Spike Toolkit: A New DDoS Threat
Spike DDoS Toolkit
A Multiplatform Botnet Threat
©2014 AKAMAI | FASTER FORWARD™
Overview
• The Spike DDoS toolkit is a Chinese botnet toolkit discovered in 2014
• Originally targeted at desktop Linux systems, Spike may also have payloads capable of targeting Windows
• Spike has the unique ability to infect Linux ARM systems – small devices used for mobile systems and appliances
• Targeted devices include:
  • PCs
  • Servers
  • Routers
  • Internet of Things (IoT) devices such as smart thermostats and washer/dryers
  • Customer Premises Equipment (CPE) routing devices
  • Android phones and tablets
Toolkit Analysis
• Spike has a standard command-and-control panel to control the bots, binary payloads for infection, and DDoS payload builders
• The addition of an ARM payload suggests it may be targeting devices such as routers and IoT appliances
• Two of the payload builders target 32-bit and 64-bit Linux systems
• The third, Typhoon Builder, generates a 32-bit ARM Linux executable
• Evidence of the payloads being ported to Windows has surfaced
• The author uses Mr. Black as a pseudonym
• Spike can launch SYN, DNS, UDP, and GET floods
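As an added example (not code from this deck or from the Akamai advisory), the following Python helper reads the ELF identification bytes and e_machine field of a binary so that defenders can sort recovered samples into the three Linux builder targets named above (x86 32-bit, x86-64, 32-bit ARM). The builder labels and the sample headers are constructed for illustration; the numeric e_machine constants are the standard ELF values.

```python
import struct
from typing import Dict, Optional

# Standard ELF e_machine values for the architectures the deck names;
# the mapping itself is constructed for this example.
ELF_MACHINES: Dict[int, str] = {3: "x86", 40: "arm", 62: "x86-64", 183: "aarch64"}

# Hypothetical labels tying (machine, class) pairs to the three Linux
# builders described on the Toolkit Analysis slide.
SPIKE_BUILDER_TARGETS = {
    ("x86", 32): "Linux 32-bit builder",
    ("x86-64", 64): "Linux 64-bit builder",
    ("arm", 32): "Typhoon Builder (32-bit ARM)",
}

def elf_target(data: bytes) -> Optional[dict]:
    """Parse the start of an ELF header and return its class, byte order and
    machine, or None if the bytes are not a well-formed ELF image."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None                      # not ELF (e.g. a PE/MZ file)
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                      # malformed e_ident: reject, do not guess
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine follows e_type
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
    }

def matches_spike_builder(data: bytes) -> Optional[str]:
    """Return which of the three builder targets a binary's architecture fits,
    or None. Architecture alone is not an infection indicator; pair this with
    the advisory's YARA rule when triaging."""
    info = elf_target(data)
    if info is None:
        return None
    return SPIKE_BUILDER_TARGETS.get((info["machine"], info["bits"]))

def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed 20-byte sample header (e_type = ET_EXEC) for offline testing."""
    endian = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    return ident + struct.pack(endian + "HH", 2, e_machine)

if __name__ == "__main__":
    for name, hdr in {"arm32": make_header(1, 1, 40), "x64": make_header(2, 1, 62)}.items():
        print(name, elf_target(hdr), matches_spike_builder(hdr))
```

To triage real files, pass the first 20 bytes of each binary (`open(path, "rb").read(20)`) to `matches_spike_builder`; a 64-bit ARM or Windows PE file yields None because no builder on this slide targets it.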
Toolkit Screenshot
Observed Attack
• Several campaigns have been reported against hosts in Asia and the U.S.
• Several Akamai customers have already been targeted
• One DDoS attack peaked at 215 Gbps and 150 Mpps
Attack Analysis
• Spike has four types of attacks: SYN, GET, UDP and DNS floods
• This assortment is fairly standard for malicious toolkits, and includes no new attack types
• Spike also claims to include an ICMP flood, but testing has revealed it to be nonfunctional due to poor coding
• The SYN, GET, UDP, and DNS floods are implemented simplistically, with no fundamentally new ideas
• However, the multiplatform nature of its infections allows it to build potentially massive botnets
System Hardening
• The multi-architecture malware code found in the kit increases its sophistication and complexity, requiring hardening measures for each targeted OS and platform
• PLXsert anticipates further infections and the expansion of this DDoS botnet
• For more information, see the full threat advisory at stateoftheinternet.com, including a YARA rule for system hardening and a Snort rule for DDoS mitigation
Conclusion
• There is a rising trend in Asian botnet activity that has targeted Linux servers primarily, but is now diversifying to target Windows hosts, routers, CPE and ARM-compatible Linux distributions as well
• These botnets can thereby infect more machines and produce sizable attack campaigns
• New multiplatform DDoS kits require system administrators to thoroughly check and harden previously safe devices
• Spike does not use any new DDoS attacks – what it brings is diversity in infection
• Unless there is a significant community effort, Spike and its descendants are likely to spread further
Spike DDoS Toolkit Threat Advisory
The Spike DDoS Toolkit Threat Advisory includes DDoS mitigation details for enterprises, such as:
• Indicators of binary infection
• Command and control panel
• Toolkit variations
• Bot initialization
• DDoS payloads
• Details of an observed attack campaign
• DDoS mitigation techniques, including a Snort rule to stop the GET flood attack
• System hardening resources
• YARA rule for preventing bot infection
Download the full report for free at www.stateoftheinternet.com/spike
About StateOfTheInternet.com
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats. Visitors to stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations and other resources designed to help put context around the ever-changing Internet landscape.