In a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an interesting type of Linux malware.
You can find that particular blog below, in which I give some history, details, remediation and prevention in regards to the specific threat Xor.DDoS poses:
Notes on Linux/Xor.DDoS
This post will include some notes on Linux/BillGates, hereafter referred to as just ‘BillGates’, and rather than being very in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or feedback, leave a comment or contact me on Twitter.
What is BillGates?
BillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.
However, just as Xor.DDoS, it has limited rootkit and backdoor functionality and thus it’s possible remote commands are executed as well as additional malware downloaded.
|/etc/rcX.d/97DbSecuritySpt||Where X is a number, usually symlinks to /etc/init.d/DbSecuritySpt|
|/home/ll2||Identify all files with random names in /home/|
|/tmp/bill.lock||Identify all .lock files in /tmp/|
|/tmp/bill.lod||Contains Process ID (PID) of malware main module|
|Contains PID of malware main module|
|Contains PID of malware ‘watchdog’|
|/usr/bin/*.lock||Identify all .lock files in /tmp/|
|/usr/bin/bsd-port/getty/*.lock||Identify all .lock files in /usr/bin/bsd-port/getty/|
|/usr/bin/pojie||Identify all files with random names in /usr/bin/|
These modules are usually stored in /etc/, and will have the following names:
It may however be useful to use the find command in conjunction with these names, in case they are residing in a different location than /etc/.
How can I identify other modifications BillGates made?
BillGates does create aliases and/or modifies/replaces files which are typically used to monitor processes or the network. The following may be replaced:
Additionally, check for any potentially created jobs by looking in:
/etc/cron.X where X is a name or folder, for example /etc/cron.daily.
You may also wish to look in:
While the ps command may be replaced, top is not. Run the top command and verify any illegitimate processes, usually they will be randomly named. Alternatively, identify the *.lod and *.lock files, and use cat for example to read them, and identify the PID of the malware.
Then, use kill to end the malicious process(es), and remove the files or artefacts as indicated in the table above.
Afterwards, use mv to move the legitimate files back to their original location. You can also use a file manager to easily move them, if you have one.
You may also use an anti-virus to identify and remove any malicious files, for example ClamAV does a great job – BillGates is a rather older botnet by now and thus most antiviruses should have coverage for it. Don’t forget to update the anti-virus’ signatures first, if needed.
This same explanation but step-by-step to make it easy:
- Identify malicious processes: use top or check the PID in BillGates’ config files;
- Kill malicious processes: use kill -9
- Remove malicious files and folders, see the sections above;
- Replace potentially hijacked files and restore them to their original location, see also above:
- Identify any malicious tasks and delete them as indicated above;
- Run top again to verify there are no malicious processes left;
- Run an anti-virus or anti-malware as a secondary opinion;
- Change your passwords, better be safe than sorry!
LiquidWeb – How to Display (List) All Jobs in Cron / Crontab
MakeUseOf – The 7 Best Free Linux Anti-Virus Programs
MalwareMustDie – ChinaZ made new malware: ELF Linux/BillGates.Lite
Netlab 360 – New Elknot/Billgates Variant with XOR like C2 Configuration Encryption Scheme
ThisIsSecurity – When ELF.BillGates met Windows
ValdikSS (Github) – BillGates botnet tracker
This is a Security Bloggers Network syndicated blog post. Read the original at: Blaze's Security Blog 2017-12-03.