Cybercriminals tap into new resources for DDoS attacks

Sep 26, 2014 15:21 GMT

A malicious tool dubbed “Spike,” used for conducting distributed denial-of-service (DDoS) attacks, started to gain popularity among cybercriminals, as it can send commands to Internet of Things (IoT) products as well as Windows and Linux systems, and ARM-based devices running Linux.

Initially, security researchers from Akamai's Prolexic Security Engineering and Research Team (PLXsert), who have been tracking the toolkit, observed that only machines running Linux were targeted; in recent versions of the malicious tool, however, it has been seen communicating with a wider range of devices, including routers, IoT devices such as smart thermostats, washers and dryers, and CPE (customer premises equipment) routing systems.

Cybercriminals have significant firepower

Spike integrates several DDoS payloads that allow SYN, UDP, DNS (Domain Name System) and GET floods to be directed against a specific target.

In the campaigns observed by the researchers, carried out against targets in Asia and the US, the botnet managed attacks peaking at 215 Gbps and 150 Mpps (millions of packets per second).

The Trojans compromising the machines appear to be made in China and have been ported from Linux to Windows, according to an analysis performed earlier this year by the Russian antivirus company Doctor Web.

Spike has several variations

In the Spike version examined by PLXsert there are three payload builders: two that generate 32- and 64-bit binaries, and one that generates a 32-bit ARM executable file.

According to PLXsert's findings, “the Spike DDoS toolkit contains components of a typical client-based botnet: a command and control (C2) panel, binary payloads for infection and DDoS payload builders. The C2 and the builders are Windows binaries for use by the malicious actor, while the infectious payloads were designed to target mainly Linux or other embedded devices.”

By ensuring compatibility with multiple operating systems, attackers can create a larger botnet to be leveraged in more powerful DDoS attacks.

On the upside, not all embedded devices are suitable for remote code execution, so exploiting them would be of little use to the malicious actors wielding Spike.

Targeting multiple types of Internet-connected devices for DDoS attacks is a growing trend, giving cybercriminals a more diverse pool of resources for carrying out their nefarious activity.

“The Spike DDoS toolkit does not use new types of DDoS attacks. Most of its payloads are typical in any DDoS toolkit. In addition, its payload implementations are either fairly simplistic or implemented incorrectly. What Spike does bring, however, is diversity in infection with the introduction of ARM-based binary payloads,” the PLXsert experts conclude.