BillGates – The Botnet That Spares Windows Machines

Gone are the days when Linux machPenguin-ID11834-640x427ines had that reputation of being immune to malware. Today, Linux systems, like their Windows counterparts, can even be ensnared into botnets that launch highly disruptive DDoS attacks. One such botnet family has been gaining considerable attention of late, largely in part because of its name – BillGates.

Much to the chagrin of Linux zealots, the BillGates malware is designed to infect only Linux machines. BillGates, which is based on the Elknot’s malware source code, is believed to be aimed at the same targets as XOR DDoS, a trojan that gained notoriety in 2015 but was eventually subject to a takedown by the authorities.

Like XOR DDoS, BillGates infects Linux systems and then allows attackers to control the infected machines through one or more C2 (command-and-control) servers. In most cases, the zombie computers are directed to conduct DDoS attacks. This particular toolkit supports a variety of attack vectors, including: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7), and DNS query-of-reflection flood.


How BillGates infects and attacks

Unlike most botnet malware, BillGates doesn’t use phishing to infect. Instead, its attackers carry out brute force attacks on Linux SSH services in order to acquire root login credentials. Once they’ve acquired the passwords and gained access, the attackers then execute a bash script that would in turn download and run the malware on the compromised machine.

As soon as the malware is installed, it then performs a handful of functions that include the following:

  • Carry out persistence mechanisms. This is to ensure that it’s able to infect the host for as long as it needs to;
  • Replace system tools with corrupted versions. BillGates replaces tools like /bin/netstat, /bin/lsof, /bin/ps, and others that may be used for checking the integrity of the system. If, for example, /bin/ps is replaced, you won’t be able to view the actual processes running on your system.
  • Check its own health and integrity. If it discovers that something’s amiss, BillGates re-executes the main program and re-infects the host.
  • Contacts its C2 and executes commands. Once everything is in place, the malware communicates with its C2 server, receives commands from the server, and then executes the commands, which range from launching DDoS attacks to executing shell commands.

Like many nefarious kits these days, BillGates comes with a “builder” which allows just about anyone to create their own version of the malware. Thus, several botnets running their own variations of BillGates could be attacking their own separate targets around the globe as we speak.

More details can be found in Akamai’s threat advisory


Countering botnets

Because botnets pose such a serious threat to business, it’s important to prevent, detect, and act on botnet infections. We can help you in that regard. Our deep understanding of botnets has enabled us to assist businesses in countering some of the deadliest botnets ever. Please visit us online for more details and to register for a free online session.

Mariposa Botnet: Iserdo on Trial

Slovenia (Photo credit: phault)
Slovenia is more than a beautiful European country. Surrounded by Austria, Hungary, Croatia
and Italy, it offers a fascinating history, from their celebrated wines and prehistoric caves to their majestic castles. They have a strong showing at the London Olympic Games too, receiving four Olympic medals to date: one gold, one silver and two bronze. (They have the best per capita medal of the 59 countries that have medals.)
Not everything coming from Slovenia however is a source of pride. On August 7th, the trial began for malware kit author Matjaž Škorjanc, 26, AKA Iserdo. Iserdo is being tried as the purported ‘mastermind’ behind the Mariposa botnet.
The Mariposa botnet is famous for its widespread reach into more
than half of the Fortune 1,000 companies and more than 40 major banks. Its main focus being information theft, the Mariposa botnet was used to steal PII and various login credentials from its victims. Spanish police arrested three men in 2010 who were believed to be running the botnet. Iserdo, now on trial, was connected as the author of the original malware used as the foundation for Mariposa.
Robert Swan Mueller III (born August 7, 1944) ...
Robert Swan Mueller III (born August 7, 1944) – Director of the United States Federal Bureau of Investigation (Photo credit: Wikipedia)

FBI director, Robert S. Mueller III as quoted in the Inquirer,

 “In the last two years, the
software used to create the Mariposa botnet was sold to hundreds of other
criminals, making it one of the most notorious in the world. These cyber
intrusions, thefts, and frauds undermine the integrity of the Internet and the
businesses that rely on it; they also threaten the privacy and the pocketbooks
of all who use the Internet.”
Defence Intelligence, due to its direct involvement with Mariposa, will be closely watching the outcome of the trial, but these kinds of legal proceedings are important to the security community as a whole.  Progress is being made worldwide in regards to punishing those behind malware and botnets, but conviction is often based on very specific or very vague laws.

