By Bill Brenner, Akamai SIRT Senior Tech Writer
Akamai's Security Intelligence Research Team (SIRT) continues to see the BillGates trojan/bot family of malware being used to launch DDoS attacks. Attackers who control the malware -- first disclosed on a Russian IT website in February 2014 -- can gain full control of infected systems.
Akamai SIRT member Tsvetelin Choranov led the research effort outlined in this advisory.
The attack vectors available within the toolkit include: ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7) and DNS reflection floods. This malware is an update and reuse from the Elknot's malware source code. It's been detected in the wild for a few years now. Over the years the botnets composed of it have grown and today's botnets are launching significantly large attacks.
There is a possibility that after the takedown of Xor botnet, that the malware actors began using different means and/or different botnets to continue their onslaught of attacks directed at the same primary group of targets. This awareness of activity observed by Akamai over the last 6 months has also warranted the release of this advisory.
The botnet targets are similar to previously confirmed Xor botnet activity, most of the organizations are located in the Asia region and are online gaming institutions.
Akamai SIRT observed inactivity from an Xor C2 back in Q4 2015, which was publicly announced by a third party source and believed to be part of a takedown operation. Once that occurred, we believe the attackers started using the Bill Gates BOTNET to launch attacks against the same target list.
This advisory includes a couple of validated DDoS attack campaigns we have mitigated and an example of it being used as one of the source tools in combination with the use of a booter site. We also cover the detection of malware infections, identifying attack patterns from this botnet and how to clean an infected machine.
Not One But Many Botnets
The malware sample is generated by what's called a "Builder" -- a piece of software that creates a variant of the actual Bill Gates malware. This allows anybody to build their own customized version of the malware, with their own C2 they control and start infecting machines thus creating their own BOTNET.
The Bill Gates malware is capable launching Layer ¾ and Layer 7 based DDoS attacks. Bill Gates botnets have grown significantly and are large enough to launch 100 + Gbps of attack traffic independently but are also used in conjunction with other DDoS frameworks.