The Shadowserver Foundation

Dridex / Cridex / Bugat V5 / Feodo Variant D Botnet

On Tuesday October 13th 2015, the UK's National Cyber Crime Unit (part of the National Crime Agency) in conjunction with the FBI and US Department of Justice jointly announced an ongoing operation to take down the Dridex botnet.

The investigation continues and is a joint effort between international law enforcement agencies, such as the NCA, FBI and Europol/EC3, multiple private partners, such as Dell Secureworks, and other government agencies. The announcement coincides with the FBI announcing indictments against a number of foreign nationals believed to be key to the botnet's creation and/or operation.

The Shadowserver Foundation has been supporting this operation by providing operational infrastructure and support, and gathering data on infected clients for the purposes of victim notification and remediation.

The Dridex malware infects Windows computers and uses a hybrid peer-to-peer (P2P) model for command and control. It is primarily a banking trojan designed to harvest the user's login and password details which can then be used to commit fraud on a global scale. To date the criminals behind Dridex are believed to have stolen GBP 20 million in the UK alone. Victims are typically infected when they open an attachment in a spammed email and manually enable macros when prompted. These spam emails may appear to come from legitimate and plausible sources.

Dridex resides in the RAM of running infected Windows computers and only writes itself to the hard drive when a shutdown command is sent. In addition to harvesting passwords and personal information it is also associated with other hidden tools that allow criminals to access and control computers remotely. It also uses a complex network of computers globally (many of which have themselves been hacked) in order to provide management control to the criminal operators. Please see here for a fuller explanation of this malware and how it stores its configuration.

For existing report consumers, the Dridex infections will be tagged as either "dridex-connection" (basic TCP connections from infected computers) or "dridex-data" (decoded/decrypted communications from infected computers) in the Drone report. The source will be listed as "dridex-sinkhole". The "cc" IP addresses listed can be used for detecting outbound network connections from infected victim systems.

You can obtain free nightly reports for your networks by signing up for them here.

Am I Infected, How Do I Stay Safe?

Law Enforcement have worked closely with partners in the anti-virus industry to provide tools to disinfect infected computers, and links to their tools are provided below. In order to maximize the chances of being protected from any malware The Shadowserver Foundation recommends that computer users should:


Online Scanner (Windows Vista, 7 and 8)

Online Scanner (Windows XP)


Stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)


Scanner (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)


Scanner (Windows XP (SP2) and above)

Trend Micro

Scanner (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)


The statistics shown below are the numbers of unique IP Addresses seen connecting to the Dridex infrastructure.

Statistics on historical trends of Dridex infections can be found at:

All devices infected with Dridex

Dridex Infection Map

(Click image to enlarge)

If you would like to see more regions click here

All devices infected with Dridex

Dridex Infection Hilbert

(Click image to enlarge)

The Shadowserver Foundation is a non-profit organization that provides infection notification and remediation information for many types of computer security threats. If you are a hosting provider, internet provider or a CERT with a constituency you can sign up to receive free nightly reports on your networks.

Copyright © 2015 · All Rights Reserved · The Shadowserver Foundation