Georgy Avanesov, the author of the Bredolab malware, received a four year sentence in Armenian courts only three months ago. His sentencing was based on the use of the malware for DDoS attacks. His charges for creating and distributing the malware however, as well as using it for data theft, were dropped.

Just last month three men in Britain were sentenced to multiple years in prison for violating the British Computer Misuse Act of 1990. They were using SpyEye malware to steal banking credentials from compromised users.

Let’s hope Slovenian law is able to encompass Iserdo’s deeds and find a proper sentencing. I know little of Slovenia’s cybercrime laws, but considering Iserdo only wrote the initial malware, conviction may not be imminent. 

For more details
on the identification and dismantling the Mariposa botnet visit:
Enhanced by Zemanta

Cloudy Skies

Before the StormImage by premasagar via Flickr

Storm talk is thundering across the security blog horizon. Despite the consensus that this spam monster is indeed a Storm relative, there is some argument over just how NEW this new Storm is.

Several people have taken a look at the spam spewing samples, digging into the malware’s functionality as well as its communication, and the templates used for generating the various spam emails. They have found major similarities between several aspects of the new and old Storm fronts, including filename usage and user-agent typos (Windoss instead of Windows), but the more recent version has excluded the peer to peer portion of the code.

Atif Mushtaq at FireEye writes that these are all details he observed on a Storm variant back in 2008. So is this old news? Nothing about what is being called Pecoan (another name in the long list: Nuwar, Peacomm, Zhelatin, Dorf) is really more sophisticated than its predecessor and the samples I ran only connected with one static IP, so I don’t think this Storm will be as violent as the last. The creators of the original Storm have had enough time to code a better botnet so perhaps this is just a rediscovery of a forgotten remnant.

Right now compromised systems are sending out online pharmacy, adult dating, and nude celebrity emails. The template design allows for a wide array of sender names, subjects, message content, and destination URLs. The malware harvests email addresses from the victim machines and sends Base64 encoded POSTS to pass information and report in to its C&C.

As always, be cautious while online and when in doubt, don’t click.

Matt Sully
Threat Research & Analysis

Reblog this post [with Zemanta]

Lightning Crashes

statistical chart from

Zeus is undoubtedly one of the most prevalent malware being used for web based criminal activity. It has compromised thousands of systems and, though an exact count is unknown, an example like the Kneber/Zeus botnet reported by Netwitness showed that one collection of infected computers consisted of “75,000 systems in 2,500 organizations around the world.” There have certainly been larger botnets concentrated on data theft, but with fluxing configurations, binaries and the domains used for hosting, the array of zeus botnets have remained both widespread and dangerous. Then, on March 9th 2010, Zeus took a big hit to its infrastructure., who runs the ZeusTracker project, reported a significant drop in the active number of Zeus command and control servers, falling from 249 to 181 overnight. What they discovered was that the ISP Troyak (AS50215), and its dependent networks, had essentially been taken offline. These networks had been considered bulletproof hosting for Zeus domains, which means the hosting groups involved were believed to actively protect the malicious activity, ignore requests for ending it, or otherwise assumed by its users to be a safe zone for malicious domains.

While disconnecting thousands of compromised systems from their C&C domains is a great win, though likely a temporary one, no one knows who to congratulate. Security researchers assume it was an external takedown, but no one has stepped forward to be recognized. What is even more interesting, as mentioned by Brian Krebs, is that, 11 days prior to the Troyak switch-off, spam promoting Zeus also went into decline. On February 27th, as stated in Kreb’s blog, a large Zeus spamming gang stopped sending new spam.

For now we’ll just have to wonder who is behind this mysterious crusade against Zeus. It seems unlikely that it was the work of any security group or company as it is generally in our favor to promote such efforts. Perhaps a rival gang was involved and the “Zeus killer” feature in SpyEye wasn’t enough for them, or maybe somebody just thought to quit while they were ahead. That would be a novel idea.

Matt Sully
Threat Research & Analysis

Moments after posting this, Troyak found a new upstream provider and got back online. They have since moved to yet another provider, trying to evade a second disruption of “services.” Some would say they’re on the run.

Related articles by Zemanta

Reblog this post [with Zemanta]