Feodo (also known as Cridex or Bugat) is a Trojan used to commit ebanking fraud and steal sensitive information from the victim's computer, such as credit card details or credentials. At the moment, Feodo Tracker is tracking four versions of Feodo, which it labels version A, version B, version C and version D:

  • Version A: Hosted on compromised webservers running an nginx proxy on port 8080 TCP forwarding all botnet traffic to a tier 2 proxy node. Botnet traffic usually directly hits these hosts on port 8080 TCP without using a domain name.
  • Version B: Hosted on servers rented and operated by cybercriminals for the exclusive purpose of hosting a Feodo botnet controller. These usually take advantage of a domain name within the ccTLD .ru. Botnet traffic usually hits these domain names using port 80 TCP.
  • Version C: Successor of Feodo, completely different code. Hosted on the same botnet infrastructure as Version A (compromised webservers, nginx on port 8080 TCP or port 7779 TCP, no domain names) but using a different URL structure. This version is also known as Geodo and Emotet.
  • Version D: Successor of Cridex. This version is also known as Dridex.

The new malware is built on completely different code than Feodo, but the crypto code used for the botnet C&C communication seems to be almost the same as that used by Feodo. In addition, Geodo uses the same botnet C&C infrastructure and distribution mechanism as Feodo. Moreover, the new malware is aimed at committing ebanking fraud – just like Feodo.


In short: Xor.DDoS is a multi-platform, polymorphic malware for Linux OS and its ultimate goal is to DDoS other machines. The name Xor.DDoS stems from the heavy usage of XOR encryption in both malware and network communication to the C&Cs (command and control servers).

The malware enters the system through weak root passwords, or the attackers brute-force their way in. A less common possibility is exploitation of a vulnerable service that you have running.

This variant copies itself over to /lib/, then creates a copy in /etc/init.d and a symbolic link to /usr/bin. Afterwards a new cron script is created and added to the crontab.
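A defender-side check for the layout described above, as an added example that is not part of the original page: it flags files whose bytes appear in both /lib and /etc/init.d, /usr/bin symlinks that point at them, and cron files that mention them. The function name `audit_root` and the matching by SHA-256 are assumptions of this example, not indicators published by the source.

```python
import hashlib
import os
from pathlib import Path


def _files(directory):
    """Non-empty regular files directly inside directory (symlinks skipped)."""
    if not directory.is_dir():
        return []
    return sorted(p for p in directory.iterdir()
                  if p.is_file() and not p.is_symlink() and p.stat().st_size)


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_root(root="/"):
    """Return (kind, path, detail) findings; paths are as the audited host sees them."""
    root = Path(root)

    def host_path(p):
        return "/" + os.path.relpath(p, root)

    findings, suspects = [], set()
    # 1. The same bytes present in both /lib and /etc/init.d.
    lib_hashes = {}
    for f in _files(root / "lib"):
        lib_hashes.setdefault(_digest(f), []).append(f)
    for f in _files(root / "etc/init.d"):
        for twin in lib_hashes.get(_digest(f), []):
            suspects.update({host_path(f), host_path(twin)})
            findings.append(("duplicate", host_path(twin), host_path(f)))
    # 2. /usr/bin symlinks that point at one of those files. Targets are
    #    normalised as host paths so a mounted disk image can be audited too.
    usr_bin = root / "usr/bin"
    for link in sorted(usr_bin.iterdir()) if usr_bin.is_dir() else []:
        if link.is_symlink():
            target = os.path.normpath(os.path.join("/usr/bin", os.readlink(link)))
            if target in suspects:
                findings.append(("symlink", host_path(link), target))
    # 3. Cron files (/etc/crontab, /etc/cron.*/) that mention one of those files.
    cron_files = [root / "etc/crontab"]
    for d in sorted((root / "etc").glob("cron.*")):
        cron_files += _files(d)
    for f in cron_files:
        text = f.read_text(errors="replace") if f.is_file() else ""
        findings += [("cron", host_path(f), s) for s in sorted(suspects) if s in text]
    return findings
```

Run it as root against `/` on a live host, or pass the mount point of a disk image; a cron match is a plain substring test, so review each hit by hand.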

"Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks," Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit, said in a statement. "XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks."
