Spike Toolkit: A New DDoS Threat


Page 1: Spike Toolkit: A New DDoS Threat

Spike DDoS Toolkit

A Multiplatform Botnet Threat


©2014 AKAMAI | FASTER FORWARD™

Overview

• The Spike DDoS toolkit is a Chinese botnet toolkit discovered in 2014

• Originally targeted at desktop Linux systems, Spike may also have payloads capable of targeting Windows

• Spike has the unique ability to infect Linux ARM systems – small devices used for mobile systems and appliances

• Targeted devices include:

  • PCs

  • Servers

  • Routers

  • Internet of Things (IoT) devices such as smart thermostats and washer/dryers

  • Customer Premises Equipment (CPE) routing devices

  • Android phones and tablets


Toolkit Analysis

• Spike has a standard command-and-control panel to control the bots, binary payloads for infection, and DDoS payload builders

• The addition of an ARM payload suggests it may be targeting devices such as routers and IoT appliances

• Two of the payload builders target 32- and 64-bit Linux systems

• The third, Typhoon Builder, generates a 32-bit ARM Linux executable

• Evidence of the payloads being ported to Windows has surfaced

• The author uses Mr. Black as a pseudonym

• Can launch SYN, DNS, UDP, and GET floods
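The builders described above emit 32-bit x86, 64-bit x86 and 32-bit ARM Linux binaries, and the hardening slide later notes that each platform needs its own measures. A defender triaging recovered samples can sort them by target architecture by reading three fields of the ELF header: EI_CLASS (32/64-bit), EI_DATA (endianness) and e_machine. The Python below is an added example, not code from the Akamai advisory or from the toolkit; the e_machine values come from the ELF specification, and every header it classifies is constructed inline rather than taken from a real Spike sample. It goes slightly beyond the slide by also handling a big-endian MIPS header, the kind of thing a router inventory would encounter.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (only the ones this example needs)
MACHINES = {3: "x86", 62: "x86-64", 40: "ARM", 183: "AArch64", 8: "MIPS"}


def classify_elf(data: bytes):
    """Return (bits, endianness, machine) for an ELF image, or None if it is not a usable ELF header.

    Only the first 20 bytes are read: 16 bytes of e_ident, e_type, then e_machine.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    bits = {1: 32, 2: 64}.get(ei_class)
    fmt = {1: "<", 2: ">"}.get(ei_data)          # struct prefix for little/big endian
    if bits is None or fmt is None:
        return None                                # malformed class or data encoding byte
    (e_machine,) = struct.unpack_from(fmt + "H", data, 18)  # e_machine sits at offset 18
    endian = "little" if fmt == "<" else "big"
    return bits, endian, MACHINES.get(e_machine, f"unknown({e_machine})")


def make_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Build a minimal synthetic ELF header (constructed test input, not a real payload)."""
    fmt = "<" if ei_data == 1 else ">"
    # e_ident: magic, class, data, version=1, osabi=0, 8 bytes padding -> 16 bytes
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    # e_type=2 (ET_EXEC), e_machine, e_version=1
    return ident + struct.pack(fmt + "HHI", 2, e_machine, 1)


# Constructed samples named after the builder outputs the slide lists (plus two extras)
SAMPLES = {
    "linux32_payload": make_header(1, 1, 3),
    "linux64_payload": make_header(2, 1, 62),
    "typhoon_arm_payload": make_header(1, 1, 40),
    "mips_be_router_image": make_header(1, 2, 8),
    "not_elf_pe_stub": b"MZ\x90\x00" + b"\x00" * 20,
}


def inventory(samples):
    """Map each sample name to its classification so the result can be grouped per platform."""
    return {name: classify_elf(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, result in inventory(SAMPLES).items():
        print(f"{name:24s} -> {result}")
```

On real files, read the first 64 bytes of each candidate binary and pass them to classify_elf; anything that returns None is not an ELF image and belongs in a different triage queue.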


Toolkit Screenshot


Observed Attack

• Several campaigns have been reported against hosts in Asia and the U.S.

• Several Akamai customers have already been targeted

• One DDoS attack peaked at 215 Gbps and 150 Mpps


Attack Analysis

• Spike has four types of attacks: SYN, GET, UDP and DNS floods

• This assortment is fairly standard for malicious toolkits, and includes no new attack types

• Spike also claims to include an ICMP flood, but testing has revealed it to be nonfunctional due to poor coding

• The SYN, GET, UDP, and DNS floods are implemented simplistically, with no fundamentally new ideas

• However, the multiplatform nature of its infections allows it to build potentially massive botnets


System Hardening

• The multi-architecture malware code found in the kit increases its sophistication and complexity, requiring hardening measures for each targeted OS and platform

• PLXsert anticipates further infestation and the expansion of this DDoS botnet

• For more information, see the full threat advisory at stateoftheinternet.com, including a YARA rule for system hardening and a Snort rule for DDoS mitigation


Conclusion

• There is a rising trend in Asian botnet activity that has targeted Linux servers primarily, but is now diversifying to target Windows hosts, routers, CPE and ARM-compatible Linux distributions as well

• These botnets can thereby infect more machines and produce sizable attack campaigns

• New multiplatform DDoS kits require system administrators to thoroughly check and harden previously safe devices

• Spike does not use any new DDoS attacks – what it brings is diversity in infection

• Unless there is a significant community effort, Spike and its descendants are likely to spread further


Spike DDoS Toolkit Threat Advisory

The Spike DDoS Toolkit Threat Advisory includes DDoS mitigation details for enterprises, such as:

• Indicators of binary infection

• Command and control panel

• Toolkit variations

• Bot initialization

• DDoS payloads

• Details of an observed attack campaign

• DDoS mitigation techniques, including a Snort rule to stop the GET flood attack

• System hardening resources

• YARA rule for preventing bot infection

Download the full report for free at www.stateoftheinternet.com/spike


About StateOfTheInternet.com

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

Visitors to stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations and other resources designed to help put context around the ever-changing Internet landscape.