Spike DDoS Toolkit: A New Kind of Botnet | Threat Advisory Excerpts


Spike DDoS Toolkit: Multiplatform Botnet Threat (selected excerpts)

The Security Engineering and Response Team (PLXsert) at Prolexic (now part of Akamai) recently published a Distributed Denial of Service (DDoS) Threat Advisory on the Spike DDoS toolkit – a new DDoS tool from Asia. The Spike Toolkit Threat Advisory analyzes the toolkit – including an overview of the source code – and shares a Snort rule, a YARA rule and instructions for attack mitigation by the target.

The computer ecosystem is changing: PCs are starting to give way to mobile devices. Even regular appliances – as part of the so-called Internet of Things – are becoming embedded, Internet-capable computers. An increasing trend in DDoS activity, observed in Asia in 2014, indicates that botnet-building DDoS attackers are now targeting Linux-based systems such as desktops and servers, as well as the many ARM-based systems that run on Linux. This includes home CPE equipment, routers, and even embedded IoT systems such as smart thermostats and washer/dryers.

One of the latest threats to come out of this trend is a malware kit known as Spike. Claiming to be authored by a Mr. Black, Spike can infect not only Linux operating systems, but also the ARM Linux software that powers many small or embedded systems. Evidence has surfaced that a Windows payload may exist as well. Several campaigns have been reported in Asia and the U.S.; Akamai has already mitigated several DDoS attacks against customers that were launched from these botnets. One such attack peaked at 215 gigabits per second (Gbps) and 150 million packets per second (Mpps).

The Spike toolkit analyzed claimed to implement five different DDoS attack methods – SYN, DNS, UDP, GET and ICMP floods. (However, the ICMP flood was improperly implemented and nonfunctional.) Although none of these attack vectors are new and the implementations of them are simplistic, the real threat lies in its multiplatform nature – and its targeting of ARM Linux, never before seen in the DDoS ecosystem. Internet of Things systems – which combine direct Internet access with ARM Linux processors and potentially poor security – are the most interesting potential target, but routers and CPEs may also be the intended targets.
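All five vectors the toolkit claims are volumetric floods, so the first-line check a targeted network can run is per-destination rate accounting broken down by vector. The Python below is an illustration added to this excerpt; it is not code from the advisory and is unrelated to the Snort and YARA rules the advisory ships. It classifies constructed flow records (documentation-range addresses, assumed record layout) into the SYN, DNS, UDP, GET and ICMP vectors named above and raises an alert when the per-second packet count toward one destination crosses a threshold. The thresholds and sample traffic are assumed placeholders, not measured values.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed flow-record shape (an assumption for this example, not the
# advisory's data format): one record per source/destination pair per second.
@dataclass(frozen=True)
class Flow:
    ts: int                 # epoch second in which the packets were seen
    src: str
    dst: str
    proto: str              # "TCP", "UDP" or "ICMP"
    dport: int
    flags: str              # TCP flag string, e.g. "S" (SYN only), "PA"; "" for non-TCP
    pkts: int               # packets counted in this record
    payload: bytes = b""    # leading payload bytes, if the sensor captured them

def classify(flow: Flow) -> Optional[str]:
    """Map a record onto one of the flood vectors the toolkit implements."""
    if flow.proto == "ICMP":
        return "ICMP"
    if flow.proto == "UDP":
        return "DNS" if flow.dport == 53 else "UDP"
    if flow.proto == "TCP":
        if flow.flags == "S":               # bare SYN, no ACK: half-open attempt
            return "SYN"
        if flow.payload.startswith(b"GET "):
            return "GET"
    return None

# Packets per second toward one destination above which we alert. These are
# assumed placeholder values; tune them against the protected network's baseline.
THRESHOLDS: Dict[str, int] = {"SYN": 5000, "UDP": 5000, "DNS": 3000, "GET": 500, "ICMP": 2000}

def detect_floods(flows: Iterable[Flow], thresholds: Dict[str, int] = THRESHOLDS) -> List[dict]:
    """Return one alert per (destination, vector) whose peak 1-second rate crosses its threshold."""
    per_second: Dict[tuple, Counter] = defaultdict(Counter)  # (dst, vector) -> ts -> pkts
    sources: Dict[tuple, set] = defaultdict(set)             # (dst, vector) -> distinct sources
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        key = (f.dst, vector)
        per_second[key][f.ts] += f.pkts
        sources[key].add(f.src)
    alerts = []
    for (dst, vector), counts in per_second.items():
        peak_ts, peak_pps = max(counts.items(), key=lambda kv: kv[1])
        if peak_pps >= thresholds[vector]:
            alerts.append({"dst": dst, "vector": vector, "peak_pps": peak_pps,
                           "at": peak_ts, "sources": len(sources[(dst, vector)])})
    # Deterministic order so the output (and any assertions on it) are stable.
    return sorted(alerts, key=lambda a: (a["dst"], a["vector"]))

def sample_flows() -> List[Flow]:
    """Constructed traffic: a quiet baseline, then a SYN flood and a GET flood."""
    flows = []
    for s in range(1000, 1005):  # ordinary web and DNS traffic every second
        flows.append(Flow(s, "198.51.100.7", "203.0.113.10", "TCP", 80, "PA", 3, b"GET / HTTP/1.1\r\n"))
        flows.append(Flow(s, "198.51.100.8", "203.0.113.53", "UDP", 53, "", 20))
    for i in range(200):         # SYN flood: 200 distinct sources, 40 SYNs each, in second 1002
        flows.append(Flow(1002, f"192.0.2.{i + 1}", "203.0.113.10", "TCP", 80, "S", 40))
    for i in range(60):          # GET flood: 60 sources, 10 requests each, in second 1003
        flows.append(Flow(1003, f"192.0.2.{i + 1}", "203.0.113.10", "TCP", 80, "PA", 10,
                          b"GET /index.php HTTP/1.1\r\n"))
    return flows

if __name__ == "__main__":
    for alert in detect_floods(sample_flows()):
        print(alert)
```

On the constructed sample the DNS baseline of 20 packets per second stays well under its threshold, while the SYN vector peaks at 8000 packets per second from 200 sources and the GET vector at 603 per second from 61 sources (the 60 flood sources plus the one legitimate client), so two alerts are produced. Counting distinct sources alongside the rate is what separates a distributed flood from a single misbehaving client.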

System hardening in response to this new threat is crucial. Thanks to Spike’s multiplatform nature, several kinds of systems – including some that system administrators may never have had to consider – must now be secured in case of infection. (The full Akamai DDoS threat advisory on Spike provides a YARA rule and security guidelines for this purpose.) The diversification of botnet building to new systems such as embedded devices is a disturbing trend. Branching out to infecting new categories gives the potential to infect a much larger range of systems, producing botnets large enough to power massive campaigns. Systems where botnet infection had previously not even been considered – such as home appliances – must now be thoroughly checked and hardened by system administrators.

In DDoS technology, Spike is nothing new – using only typical DDoS payloads, implemented either simplistically or incorrectly – but by bringing diversity in its addition of ARM-based payloads, it stands at the forefront of the next evolution in botnet crimeware. This development is not likely to be confined to Asia for long – and unless significant community effort hardens this previously-secure class of devices and cleans up security holes, it will spread to many more machines and could lead to a surge in new payloads and signatures exploiting it.

Get the full Spike DDoS Toolkit Threat Advisory with all the details

For more information on this new DDoS threat, download the full threat advisory on the Spike DDoS Toolkit. This 14-page threat advisory contains a detailed technical analysis, system hardening recommendations, and important mitigation information from PLXsert, including:

• Indicators of binary infection
• Command and control panel
• Toolkit variations
• Bot initialization
• DDoS payloads
• Details of an observed attack campaign
• DDoS mitigation techniques, including a Snort rule to stop the GET flood attack
• System hardening resources
• YARA rule for preventing bot infection

The more you know about DDoS attacks, the better you can protect your network against cybercrime. Download the free threat advisory from StateOfTheInternet.com today.

About stateoftheinternet.com

Stateoftheinternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages and cyber-attacks and threats. Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to help put context around the ever-changing Internet landscape.

