SYMBOLCOMMON_NAMEaka. SYNONYMS
win.billgates (Back to overview)

BillGates


BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.

BillGates is available for *nix-based systems as well as for Windows.

On Windows, the (Bill)Gates installer typically contains the various modules as linked resources.

References
2022-03-02Bleeping ComputerBill Toulas
@online{toulas:20220302:log4shell:fa4dfeb, author = {Bill Toulas}, title = {{Log4shell exploits now used mostly for DDoS botnets, cryptominers}}, date = {2022-03-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/log4shell-exploits-now-used-mostly-for-ddos-botnets-cryptominers/}, language = {English}, urldate = {2022-03-07} } Log4shell exploits now used mostly for DDoS botnets, cryptominers
Kinsing Tsunami BillGates
2021-10-22FortinetCara Lin
@online{lin:20211022:recent:248c7d4, author = {Cara Lin}, title = {{Recent Attack Uses Vulnerability on Confluence Server}}, date = {2021-10-22}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/recent-attack-uses-vulnerability-on-confluence-server}, language = {English}, urldate = {2021-10-26} } Recent Attack Uses Vulnerability on Confluence Server
Tsunami BillGates
2017-12-03Blaze's Security BlogBartBlaze
@online{bartblaze:20171203:notes:53a752f, author = {BartBlaze}, title = {{Notes on Linux/BillGates}}, date = {2017-12-03}, organization = {Blaze's Security Blog}, url = {https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html}, language = {English}, urldate = {2020-01-13} } Notes on Linux/BillGates
BillGates
2016-04-04AkamaiAkamai
@techreport{akamai:20160404:threat:14239df, author = {Akamai}, title = {{Threat Advisory: “BillGates” Botnet}}, date = {2016-04-04}, institution = {Akamai}, url = {https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf}, language = {English}, urldate = {2020-01-07} } Threat Advisory: “BillGates” Botnet
BillGates
2015-09-30ThisIsSecurityBenoît Ancel
@online{ancel:20150930:when:ed6915f, author = {Benoît Ancel}, title = {{When ELF.BillGates met Windows}}, date = {2015-09-30}, organization = {ThisIsSecurity}, url = {https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/}, language = {English}, urldate = {2020-01-13} } When ELF.BillGates met Windows
BillGates
2014-07-10Kaspersky LabsMikhail Kuzin
@online{kuzin:20140710:versatile:0c64d25, author = {Mikhail Kuzin}, title = {{Versatile DDoS Trojan for Linux}}, date = {2014-07-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/versatile-ddos-trojan-for-linux/64361/}, language = {English}, urldate = {2019-12-20} } Versatile DDoS Trojan for Linux
BillGates
2014-02-06HabrValdikSS
@online{valdikss:20140206:linux:19651d6, author = {ValdikSS}, title = {{Исследуем Linux Botnet «BillGates»}}, date = {2014-02-06}, organization = {Habr}, url = {https://habrahabr.ru/post/213973/}, language = {Russian}, urldate = {2020-01-07} } Исследуем Linux Botnet «BillGates»
BillGates
Yara Rules
[TLP:WHITE] win_billgates_auto (20230407 | Detects win.billgates.)
rule win_billgates_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.billgates."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7408 3c22 7404 3c30 7504 }
            // n = 5, score = 200
            //   7408                 | xor                 al, al
            //   3c22                 | dec                 eax
            //   7404                 | mov                 ecx, dword ptr [esp + 0x40]
            //   3c30                 | dec                 eax
            //   7504                 | mov                 dword ptr [edi + 0x20], 0xf

        $sequence_1 = { 3bf0 7604 2bf0 eb04 2bc6 }
            // n = 5, score = 200
            //   3bf0                 | inc                 ecx
            //   7604                 | mov                 eax, 8
            //   2bf0                 | dec                 eax
            //   eb04                 | mov                 ecx, ebx
            //   2bc6                 | jmp                 0xde

        $sequence_2 = { 750c ff15???????? 8bd8 f7db }
            // n = 4, score = 200
            //   750c                 | push                edi
            //   ff15????????         |                     
            //   8bd8                 | dec                 eax
            //   f7db                 | sub                 esp, 0x20

        $sequence_3 = { 3c21 7408 3c23 7404 3c24 }
            // n = 5, score = 200
            //   3c21                 | lea                 edx, [ebp + 0x1c]
            //   7408                 | mul                 ecx
            //   3c23                 | shr                 edx, 2
            //   7404                 | lea                 eax, [edx + edx*4]
            //   3c24                 | lea                 edx, [ebp + 0x28]

        $sequence_4 = { 3c11 7408 3c22 7404 }
            // n = 4, score = 200
            //   3c11                 | cmp                 ecx, dword ptr [esp + 0x2c]
            //   7408                 | jbe                 0x1bf
            //   3c22                 | sub                 eax, dword ptr [esp + 0x2c]
            //   7404                 | mov                 ecx, edi

        $sequence_5 = { ff15???????? 83f8ff 7508 ff15???????? f7d8 85c0 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   83f8ff               | dec                 esp
            //   7508                 | mov                 eax, ebp
            //   ff15????????         |                     
            //   f7d8                 | dec                 eax
            //   85c0                 | lea                 edx, [esp + 0x48]

        $sequence_6 = { 3c10 740c 3c11 7408 3c22 7404 }
            // n = 6, score = 200
            //   3c10                 | mov                 byte ptr [ebp], cl
            //   740c                 | dec                 eax
            //   3c11                 | inc                 ebp
            //   7408                 | xor                 al, al
            //   3c22                 | mov                 esi, ebx
            //   7404                 | xor                 al, al

        $sequence_7 = { 740c 3c11 7408 3c22 7404 3c30 7504 }
            // n = 7, score = 200
            //   740c                 | mov                 ebx, dword ptr [ebx + 0x30]
            //   3c11                 | dec                 ecx
            //   7408                 | mov                 ebp, dword ptr [ebx + 0x38]
            //   3c22                 | dec                 eax
            //   7404                 | mov                 dword ptr [esp + 0x78], ebp
            //   3c30                 | dec                 eax
            //   7504                 | mov                 ecx, dword ptr [esp + 0x50]

        $sequence_8 = { 3c21 7408 3c23 7404 }
            // n = 4, score = 200
            //   3c21                 | mov                 eax, dword ptr [ebx + 0xc]
            //   7408                 | cmp                 ebx, dword ptr [eax + 0x18]
            //   3c23                 | jne                 0x1d
            //   7404                 | mov                 eax, dword ptr [ebx + 0x40]

        $sequence_9 = { 7408 3c22 7404 3c30 }
            // n = 4, score = 200
            //   7408                 | mov                 dword ptr [esp + 0x48], ebx
            //   3c22                 | mov                 dword ptr [esp + 0x38], ebx
            //   7404                 | push                ecx
            //   3c30                 | mov                 dword ptr [esp + 0x5c], ebx

    condition:
        7 of them and filesize < 801792
}
Download all Yara Rules