XOR botnet authors migrate to using BillGates malware
Over the past six months, security researchers from Akamai’s SIRT team have observed a shift in the cyber-criminal underground to using botnets created via the BillGates malware to launch massive 100+ Gbps DDoS attacks.
The BillGates malware is a relatively old malware family aimed at Linux machines running in server environments. Its primary purpose is to infect servers and link them into a botnet controlled via a central C&C server, which instructs the bots to launch DDoS attacks at their targets.
The malware has been around for some years and due to its (irony-filled) name is probably one of the most well-known Linux-targeting malware families.
Former XOR botnet operators reverted to using BillGates
A BillGates botnet is capable of launching Layer 3, 4, and 7 DDoS attacks. More specifically, it supports ICMP floods, TCP floods, UDP floods, SYN floods, HTTP floods and DNS reflection floods.
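To make the list of flood types above concrete from the defender's side, here is an added example (not Akamai's code and not anything from the malware itself) that classifies constructed flow records per destination into the volumetric flood kinds named in the paragraph. The record layout, the thresholds (MIN_FLOWS, SHARE_THRESHOLD, DNS_AMP_BYTES_PER_PKT) and the sample traffic are all assumptions chosen for illustration; note that HTTP floods look like ordinary TCP sessions at the flow layer and are deliberately not flagged here, since they need application logs to detect.

```python
"""Flow-level classifier for ICMP, UDP, SYN and DNS-reflection floods.

Added example; not Akamai SIRT code and not BillGates code. Flow layout,
thresholds and sample traffic are assumptions made for this illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    tcp_flags: str   # e.g. "S", "SA", "PA"; "" for non-TCP
    packets: int
    bytes: int


MIN_FLOWS = 50               # assumed: below this a destination is not evaluated
SHARE_THRESHOLD = 0.8        # assumed: one kind must dominate to call it a flood
DNS_AMP_BYTES_PER_PKT = 500  # assumed: amplified DNS answers are large per packet
FLOOD_KINDS = {"icmp_flood", "udp_flood", "syn_flood", "dns_reflection"}


def classify_flow(f: Flow) -> str:
    """Map one flow record to the flood kind it would belong to."""
    if f.proto == "icmp":
        return "icmp_flood"
    if f.proto == "udp":
        # Reflection: traffic arriving *from* port 53 with large packets, i.e.
        # DNS answers the victim never asked for.
        if f.src_port == 53 and f.bytes / max(f.packets, 1) >= DNS_AMP_BYTES_PER_PKT:
            return "dns_reflection"
        return "udp_flood"
    if f.proto == "tcp":
        # SYN-only, one- or two-packet flows never complete the handshake.
        if f.tcp_flags == "S" and f.packets <= 2:
            return "syn_flood"
        # Completed sessions (including HTTP floods) are indistinguishable from
        # legitimate traffic at this layer, so they are never flagged here.
        return "tcp_other"
    return "unknown"


def detect_floods(flows, min_flows=MIN_FLOWS, share=SHARE_THRESHOLD) -> dict:
    """Return {dst_ip: flood_kind} for destinations dominated by one flood kind."""
    per_dst = defaultdict(Counter)
    for f in flows:
        per_dst[f.dst_ip][classify_flow(f)] += 1
    verdicts = {}
    for dst, kinds in per_dst.items():
        total = sum(kinds.values())
        if total < min_flows:
            continue
        kind, n = kinds.most_common(1)[0]
        if kind in FLOOD_KINDS and n / total >= share:
            verdicts[dst] = kind
    return verdicts


def sample_flows():
    """Constructed sample traffic (not captured data) covering three cases."""
    flows = []
    # 100 SYN-only flows from many spoofed sources to one victim.
    for i in range(100):
        flows.append(Flow("tcp", f"198.51.100.{i % 250 + 1}", "203.0.113.10",
                          40000 + i, 80, "S", 1, 60))
    # 60 large UDP answers from port 53 of open resolvers to a second victim.
    for i in range(60):
        flows.append(Flow("udp", f"192.0.2.{i % 250 + 1}", "203.0.113.20",
                          53, 3000 + i, "", 1, 1200))
    # 10 ordinary completed web sessions to an unaffected host.
    for i in range(10):
        flows.append(Flow("tcp", f"192.0.2.{i + 1}", "203.0.113.30",
                          50000 + i, 443, "PA", 40, 30000))
    return flows


if __name__ == "__main__":
    for dst, kind in detect_floods(sample_flows()).items():
        print(f"{dst}: {kind}")
```

Per-destination dominance is used rather than raw packet rate so the same logic works on sampled NetFlow/sFlow as well as full captures; in production the thresholds would be tuned per host and evaluated over a sliding window.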
According to Akamai’s Security Intelligence Research Team (SIRT), ever since the XOR DDoS botnet, also Linux-based, was neutralized a few months ago, hacking outfits have switched to the BillGates botnet for their attacks.
While not as powerful as the XOR botnet, which was capable of launching 150+ Gbps attacks, BillGates attacks can go over 100 Gbps when needed.
Moreover, as Akamai noticed, the hacking crew that deployed the XOR botnet has also switched to using the BillGates malware: the CDN and cyber-security provider has seen DDoS attacks on the very same targets the XOR botnet crew was previously attacking.
Most BillGates DDoS attacks targeted Asian online gaming servers
DDoS attacks launched with this botnet were seen targeting Asia-based companies and their digital properties, mostly in online gaming.
Besides the original XOR crew, the malware has been used by multiple gangs to build different botnets and has even served as the base for other Linux-based DDoS malware.
The BillGates malware is available for purchase on underground hacking forums, and it comes in the form of a “malware builder” which allows each crew to generate its own strain that can run on different C&C servers.
Last June, Akamai observed a similar spike in DDoS attacks coming from botnets built with the BillGates malware.