Gone are the days when Linux machines had that reputation of being immune to malware. Today, Linux systems, like their Windows counterparts, can even be ensnared into botnets that launch highly disruptive DDoS attacks. One such botnet family has been gaining considerable attention of late, largely in part because of its name – BillGates.
Much to the chagrin of Linux zealots, the BillGates malware is designed to infect only Linux machines. BillGates, which is based on the Elknot’s malware source code, is believed to be aimed at the same targets as XOR DDoS, a trojan that gained notoriety in 2015 but was eventually subject to a takedown by the authorities.
Like XOR DDoS, BillGates infects Linux systems and then allows attackers to control the infected machines through one or more C2 (command-and-control) servers. In most cases, the zombie computers are directed to conduct DDoS attacks. This particular toolkit supports a variety of attack vectors, including: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7), and DNS query-of-reflection flood.
How BillGates infects and attacks
Unlike most botnet malware, BillGates doesn’t use phishing to infect. Instead, its attackers carry out brute force attacks on Linux SSH services in order to acquire root login credentials. Once they’ve acquired the passwords and gained access, the attackers then execute a bash script that would in turn download and run the malware on the compromised machine.
As soon as the malware is installed, it then performs a handful of functions that include the following:
- Carry out persistence mechanisms. This is to ensure that it’s able to infect the host for as long as it needs to;
- Replace system tools with corrupted versions. BillGates replaces tools like /bin/netstat, /bin/lsof, /bin/ps, and others that may be used for checking the integrity of the system. If, for example, /bin/ps is replaced, you won’t be able to view the actual processes running on your system.
- Check its own health and integrity. If it discovers that something’s amiss, BillGates re-executes the main program and re-infects the host.
- Contacts its C2 and executes commands. Once everything is in place, the malware communicates with its C2 server, receives commands from the server, and then executes the commands, which range from launching DDoS attacks to executing shell commands.
Like many nefarious kits these days, BillGates comes with a “builder” which allows just about anyone to create their own version of the malware. Thus, several botnets running their own variations of BillGates could be attacking their own separate targets around the globe as we speak.
More details can be found in Akamai’s threat advisory
Because botnets pose such a serious threat to business, it’s important to prevent, detect, and act on botnet infections. We can help you in that regard. Our deep understanding of botnets has enabled us to assist businesses in countering some of the deadliest botnets ever. Please visit us online for more details and to register for a free online session.