Incident Response, Malware, TDR

‘Spike’ toolkit scales multi-vector DDoS with Windows, Linux hosts

Distributed denial-of-service (DDoS) attacks aimed at regions of Asia and the U.S. have been linked to a new toolkit, dubbed “Spike.”

Capable of scaling large, multi-vector attacks – which include SYN flood, UDP flood, domain name system (DNS) query flood and GET floods – the toolkit can communicate and execute commands to infected Windows, Linux and ARM-based devices, researchers with Akamai Technologies' Prolexic Security Engineering and Response Team (PLXsert) found.

On Wednesday, the team published an advisory on the threat, highlighting DDoS attacks campaigns throughout the summer, which peaked at 215 gigabytes per second and 150 million packets per second in one attack.

“Binary payloads from this toolkit are dropped and executed after the successful compromise of targeted devices, which may include PCs, servers, routers, Internet of things (IoT) devices (i.e., smart thermostat systems and washer/dryers) and home-based customer premises equipment (CPE) routing devices,” the advisory said.

Leading up to the campaigns, PLXsert noticed a trend in new DDoS malware "originating from Asia," but, previously, malicious binaries primarily targeted Linux platforms, the advisory added.

The fact that Spike malware targets multiple platforms and makes use of several DDoS payloads, was a noteworthy development, the team said.

In a Wednesday interview with SCMagazine.com, David Fernandez, head of the PLXsert team, said that 15 to 20 percent of detected DDoS attacks emanated from infected CPE home-based routing devices, and that the rest were evenly distributed from Windows and Linux servers. He added that the primary sector targeted by the DDoS botnet was the entertainment industry, but that the attack methods could be “used against any enterprise industry.”

“There's not a clear motive in the attacks – there could be several different motives,” Fernandez said. “At this point, [the toolkit] is not as circulated as it could be. The point is to keep the community aware, so we are trying to warn as soon as we can to prevent it from becoming a more prevalent threat.”

So far, PLXsert has not seen the DDoS toolkit being circulated on the underground market by criminals, he said. Indicators, such as the toolkit's command-and-control panel interface being written in Mandarin Chinese, led researchers to believe that the attack group is based in some region of Asia.

Akamai created a customized Snort rule to help mitigate related DDoS attacks, as well as a YARA rule so enterprises can identify malicious payloads associated with the toolkit – both of which are in the advisory.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.