Botnet Trend Report-10

Botnet Trend Report-10

agosto 21, 2019 | Mina Hao

4.2 BillGates: Best Cross-Platform Family

In February 2014, a new botnet family was reported by the Russian website, habr5 and named BillGates because of its bill and gates modules. Subsequently the research group, MalwareMustDie reported that botnet family was operated by a Chinese hacker group, closely related with other known families such as ChinaZ and Elknot. This has helped BillGates attract wide attention.BillGates is a cross-platform bot family mainly running on *nix platforms. Within four years after its appearance, the BillGates family has grown to include a series of variants such as Webtoos for Windows and BillGates.lite for infecting embedded devices like ARM.

NSFOCUS research shows that BillGates provides UIs making it easier to use and, thus gaining popularity among hacking organizations.

Since the first attack found related with BillGates, Fuying Laboratory has been tracking this family. In the first quarter of 2018, BillGates was extremely active and conducted multiple campaigns in a short period of time and then suddenly stopped. However, the series of attack campaigns lasted long enough against a wide variety of targets that it makes this botnet family worth analyzing and tracking.

4.2.1 Evolution of the Family

BillGates has two widespread variants: V1 and V2. V1 uses RSA encryption to encrypt configuration files, while V2 uses custom algorithms. These two early variants were the major perpetrators of BillGates attacks during the first quarter of 2018. Samples seen based on other variants, such as the webtools strain, were also captured, but the quantity of their samples were small and their instructions seen were limited in number, indicating that these other variants were incapable of launching really damaging attacks.

We believe that this is due to low compatibility between variants. During the active period of attacks, the number of BillGates samples seen reached a record high in Q1 2018 and then rapidly dwindled to nearly 0 after May.

The code structure of BillGates samples is relatively stable. A vast majority of variants use the same attack code, with few additions. According to the samples that NSFOCUS has on hand, BillGates still uses DDoS attack code written in 2016 and before. V2, other than the code for attacking TCP-based DNS servers, has nothing new compared with V1.


To be continued.