Akamai’s Prolexic division has warned of the growing threat from a Chinese toolkit that has started infecting Linux, Windows and embedded systems in order to launch DDoS attacks peaking at hundreds of Gigabits per second.
Dubbed the ‘Spike’ toolkit, the malware started life targeting Linux servers earlier in 2014 but now seems to have been ported to run on Windows (both PCs and servers), consumer and SME routers, and even Internet of Things (IoT) devices such as thermostats.
This means it can also infect Linux-based desktops and embedded devices running on ARM – to demonstrate this, Akamai’s engineers were able to get the bot up and running on the humble Raspberry Pi home computer.
Capable of generating a surge of conventional SYN, UDP and GET traffic as well as DNS floods, the malware had already been responsible for a number of large botnet-driven attacks, including one in Asia that peaked at an alarming 215Gbps across its ‘scrubbing’ centres, according to Akamai.
Techworld was unable to confirm when this attack occurred although Akamai did reveal that the target was an online entertainment firm. Traffic at this level is something that would definitely have been noticed by mitigation providers although the target probably had no inkling of its scale.
"This summer Akamai mitigated huge multi-vector DDoS attack campaigns that we traced to bots controlled by the new Spike DDoS toolkit," said Akamai’s security business unit senior vice president, Stuart Scholly.
"This DDoS kit is designed to build botnets from devices and platforms that system administrators may not have thought to be at risk for botnet infection in the past. Enterprises need system hardening to prevent initial infection and DDoS protection to stop DDoS attacks from the Spike bots."
Spike’s binaries were probably also detected by security firms such as Dr Web in August, Akamai suggested.
The headline warning is that a Chinese multi-platform DDoS toolkit may be about to spread beyond its home terrain, but its underlying design is probably the most important element of this story. DDoS tools are getting more and more powerful, and part of that power is the ability to attack not only servers but also the growing number of embedded, unmanaged systems that form the nascent IoT.
The good news is that the malware should be easy to spot, assuming people know how to defend against it. On servers, this means 'hardening' systems at Layer 3 using Access Control Lists (ACLs), or at Layer 7 using signatures for systems such as Snort or the YARA open source malware detection tool.
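To make the Layer 3 side of that advice concrete, here is an added example (written for this article, not Akamai's tooling or anything shipped with Spike) that counts per-source traffic in the four vectors the article names (SYN, UDP, GET and DNS floods), flags sources that exceed a per-window threshold, and renders the result as ACL drop rules in iptables syntax. The flow-record format, the thresholds and the IP addresses are constructed for illustration and are not Spike indicators; real deployments would feed it from NetFlow/sFlow or a firewall log and tune the thresholds to the network's baseline.

```python
"""Volumetric-flood detector that turns per-source counts into Layer 3 ACL
entries. Added example: the Flow format, thresholds and addresses are constructed
for illustration and are not taken from Akamai's research or from the Spike kit."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    proto: str             # "tcp" or "udp"
    dport: int
    tcp_flags: str = ""    # "S" for a bare SYN, "PA" for a data segment
    http_method: str = ""  # "GET" when the flow carried an HTTP GET request


# Constructed sample window: a SYN flood and a DNS flood from two 198.51.100.0/24
# hosts, a GET flood from one host, plus a little benign background traffic.
SAMPLE_FLOWS = (
    [Flow("198.51.100.7", "tcp", 80, tcp_flags="S")] * 600
    + [Flow("198.51.100.9", "udp", 53)] * 400
    + [Flow("203.0.113.5", "tcp", 80, tcp_flags="PA", http_method="GET")] * 350
    + [Flow("192.0.2.10", "tcp", 443, tcp_flags="PA", http_method="GET")] * 20
    + [Flow("192.0.2.11", "udp", 53)] * 5
)

# Per-source, per-window thresholds (constructed; tune to the network's baseline).
THRESHOLDS = {"syn": 500, "udp": 300, "dns": 300, "get": 300}


def classify(flow: Flow) -> set[str]:
    """Map one flow onto the flood vectors the article lists. A flow may count
    toward more than one bucket: UDP/53 is both a UDP flood and a DNS flood."""
    kinds: set[str] = set()
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        kinds.add("syn")
    if flow.proto == "udp":
        kinds.add("udp")
        if flow.dport == 53:
            kinds.add("dns")
    if flow.http_method == "GET":
        kinds.add("get")
    return kinds


def count_vectors(flows: Iterable[Flow]) -> dict[str, Counter]:
    """Per-vector, per-source flow counts for one observation window."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for flow in flows:
        for kind in classify(flow):
            counts[kind][flow.src] += 1
    return counts


def flag_sources(flows: Iterable[Flow], thresholds=THRESHOLDS) -> dict[str, set[str]]:
    """Return {source: {vectors}} for every source that exceeded a threshold."""
    flagged: dict[str, set[str]] = defaultdict(set)
    for kind, per_src in count_vectors(flows).items():
        for src, n in per_src.items():
            if n > thresholds[kind]:
                flagged[src].add(kind)
    return dict(flagged)


def render_acl(flagged: dict[str, set[str]]) -> list[str]:
    """Emit Layer 3 drop rules (iptables syntax) for the flagged sources,
    sorted so the output is stable across runs."""
    return [
        f"iptables -A INPUT -s {src} -j DROP  # {', '.join(sorted(kinds))} flood"
        for src, kinds in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for rule in render_acl(flag_sources(SAMPLE_FLOWS)):
        print(rule)
```

Run against the constructed window it prints three drop rules, one each for the SYN, UDP/DNS and GET sources, and leaves the two low-volume hosts alone. The Layer 7 signature route the article also mentions would sit beside this, not replace it: thresholds catch volume regardless of payload, while Snort or YARA rules catch the bot's traffic or binary by content.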
One thing that is certain is Spike's Chinese origins: the company has published screenshots of its command-and-control interface, which is in Mandarin Chinese. By coincidence, or perhaps not, barely a fortnight ago Akamai warned of a separate piece of malware, Iptables and Iptablex, targeting Linux servers, also with a suspected Chinese origin.