Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
If the global variable g_bDoBackdoor is set by the configuration and the BillGates process<br />
is currently running as root, MainBeikong will kill the current backdoor mode process by<br />
terminating the PID specified in /usr/bin/bsd-port/getty.lock. Similarly, the PID specified in<br />
/usr/bin/bsd-port/udevd.lock is terminated and the udevd.lock file deleted. Finally, the<br />
CSysTool::ReleaseAndStartGates function is called in order to activate the backdoor mode (gate 2)<br />
binary as getty and establish the /usr/bin/bsd-port/getty.lock file.<br />
If the process is running as root, the function CSysTool::SetBeikongPathFile is called in order to set<br />
the /tmp/notify.file with the current process’s PID value. The value of g_strMonitorFile is then<br />
passed to CSysTool::ReleaseAndStartGates in order to activate the infection monitor. If, however,<br />
the host mode process is not running as root, the /tmp/notify.file is deleted.<br />
With the initialization phase of Host mode complete, MainBeikong concludes by calling MainProcess,<br />
the core functionality of BillGates when operating in either Host or Backdoor modes. MainProcess<br />
begins by initializing five global objects:<br />
CLASS NAME GLOBAL VARIABLE DESCRIPTION<br />
CDNSCache<br />
CConfigDoing<br />
CCmdDoing<br />
CStatBase<br />
CProvinceDNS<br />
g_dnsCache<br />
g_cnfgDoing<br />
g_cmdDoing<br />
g_statBase<br />
g_provinceDns<br />
Contains a list of DNS servers as specified by the victim’s<br />
/etc/resolv.conf file plus the Google open DNS servers<br />
8.8.8.8 and 8.8.4.4.<br />
Contains the current configuration for the binary. When the<br />
configuration is stored on disk, the configuration exists in<br />
the same directory as the binary in the conf.n file.<br />
Contains the current state of the current task. When stored<br />
on disk, the state exists in the same directory as the binary<br />
in the file cmd.n.<br />
Maintains the current state of the victim machine in the<br />
same way CStatBase performs the task for Elknot.<br />
Contains a list of 302 DNS servers in China, 14 DNS servers<br />
in Taiwan, 11 DNS servers in Hong Kong, 2 DNS servers in<br />
Japan, and 2 DNS servers in Macau.<br />
MainProcess will attempt to install a kernel driver located at /usr/lib/xpacket.ko by passing the<br />
appropriate insmod command to the system function. It is unclear where the xpacket.ko file originates<br />
as it was not installed by the BillGates malware samples observed and analyzed by Novetta.<br />
Following the insmod command, another global object named CAmpResources is initialized.<br />
CAmpResources handles a list of IP addresses that are stored in /usr/lib/libamplify.so (if present).<br />
The core of BillGates, as was the case with Elknot, is the object CManager. The last object to be<br />
initialized, CManager is dynamically created and activated by calling CManager::Initialize. After<br />
activating the CManager object, MainProcess will enter an infinite loop that calls CUtility::Sleep<br />
to put the current thread to sleep in 1 minute intervals, indefinitely, in order to prevent the BillGates<br />
binary from terminating while CManager is active in another thread.<br />
When CManager::Initialize is called, the function begins initializing a significant number of<br />
subsystems, each contained within their own objects. CManager::Initialize creates and activates<br />
the following objects:<br />
THE ELASTIC BOTNET REPORT<br />
31