Spike DDoS Toolkit: A Multiplatform Botnet Threat
Overview
• The Spike DDoS toolkit is a Chinese botnet toolkit discovered in 2014
• Originally targeted at desktop Linux systems, Spike may also have payloads capable of targeting Windows
• Spike has the unique ability to infect Linux ARM systems, the small devices used for mobile systems and appliances
• Targeted devices include:
  • PCs
  • Servers
  • Routers
  • Internet of Things (IoT) devices such as smart thermostats and washer/dryers
  • Customer Premises Equipment (CPE) routing devices
  • Android phones and tablets
©2014 AKAMAI | FASTER FORWARDTM
Toolkit Analysis
• Spike has a standard command-and-control panel to control the bots, binary payloads for infection, and DDoS payload builders
• The addition of an ARM payload suggests it may be targeting devices such as routers and IoT appliances
• Two of the payload builders target 32-bit and 64-bit Linux systems
• The third, Typhoon Builder, generates a 32-bit ARM Linux executable
• Evidence of the payloads being ported to Windows has surfaced
• The author uses Mr. Black as a pseudonym
• Can launch SYN, DNS, UDP, and GET floods
Toolkit Screenshot
Observed Attack
• Several campaigns have been reported against hosts in Asia and the U.S.
• Several Akamai customers have already been targeted
• One DDoS attack peaked at 215 Gbps and 150 Mpps
Attack Analysis
• Spike has four types of attacks: SYN, GET, UDP and DNS floods
• This assortment is fairly standard for malicious toolkits, and includes no new attack types
• Spike also claims to include an ICMP flood, but testing has revealed it to be nonfunctional due to poor coding
• The SYN, GET, UDP, and DNS floods are implemented simplistically, with no fundamentally new ideas
• However, the multiplatform nature of its infections allows it to build potentially massive botnets
System Hardening
• The multi-architecture malware code found in the kit increases its sophistication and complexity, requiring hardening measures for each targeted OS and platform
• PLXsert anticipates further infestation and the expansion of this DDoS botnet
• For more information, see the full threat advisory at stateoftheinternet.com, including a YARA rule for system hardening and a Snort rule for DDoS mitigation
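The advisory's Snort rule for the GET flood is not reproduced on this page, so the following is an added example of a simpler, server-side heuristic in the same defensive spirit: a sliding-window counter that flags sources issuing an abnormal number of GET requests from web-server access logs. It is not Akamai's or PLXsert's code; the log lines are constructed, and the 10-second window and 20-request threshold are assumed tuning values that a real deployment would calibrate against normal traffic.

```python
"""Sliding-window GET-flood detector over constructed access-log lines.

Added example, not part of the Spike threat advisory. The log lines, the
10-second window and the 20-request threshold are all constructed/assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-style prefix: client, ident, user, [timestamp] "METHOD ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) ')


def parse(line):
    """Return (source, epoch_seconds, method) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["src"], ts, m["method"]


def detect_get_flood(lines, window_s=10, threshold=20):
    """Map each source whose peak GET count in any window_s-second span exceeds
    threshold to that peak count. Lines are grouped per source and sorted, so
    interleaved or out-of-order log entries are handled."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2] == "GET":
            events[parsed[0]].append(parsed[1])
    flagged = {}
    for src, times in events.items():
        times.sort()
        window, peak = deque(), 0
        for t in times:
            window.append(t)
            while t - window[0] > window_s:  # drop entries outside the window
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[src] = peak
    return flagged


def constructed_log():
    """Constructed sample: one flooding client (30 GETs in 3 s, interleaved)
    and one ordinary client (5 GETs spread over a minute)."""
    fmt = '{src} - - [24/Sep/2014:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [fmt.format(src="203.0.113.5", sec=i % 3, path="/") for i in range(30)]
    lines += [fmt.format(src="198.51.100.7", sec=s, path="/index.html") for s in (0, 12, 25, 40, 55)]
    return lines
```

Only the flooding source is reported; the ordinary client never exceeds one request per window, which is the distinction a rate threshold is meant to draw before a rule like the advisory's Snort signature is tuned.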
Conclusion
• There is a rising trend in Asian botnet activity that has targeted Linux servers primarily, but is now diversifying to target Windows hosts, routers, CPE and ARM-compatible Linux distributions as well
• These botnets can thereby infect more machines and produce sizable attack campaigns
• New multiplatform DDoS kits require system administrators to thoroughly check and harden previously safe devices
• Spike does not use any new DDoS attacks; what it brings is diversity in infection
• Unless there is a significant community effort, Spike and its descendants are likely to spread further
Spike DDoS Toolkit Threat Advisory
The Spike DDoS Toolkit Threat Advisory includes DDoS mitigation details for enterprises, such as:
• Indicators of binary infection
• Command and control panel
• Toolkit variations
• Bot initialization
• DDoS payloads
• Details of an observed attack campaign
• DDoS mitigation techniques, including a Snort rule to stop the GET flood attack
• System hardening resources
• YARA rule for preventing bot infection
Download the full report for free at www.stateoftheinternet.com/spike
About StateOfTheInternet.com StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations and other resources designed to help put context around the ever-changing Internet landscape.