Security Researchers Warn: High-Risk Linux Malware Targeted to Build DDoS Attacks
Over the last six months, Akamai's SIRT security research team has noticed a shift in the cyber-criminal underground toward botnets built with the BillGates malware for launching massive 100+ Gbps DDoS attacks.
BillGates is a fairly old malware family that targets Linux machines running in server environments. Its main purpose is to infect servers and link them together into a botnet controlled through a central C&C server, which instructs the bots to start DDoS attacks against their targets.
The malware has been around for some years and, partly because of its name, is probably one of the best-known Linux-targeting malware families.
Former XOR botnet operators have reverted to using BillGates. A BillGates botnet is capable of launching Layer 3, 4, and 7 DDoS attacks; more precisely, it supports ICMP floods, TCP floods, UDP floods, SYN floods, HTTP floods and DNS reflection floods.
According to ASIRT (Akamai's Security Intelligence Research Team), ever since the XOR DDoS botnet, which was also Linux-based, was taken down a few months back, the hacking outfits behind it have switched to the BillGates botnet for their attacks.
While it is not as powerful as the XOR botnet, which was capable of launching 150+ Gbps attacks, BillGates attacks can exceed 100 Gbps when needed.
Furthermore, Akamai observed that the gang that operated the XOR botnet has also switched to using the BillGates malware: the security and CDN provider is seeing DDoS attacks on the very same targets the XOR botnet crew was previously attacking.
Most of the BillGates DDoS attacks have targeted Asian online gaming servers. DDoS attacks launched with this botnet have been seen targeting Asia-based companies and their digital properties, mostly in the online gaming sector.
Beyond the original XOR group, the malware has been used by multiple crews to create their own botnets and has served as the base for other Linux-based DDoS malware.
The BillGates malware is available for purchase on underground hacking forums and comes in the form of a "malware builder" that lets each group produce its own variant, which can run against its own C&C servers.
Last June, Akamai noticed a related spike in DDoS attacks coming from botnets built with the BillGates malware.
Then, in February of this year, IBM Managed Security Services noticed an increase in security events connected with this botnet over a span of three days.
The traffic then collapsed and stayed flat until early May. Since May 6, though, the team has noticed a noteworthy increase in traffic that has remained elevated.
Currently, most of this traffic is attributed to the BillGates botnet attempting to perform DNS Distributed Denial-of-Service (DDoS) attacks with packet spoofing.
The threat actors behind the BillGates botnet are not known. In May 2015, the destination IP connected with the majority of the observed traffic was 220.127.116.11.
This IP originates in China and has been established to be linked with the BillGates botnet. Similarly, in February of this year, the majority of the traffic observed was also associated with another IP in China, 18.104.22.168.