Akamai: Strength of ‘BillGates’ botnet of Linux machines is increasing

A botnet consisting of Linux systems infected with so-called BillGates malware is on the rise, Akamai claims based on research. The botnet is said to have been used for ddos ​​attacks and has gained momentum after previous actions against the XOR botnet.

Akamai labels the BillGates botnet “high risk factor” in his security advisory from the Security Intelligence Research Team. According to Akamai, the malware used for the botnet was first discovered in 2014 by a Russian IT site and the malware builds on the source code of the Elknot malware. The origin is said to be in Asia and the botnet also aims to shut down Asian game companies in particular with its DDOs attacks, the report says.

The attacks bear similarities to those of the XOR botnet, which previously targeted Asian companies but was dismantled last year. There is a chance that XOR’s administrators have picked up the thread again with the BillGates network, Akamai suspects.

The malware originates from a builder, with which malicious parties can create their own variants of BillGates. The resulting toolkit can perform ddos ​​attacks, open ports and take over an entire system. At the end of 2015, the research team detected an attack with a total distributed bandwidth of 308Gbit/s. The BillGates malware, like XOR, does not infect Linux systems directly through vulnerabilities, but by searching the Internet for minimally secure ssh servers and bruteforce discovering passwords.

As is often the case with security investigations, the outcome cannot be separated from the commercial interest of the investigating party, in this case Akamai provides services to protect against DDO attacks.