
Spike DDoS Toolkit: Multiplatform Botnet Threat

Selected excerpts

The Security Engineering and Response Team (PLXsert) at Prolexic (now part of Akamai)
recently published a Distributed Denial of Service (DDoS) Threat Advisory on the Spike DDoS
toolkit, a new DDoS tool from Asia. The Spike Toolkit Threat Advisory analyzes the toolkit,
including an overview of the source code, and shares a Snort rule, a YARA rule and
instructions for attack mitigation by the target.
The computer ecosystem is changing: PCs are starting to give way to mobile devices. Even
regular appliances as part of the so-called Internet of Things are becoming embedded,
Internet-capable computers. An increasing trend in DDoS activity, observed in Asia in 2014,
indicates that botnet-building DDoS attackers are now targeting Linux-based systems such
as desktops and servers, as well as the many ARM-based systems that run on Linux. This
includes home CPE equipment, routers, and even embedded IoT systems such as smart
thermostats and washer/dryers.
One of the latest threats to come out of this trend is a malware kit known as Spike. Claiming
to be authored by a Mr. Black, Spike can infect not only Linux operating systems, but also
the ARM Linux software that powers many small or embedded systems. Evidence has
surfaced that a Windows payload may exist as well. Several campaigns have been reported
in Asia and the U.S.; Akamai has already mitigated several DDoS attacks against customers
that were launched from these botnets. One such attack peaked at 215 gigabits per second
(Gbps) and 150 million packets per second (Mpps).
The Spike toolkit that was analyzed claims to implement five different DDoS attack methods:
SYN, DNS, UDP, GET and ICMP floods. (However, the ICMP flood was improperly implemented
and nonfunctional.) Although none of these attack vectors are new and the
implementations of them are simplistic, the real threat lies in the toolkit's multiplatform nature
and its targeting of ARM Linux, never before seen in the DDoS ecosystem. Internet of
Things systems, which combine direct Internet access with ARM Linux processors and
potentially poor security, are the most interesting potential target, but routers and CPEs
may also be the intended targets.
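The advisory itself ships a Snort rule and a YARA rule that are not reproduced in this excerpt. As an added illustration of what "attack mitigation by the target" looks like for the five vectors named above, the following Python script is an example written for this page, not PLXsert or Akamai code: it classifies constructed flow records into the SYN, DNS, UDP, GET and ICMP vectors and raises a rate-based alert per target and one-second window. The record format, the threshold values and the sample traffic are all assumptions made for the example; thresholds would be tuned against a baseline of the protected host's normal traffic.

```python
"""Rate-based detection of the five flood vectors named in the Spike advisory.

Added example for this page (not the advisory's own Snort/YARA rules). The
record layout, thresholds and sample traffic below are assumptions.
"""
from collections import Counter

# Packets per second per target above which an alert is raised. These values
# are illustrative assumptions; tune them against real baseline traffic.
THRESHOLDS_PPS = {"SYN": 2000, "DNS": 1000, "UDP": 3000, "GET": 500, "ICMP": 1000}


def classify(rec):
    """Map one packet/flow record to one of the advisory's vectors, or None.

    Expected keys (assumed format): proto ("TCP"/"UDP"/"ICMP"), dport,
    flags (TCP flag string, "S" = bare SYN), method (HTTP method if parsed).
    """
    proto = rec.get("proto")
    if proto == "ICMP":
        # The analyzed toolkit's ICMP flood was non-functional, but a detector
        # should not rely on that: other kits and future variants do it right.
        return "ICMP"
    if proto == "UDP":
        return "DNS" if rec.get("dport") == 53 else "UDP"
    if proto == "TCP":
        if rec.get("method") == "GET":
            return "GET"
        if rec.get("flags") == "S":  # SYN without ACK: half-open connection attempt
            return "SYN"
    return None


def detect_floods(records, window=1.0):
    """Count records per (destination, vector, time slot) and return alerts for
    slots whose packet rate exceeds the vector's threshold.

    Alerts are returned sorted by (dst, vector, slot) so output is deterministic.
    """
    buckets = Counter()
    for rec in records:
        vec = classify(rec)
        if vec is None:
            continue
        slot = int(rec["ts"] // window)
        buckets[(rec["dst"], vec, slot)] += 1

    alerts = []
    for (dst, vec, slot), count in sorted(buckets.items()):
        pps = count / window
        if pps > THRESHOLDS_PPS[vec]:
            alerts.append({"dst": dst, "vector": vec, "slot": slot, "pps": pps})
    return alerts


def make_sample():
    """Constructed traffic, not a capture: one second of SYN flood, then one
    second of DNS flood, both against 10.0.0.5, plus a little legitimate traffic
    that must stay below every threshold."""
    recs = []
    for i in range(2500):  # 2500 bare SYNs inside slot 0 -> above the SYN threshold
        recs.append({"ts": i / 2500, "src": f"198.51.100.{i % 250}", "dst": "10.0.0.5",
                     "proto": "TCP", "flags": "S", "dport": 80})
    for i in range(1200):  # 1200 DNS queries inside slot 1 -> above the DNS threshold
        recs.append({"ts": 1.0 + i / 1200, "src": f"203.0.113.{i % 250}", "dst": "10.0.0.5",
                     "proto": "UDP", "dport": 53})
    for i in range(5):  # a few real HTTP GETs and pings: no alert expected
        recs.append({"ts": 0.5, "src": "192.0.2.10", "dst": "10.0.0.5",
                     "proto": "TCP", "flags": "PA", "dport": 80, "method": "GET"})
        recs.append({"ts": 1.5, "src": "192.0.2.11", "dst": "10.0.0.5", "proto": "ICMP"})
    return recs


if __name__ == "__main__":
    for alert in detect_floods(make_sample()):
        print(f"{alert['dst']} {alert['vector']:<4} slot={alert['slot']} {alert['pps']:.0f} pps")
```

Running the script prints one alert for the SYN flood in slot 0 and one for the DNS flood in slot 1; the five GETs and five pings stay well under their thresholds. Separating the per-vector classification from the rate check mirrors how a Snort rule (which matches packet content) and an upstream rate limiter (which acts on volume) divide the work in practice.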

System hardening in response to this new threat is crucial. Thanks to Spike's multiplatform
nature, several kinds of systems, including some that system administrators may never
have had to consider, must now be secured in case of infection. (The full Akamai DDoS
threat advisory on Spike provides a YARA rule and security guidelines for this purpose.)
The diversification of botnet building to new systems such as embedded devices is a
disturbing trend. Branching out to infecting new categories gives the potential to infect a
much larger range of systems, producing botnets large enough to power massive
campaigns. Systems where botnet infection had previously not even been considered,
such as home appliances, must now be thoroughly checked and hardened by system
administrators. In DDoS technology, Spike is nothing new, using only typical DDoS
payloads, implemented either simplistically or incorrectly; but by bringing diversity in its
addition of ARM-based payloads, it stands at the forefront of the next evolution in botnet
crimeware. This development is not likely to be confined to Asia for long, and unless
significant community effort hardens this previously-secure class of devices and cleans up
security holes, it will spread to many more machines and could lead to a surge in new
payloads and signatures exploiting it.
Get the full Spike DDoS Toolkit Threat Advisory with all the details

For more information on this new DDoS threat, download the full threat advisory on the
Spike DDoS Toolkit. This 14-page threat advisory contains a detailed technical analysis,
system hardening recommendations, and important mitigation information from PLXsert,
including:

Indicators of binary infection
Command and control panel
Toolkit variations
Bot initialization
DDoS payloads
Details of an observed attack campaign
DDoS mitigation techniques, including a SNORT rule to stop the GET flood attack
System hardening resources
YARA rule for preventing bot infection

The more you know about DDoS attacks, the better you can protect your network against
cybercrime. Download the free threat advisory from StateOfTheInternet.com today.

About stateoftheinternet.com
Stateoftheinternet.com, brought to you by Akamai, serves as the home for content and
information intended to provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including Internet connection speeds,
broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors
to www.stateoftheinternet.com can find current and archived versions of Akamai's State of
the Internet (Connectivity and Security) reports, the company's data visualizations, and
other resources designed to help put context around the ever-changing Internet landscape.
