{
	"id": "44323b0d-c8ce-48fb-b239-654027863f8a",
	"created_at": "2026-04-06T00:09:00.446566Z",
	"updated_at": "2026-04-10T13:11:26.105972Z",
	"deleted_at": null,
	"sha1_hash": "1488399fd7471a8b11c033cac1aea8bf2c453bbe",
	"title": "Notes on Linux/BillGates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51410,
	"plain_text": "Notes on Linux/BillGates\r\nArchived: 2026-04-05 22:03:42 UTC\r\nIn a previous blog post, I wrote some (extensive) notes on Linux/Xor.DDoS, also known as just Xor.DDoS, an\r\ninteresting type of Linux malware.\r\nYou can find that particular blog below, in which I give some history, details, remediation and prevention in\r\nregards to the specific threat Xor.DDoS poses:\r\nNotes on Linux/Xor.DDoS\r\nThis post will include some notes on Linux/BillGates, hereafter referred to as just 'BillGates', and rather than\r\nbeing as in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps.\r\nAdditionally, after the conclusion, you will find other resources if necessary. In case of questions, comments or\r\nfeedback, leave a comment or contact me on Twitter.\r\nWhat is BillGates?\r\nBillGates is malware designed primarily for Linux, and since it is a botnet, it is mostly used for DDoS purposes.\r\nHowever, just as Xor.DDoS, it has limited rootkit and backdoor functionality, and thus it is possible that remote\r\ncommands are executed and additional malware is downloaded.\r\nHow can I identify BillGates artefacts?\r\nPlease find below a table with indicators.\r\nIndicator Notes\r\n/etc/cmd.n\r\n/etc/conf.n\r\n/etc/init.d/DbSecuritySpt\r\n/etc/init.d/selinux\r\n/etc/rcX.d/97DbSecuritySpt Where X is a number, usually symlinks to /etc/init.d/DbSecuritySpt\r\n/home/ll2 Identify all files with random names in /home/\r\n/tmp/.bash_root.tmp3\r\n/tmp/.bash_root.tmp3h\r\n/tmp/bill.lock Identify all .lock files in /tmp/\r\nhttps://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html\r\nPage 1 of 4\r\n/tmp/bill.lod Contains Process ID (PID) of malware main module\r\n/tmp/gates.lod\r\n(or gates.lock)\r\nContains PID of malware main module\r\n/tmp/moni.lod\r\n(or moni.lock)\r\nContains PID of malware 'watchdog'\r\n/tmp/notify.file\r\n/usr/bin/*.lock Identify all .lock files in /tmp/\r\n/usr/bin/bsd-port/.sshd\r\n/usr/bin/bsd-port/*.lock\r\n/usr/bin/bsd-port/getty\r\n/usr/bin/bsd-port/getty/*.lock Identify all .lock files in /usr/bin/bsd-port/getty/\r\n/usr/bin/pojie Identify all files with random names in /usr/bin/\r\n/usr/lib/libamplify.so Configuration file\r\nHow can I identify BillGates DDoS modules?\r\nThese modules are usually stored in /etc/, and will have the following names:\r\natddd\r\ncupsdd\r\ncupsddh\r\nksapdd\r\nkysapdd\r\nsksapdd\r\nskysapdd\r\nIt may however be useful to use the find command in conjunction with these names, in case they are residing in a\r\ndifferent location than /etc/.\r\nHow can I identify other modifications BillGates made?\r\nBillGates creates aliases and/or modifies or replaces files which are typically used to monitor processes or the\r\nnetwork. The following may be replaced:\r\n/bin/lsof\r\n/bin/netstat\r\n/bin/ps\r\n/bin/ss\r\n/usr/bin/lsof\r\n/usr/bin/netstat\r\n/usr/bin/ps\r\n/usr/bin/ss\r\n/usr/sbin/lsof\r\n/usr/sbin/netstat\r\n/usr/sbin/ps\r\n/usr/sbin/ss\r\nA copy of the legitimate files is normally stored in:\r\n/usr/bin/dpkgd/\r\nAdditionally, check for any potentially created jobs by looking in:\r\n/etc/cron.X where X is a name or folder, for example /etc/cron.daily.\r\nYou may also wish to look in:\r\n/var/spool/cron/\r\nRemoval instructions\r\nWhile the ps command may be replaced, top is not. Run the top command and verify any illegitimate processes;\r\nusually they will be randomly named. Alternatively, identify the *.lod and *.lock files, and use cat for example to\r\nread them, and identify the PID of the malware.\r\nThen, use kill to end the malicious process(es), and remove the files or artefacts as indicated in the table above.\r\nAfterwards, use mv to move the legitimate files back to their original location. You can also use a file manager to\r\neasily move them, if you have one.\r\nYou may also use an anti-virus to identify and remove any malicious files; for example, ClamAV does a great job.\r\nBillGates is a rather old botnet by now and thus most antiviruses should have coverage for it. Don't forget to\r\nupdate the anti-virus' signatures first, if needed.\r\nThis same explanation but step-by-step to make it easy:\r\nIdentify malicious processes: use top or check the PID in BillGates' config files;\r\nKill malicious processes: use kill -9 to kill any of its processes;\r\nRemove malicious files and folders, see the sections above;\r\nReplace potentially hijacked files and restore them to their original location, see also above;\r\nIdentify any malicious tasks and delete them as indicated above;\r\nRun top again to verify there are no malicious processes left;\r\nRun an anti-virus or anti-malware as a secondary opinion;\r\nChange your passwords, better be safe than sorry!\r\nConclusion\r\nWhile Linux/BillGates may not be the biggest player on the market anymore, or as popular or common\r\nnowadays, the threat still exists, just like Xor.DDoS.\r\nIn the resources section below, you may find additional useful links.\r\nResources\r\nSource: https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html"
	],
	"report_names": [
		"notes-on-linuxbillgates.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1488399fd7471a8b11c033cac1aea8bf2c453bbe.pdf",
		"text": "https://archive.orkl.eu/1488399fd7471a8b11c033cac1aea8bf2c453bbe.txt",
		"img": "https://archive.orkl.eu/1488399fd7471a8b11c033cac1aea8bf2c453bbe.jpg"
	}
}