A new malware kit called Spike can infect not only traditional desktops but also routers, smart thermostats, smart dryers and a host of other Internet of Things devices to herd them into massive botnets.
Spike botnets have carried out various forms of DDoS attacks including SYN, UDP, DNS query and GET floods, according to Akamai’s Prolexic Security Engineering & Response Team (PLXsert).
+ Also on Network World: Internet Crime Complaint Center warns scam uses IC3 e-mail as way to con victims | Cleveland Indians turn to SIEM in malware, botnet battle | Most websites are “One Day Wonders” – and that’s worrisome +
The Akamai team has seen Spike DDoS attacks in action in Asia and the U.S. and reports that one such attack peaked at 215Gbps and 150 million packets per second. Akamai has validated that 12,000 to 15,000 devices made up one botnet created with the kit, says David Fernandez, who heads up Akamai’s PLXsert team.
Corporate security pros need to harden devices they might not have thought were at risk as well as get traditional DDoS protection in place, Akamai says.
PLXsert and Russian anti-virus company Dr. Web say that between them they have seen the malicious Spike payload ported to Linux and Windows desktops and servers as well as ARM-based Linux devices, specifically customer routers installed by ISPs. But the ARM malware could be used to infect other devices such as smart appliances, Fernandez says.
Screen shot of the command and control interface for the Spike DDoS toolkit.
Telltale binary code on these devices is the sign that they have been infected, the company says. The Spike code consists of a single binary while the infections found by Dr. Web include several binaries and scripts. The kit interface is written in Mandarin Chinese. So far, it has not yet been seen in underground marketplaces, Fernandez says.
Timestamps on the binaries indicate they were written about six months ago. The toolkit gets its name from the word “spike” found in the code, he says.
Fernandez says his group is working on a proof of concept attack to infect IoT devices, but hasn’t done so successfully yet. “The ability of the Spike toolkit to generate an ARM-based payload suggests that the authors of such tools are targeting devices such as routers and IoT devices to expand their botnets for a post-PC era of botnet propagation,” says the Akamai advisory.
Akamai says the DDoS attacks can be mitigated using access control lists. It has written a SNORT signature that can mitigate application-layer GET flood attacks generated through the toolkit. The Akamai advisory lists sites where users can find methods for hardening the various operating systems Spike attacks.