BillGates Backdoor

BillGates, also known as Setag, is a backdoor and distributed denial-of-service botnet generated using a builder.

Threat ID:: CC-3164
Category:: Backdoor, Botnet
Threat Severity:: Low
Threat Vector:
Published:: 25 July 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

BillGates, also known as Setag, is a backdoor and distributed denial-of-service botnet generated using a builder.

Affected platforms

The following platforms are known to be affected:

Linux

Linux - Most popular distributions

Elasticsearch - Versions 1.3.x prior to 1.3.8 and 1.4.x prior to version 1.4.3

ElasticSearch

Threat details

As each attacker can create their own variants with separate command and control (C2) configurations and associated botnets, there are many campaigns observed using BillGates, each with a different delivery method. Observed delivery methods include:

Installation after a successful SSH Brute force attack
Exploitation of a remote arbitrary command execution vulnerability in the Groovy scripting engine of Elasticsearch
Downloaded by other malware post exploitation

Once deployed on the target machine, BillGates carries out a series of system checks including checking for:

the presence of a debugger.
tampering of the malware's files.
previous versions of itself and updating if necessary.

To ensure BillGates is ran when the system boots up, links to its files are added to each Linux run level. Finally, the C2 server is contacted to add the infected machine to its associated botnet.

For further information

CVE-2015-1427

Remediation steps

Type	Step
	To prevent and detect an infection, ensure that: A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

To prevent and detect an infection, ensure that:

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

CVE Vulnerabilities

Status

CVE-2015-1427

Last edited: 14 February 2020 2:48 pm