• Stars: 134
• Rank: 270,967 (Top 6 %)
• Language: Python
• License: MIT License
• Created over 10 years ago
• Updated over 10 years ago


Repository Details

Some tools to monitor BillGates CnC servers

What's this?

Here are some tools written in Python to monitor BillGates Linux botnet activity (DDoS commands, update commands, etc.).

What's BillGates?

Well, that's a Linux botnet I found in February 2014. It is split into modules, usually named atddd, cupsdd, cupsddh, ksapdd, kysapdd, sksapdd and skysapdd.

cupsdd is the main module, which I call "Gates" (because it locks /tmp/gates.lock). It unpacks the cupsddh ("Bill") module (the last character of the name depends on the configuration) into the directory where cupsdd itself is stored (usually /etc), creates /etc/init.d/DbSecuritySpt with symlinks to it in /etc/rc[1-5].d/97DbSecuritySpt for persistence across reboots, and connects to the "Gates" CnC server at IP 116.10.189.246. Newer versions of the "Gates" module also include a monitor module, "moni": Gates copies itself to /usr/bin/pojie and acts as "moni" only when it is run as /usr/bin/pojie. "Bill" can perform simple DDoS.

atddd, ksapdd, kysapdd, sksapdd and skysapdd are copies of an advanced DDoS module which I call "Melinda" (it has no name of its own, so I gave it one). It can perform TCP, UDP, ICMP and DNS DDoS with forged (spoofed) packets. The only difference between these files is the hard-coded CnC server IP address:

atddd = 202.103.178.76
ksapdd = 121.12.110.96
kysapdd = 112.90.252.76
skysapdd = 112.90.22.197
sksapdd = 112.90.252.79

How can I get this botnet?

That's pretty easy: set your root password to "1" or something equally weak and make sure OpenSSH is running and reachable from the Internet. You'll get it in some time. The installation appears to be performed by a human operator once the password has been guessed, not automatically by a worm. The flip side is that the fix for the entry point is equally simple: set PermitRootLogin no (or at least PasswordAuthentication no) in sshd_config and use keys.

How can I delete this botnet from my PC?

Well, I have successfully removed this botnet by cleaning the root crontab, /etc/rc.local, /etc/init.d/DbSecuritySpt, /etc/rc[1-5].d/97DbSecuritySpt, all the botnet files in /etc (they all have the SUID bit set, and some of them have the immutable attribute, so rm fails on them until it is cleared with chattr -i), /etc/conf.n, /etc/cmd.n, /tmp/*.lock and /usr/bin/pojie. But beware: the "Bill" module contains code to run insmod /usr/lib/xpacket.ko and to write to /usr/lib/libamplify.so, so your machine could also be carrying a kernel rootkit (although I haven't seen one). Check for those two files before trusting a cleaned host.
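A read-only triage script, added here as an example and not part of the repository's own tools, that checks a host (or a mounted disk image, via the root prefix) for the dropped files, the SUID and immutable attributes, the rc.local/crontab persistence and the CnC addresses listed in the sections above. The paths, module names and IP addresses are the ones given in this README; the root crontab locations, the `ss -ntp` sample lines and the demo tree it builds for a dry run are constructed for illustration and are not real captures.

```python
"""Read-only triage for the BillGates indicators in this README (added example,
not part of the repository's tools): it reports, deletes nothing."""
import fcntl
import os
import re
import stat
import struct
import tempfile
from pathlib import Path

# Dropped files named in the README, relative to the inspected root.
FILE_IOCS = ["etc/init.d/DbSecuritySpt", "etc/conf.n", "etc/cmd.n", "usr/bin/pojie",
             "usr/lib/xpacket.ko", "usr/lib/libamplify.so"]   # last two: rootkit hooks in "Bill"
FILE_IOCS += [f"etc/rc{n}.d/97DbSecuritySpt" for n in range(1, 6)]
MODULE_NAMES = {"atddd", "cupsdd", "cupsddh", "ksapdd", "kysapdd", "sksapdd", "skysapdd"}
CNC_IPS = {                               # CnC address -> module that talks to it
    "116.10.189.246": "Gates (cupsdd)", "202.103.178.76": "Melinda (atddd)",
    "121.12.110.96": "Melinda (ksapdd)", "112.90.252.76": "Melinda (kysapdd)",
    "112.90.22.197": "Melinda (skysapdd)", "112.90.252.79": "Melinda (sksapdd)",
}
# rc.local plus the usual root crontab locations (Debian and RHEL layouts; an assumption).
PERSISTENCE_FILES = ["etc/rc.local", "var/spool/cron/crontabs/root", "var/spool/cron/root"]
# FS_IOC_GETFLAGS is _IOR('f', 1, long); the encoded size differs on 32- and 64-bit.
FS_IOC_GETFLAGS = 0x80086601 if struct.calcsize("l") == 8 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010


def is_immutable(path):
    """ext* immutable attribute (why plain rm fails on some drops); None if the fs can't say."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
        try:
            raw = fcntl.ioctl(fd, FS_IOC_GETFLAGS, b"\0" * struct.calcsize("l"))
        finally:
            os.close(fd)
    except OSError:
        return None
    return bool(struct.unpack("l", raw)[0] & FS_IMMUTABLE_FL)


def scan_host(root="/"):
    """Return (kind, detail) findings for the README's file and persistence indicators."""
    root, findings = Path(root), []
    for rel in FILE_IOCS:
        p = root / rel
        if p.is_symlink() or p.exists():
            findings.append(("path", str(p)))
    if (root / "tmp").is_dir():           # README: /tmp/*.lock, gates.lock in particular
        findings += [("lockfile", str(p)) for p in sorted((root / "tmp").glob("*.lock"))]
    if (root / "etc").is_dir():
        for p in sorted((root / "etc").iterdir()):
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue
            if p.name in MODULE_NAMES or re.fullmatch(r"cupsdd.", p.name):
                findings.append(("module", str(p)))
            if st.st_mode & stat.S_ISUID:     # README: every drop in /etc is SUID
                findings.append(("suid-in-etc", str(p)))
            if is_immutable(p):               # clear with chattr -i before removal
                findings.append(("immutable", str(p)))
    names = re.compile("|".join(map(re.escape, MODULE_NAMES | {"DbSecuritySpt", "pojie"})))
    for rel in PERSISTENCE_FILES:
        p = root / rel
        if p.is_file():
            for no, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
                if names.search(line):
                    findings.append(("persistence", f"{p}:{no}: {line.strip()}"))
    return findings


def match_cnc_connections(ss_output):
    """Pick connections to the known CnC addresses out of `ss -ntp` / `netstat -ntp` text."""
    hits = []
    for line in ss_output.splitlines():
        for ip, module in CNC_IPS.items():
            if re.search(rf"(?<![\d.]){re.escape(ip)}:\d+", line):
                hits.append((ip, module, line.strip()))
    return hits


# Constructed `ss -ntp` output for the dry run; ports and PIDs are invented.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB 0      0      10.0.0.5:52210       116.10.189.246:1234  users:(("cupsdd",pid=1433,fd=3))
ESTAB 0      0      10.0.0.5:52211       112.90.252.79:5678   users:(("sksapdd",pid=1490,fd=3))
ESTAB 0      0      10.0.0.5:22          10.0.0.9:61022       users:(("sshd",pid=902,fd=4))
"""


def build_demo_tree():
    """Constructed infected-looking tree (not a real capture) for an offline dry run."""
    base = Path(tempfile.mkdtemp(prefix="billgates-demo-"))
    for rel in ("etc/init.d/DbSecuritySpt", "usr/bin/pojie", "tmp/gates.lock"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text("demo\n")
    (base / "etc/rc3.d").mkdir()
    (base / "etc/rc3.d/97DbSecuritySpt").symlink_to("/etc/init.d/DbSecuritySpt")  # dangling leftover
    (base / "etc/cupsddh").write_bytes(b"\x7fELF demo")
    (base / "etc/cupsddh").chmod(0o4755)  # SUID, like the real drops
    (base / "etc/rc.local").write_text("#!/bin/sh\n/etc/cupsdd\n/etc/cupsddh\nexit 0\n")
    return base


if __name__ == "__main__":                # on a real host: scan_host("/") plus real `ss -ntp` output
    print(*scan_host(build_demo_tree()), *match_cnc_connections(SAMPLE_SS), sep="\n")
```

On a live host run it as root (`scan_host("/")`, and pipe the output of `ss -ntp` into `match_cnc_connections`); an `immutable` finding is the file that will resist `rm` until `chattr -i` is applied, and a `path` hit on xpacket.ko or libamplify.so is the cue to treat the kernel as untrusted rather than just cleaning user space.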

More information

You can read my writeup in Russian (or Google-translated)
