiple private partners, and was co-ordinated by EC3's new Joint Cyber Action Taskforce (J-CAT). J-CAT is located at Europol's headquarters and is a cooperation between EC3, most EU Member States and law enforcement partners around the world.

The polymorphic worm known as W32/Worm-AAEH or Beebone facilitates downloading of other malware (including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail Spambots, Fake anti-virus and ransomware). It includes worm-like functionality to spread quickly to new machines, and contains a cyclic update routine to replace itself with newer versions to increase likelihood of remaining undetected by anti-virus software. For more detailed information see this report by McAfee or US-CERT's information page.

The Shadowserver Foundation participated in Operation Source by providing operational infrastructure and support, and gathering data on infected clients for the purposes of victim notification and remediation.

The AAEH/Beebone botnet take down occurred on Wednesday April 8th 2015, with 100% of the DGA domains being successfully suspended and sinkholed under US court order. For existing Shadowsever report consumers, the AAEH/Beebone infections will be tagged as "aaeh" in the Drone report.

You can obtain free nightly reports for your networks by signing up for them here.

Am I Infected?

Operation Source members have worked closely with partners in the anti-virus industry to provide tools to disinfect infected computers. However, the AAEH/Beebone malware can block connections to known anti-virus vendor sites, so your normal desktop tools may not be updating correctly. Shadowserver has provided local copies of the following partner disinfection tools below, in case you are unable to reach your anti-virus vendor's own website:


Online Scanner (Windows Vista, 7 and 8)

Online Scanner (Windows XP)

F-Secure Rescue CD version 3.16 (ISO, 136 MB) MD5 checksum: 81d3b6a13eb61756b366ba51dfde2766


Stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)

Stinger (EXE) MD5 checksum: 18d37c2c8cd5d6b778ec8a6a308c3d50


Scanner (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)

Scanner (EXE MD5 checksum: 4c904ad0cb0a1950c401bb1d78be719e


Scanner (Windows XP (SP2) and above)

Scanner (EXE MD5 checksum: 1bf943802c906ab5768ef05970f7de93

Trend Micro

Scanner (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

Operation Source

Scanner 32-bit" (EXE) MD5 checksum: 8c322cb94a9e4dc8fefb817c3e55c0f6

Scanner 64-bit" (EXE) MD5 checksum: 577543dc0f38f00bdd1eaeca951c59ef



Scanner (EXE) MD5 checksum: 0de7c31d176f9ddebbb052c654b9806b


The statistics shown below are the numbers of unique IP Addresses seen connecting to the sinkholed AAEH/Beebone Botnet infrastructure.

Statistics on historical trends of AAEH/Beebone infections can be found at:

All devices infected with AAEH/Beebone

AAEH Infection Map

(Click image to enlarge)

If you would like to see more regions click here

All devices infected with AAEH/Beebone

AAEH Infecion Hilbert

(Click image to enlarge)

The Shadowserver Foundation is a non-profit organization that provides infection notification and remediation information for many types of computer security threats. If you are a hosting provider, internet provider or a CERT with a constituency you can sign up to receive free nightly reports on your networks.

Copyright © 2015 · All Rights Reserved · The Shadowserver Foundation