The Bill Gates/bot family of malware continues to be used to facilitate distributed denial of service (DDoS) attacks, allowing bad actors to seize full control of infected systems, according to a threat advisory from Akamai's Security Intelligence Research Team (SIRT), which ranked the risk factor as “high.”
The researchers noted that the attack vectors in the toolkit of the malware, which was revealed on a Russian website in 2014, include ICMP flood, TCP flood, UDP flood, SYN flood, HTTP Flood (Layer7), and DNS query-of-reflection flood.
“This malware is an update and reuse of the Elknot's malware source code,” the advisory said. “Over the years, the botnets composed of it have grown, and today's botnets are launching significantly large attacks.”
Akamai's SIRT believes the malware, like the XOR botnet, originated in Asia, with attackers “using the same methods for infection, which are primarily SSH brute force attempts for root login credentials.” Previous reports, the researchers said, had the infection methods including an ElasticSearch Java VM vulnerability.
“The botnet targets are the same as the XOR botnet, most of which are hosted in Asia and online gaming institutions,” the advisory noted.
In Q4 2015, Akamai SIRT noted that the XOR C2 had become inactive, presumably as part of a takedown operation. With XOR C2 out of commission, the attackers began to take aim at the same target list, using BillGates Botnet to launch DDoS attacks.
Researchers said that after the malware had decrypted its configuration file, “execution jumps directly to the malware's main functionality, which first checks the value of the g_GatesTypes global variable.” Depending on the value, determined by the filename and path of execution, the malware performs one of four functions.
Once the initial phases have been completed, resulting in the malware being rooted in the system, the malware runs a “multi-threaded” MainProcess function “responsible for opening communication with the C2 server(s), parsing commands, and launching DDoS attacks,” the advisory said.
The most popular payloads observed by the team SYN and DNS Floods.
Attack campaigns, which vary from many to hundreds of Gbps, are aimed at Asia-based organizations, mostly in the gaming and entertainment sector.
While the malware can spoof source addresses from infected machines, Akamai SIRT said more commonly the source in the attacks it observed were infected machines. “This is likely due to an inability to route spoofed traffic from the infected host's network,” the advisory said.