Chinese 'Spike' DDoS botnet targets Windows, Linux and IoT devices

Multi-platform attack tool spells trouble, warns Akamai

Akamai's Prolexic division has warned of the growing threat from a Chinese toolkit that has started infecting Linux, Windows and embedded systems in order to launch DDoS attacks peaking at hundreds of Gigabits per second.

Dubbed the 'Spike' toolkit, the malware started life targeting Linux servers earlier in 2014 but now seems to have been ported to run on Windows (both PCs and servers), consumer and SME routers, and even Internet of Things (IoT) devices such as thermostats.

This means it can also infect Linux-based desktops and embedded devices running on ARM - to demonstrate this, Akamai's engineers were able to get the bot up and running on the humble Raspberry Pi home computer.

Capable of generating a surge of conventional SYN, UDP and GET traffic as well as DNS floods, the malware had already been responsible for a number of large botnet-driven attacks, including one in Asia that peaked at an alarming 215Gbps across its 'scrubbing' centres, according to Akamai.

Techworld was unable to confirm when this attack occurred, although Akamai did reveal that the target was an online entertainment firm. Traffic at this level would certainly have been noticed by mitigation providers, although the target probably had no inkling of its scale.

"This summer Akamai mitigated huge multi-vector DDoS attack campaigns that we traced to bots controlled by the new Spike DDoS toolkit," said Akamai's security business unit senior vice president, Stuart Scholly.

"This DDoS kit is designed to build botnets from devices and platforms that system administrators may not have thought to be at risk for botnet infection in the past. Enterprises need system hardening to prevent initial infection and DDoS protection to stop DDoS attacks from the Spike bots."

Spike's binaries were probably also detected by security firms such as Dr Web in August, Akamai suggested.

The warning appears to be that a Chinese multi-platform DDoS toolkit could be about to move out of its home terrain, but its underlying design is probably the most important element of this story. DDoS tools are getting more and more powerful, and part of that is the ability to attack not only servers but also the growing number of embedded, unmanaged systems that form the nascent IoT.

The good news is that the malware should be easy to spot, assuming people know how to defend against it. On servers, this means 'hardening' systems at Layer 3 using Access Control Lists (ACLs), or at Layer 7 using signatures for systems such as Snort or the YARA open source malware detection tool.
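As an added illustration (not code from the article, Akamai or the toolkit), the following script sorts constructed flow records into the vectors the article attributes to Spike (SYN, UDP and DNS floods) and flags targets hit by more than one at once; the record format, addresses and threshold are assumptions. GET floods are Layer 7 and would need request logs or signatures rather than flow data.

```python
"""Flag multi-vector floods (SYN / UDP / DNS) per target from flow records.
Added example; record layout and threshold are assumed, not Akamai's."""
from collections import defaultdict

# Constructed sample, one flow per line: "src dst proto dport tcp_flags".
SAMPLE_FLOWS = """\
10.0.0.1 203.0.113.10 tcp 80 S
10.0.0.2 203.0.113.10 tcp 80 S
10.0.0.3 203.0.113.10 tcp 80 S
10.0.0.4 203.0.113.10 udp 53 -
10.0.0.5 203.0.113.10 udp 53 -
10.0.0.6 203.0.113.10 udp 53 -
10.0.0.7 203.0.113.10 udp 123 -
10.0.0.8 203.0.113.20 tcp 443 S
10.0.0.9 203.0.113.20 tcp 443 S
10.0.0.10 203.0.113.20 tcp 443 A
10.0.0.11 203.0.113.30 tcp 80 S
10.0.0.11 203.0.113.30 tcp 80 S
10.0.0.11 203.0.113.30 tcp 80 S
"""

THRESHOLD = 3  # distinct sources per vector per target before it counts (assumed)


def parse_flow(line):
    src, dst, proto, dport, flags = line.split()
    return {"src": src, "dst": dst, "proto": proto, "dport": int(dport), "flags": flags}


def vector_of(flow):
    """Map one flow to the Spike vector it resembles, or None if it looks benign."""
    if flow["proto"] == "tcp" and flow["flags"] == "S":
        return "SYN"          # bare SYN, no ACK: half-open connection attempt
    if flow["proto"] == "udp" and flow["dport"] == 53:
        return "DNS"          # UDP to port 53: DNS flood
    if flow["proto"] == "udp":
        return "UDP"          # any other UDP: generic UDP flood
    return None


def detect_floods(text, threshold=THRESHOLD):
    """Return {dst: sorted vector names} for targets where a vector comes from
    at least `threshold` distinct sources, so one chatty host is not a botnet."""
    sources = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            vec = vector_of(flow)
            if vec:
                sources[flow["dst"]][vec].add(flow["src"])
    return {dst: hit for dst, vecs in sources.items()
            if (hit := sorted(v for v, s in vecs.items() if len(s) >= threshold))}
```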

One thing that is certain is Spike's Chinese origins: the company has published screenshots taken from its command and control interface, which is in Mandarin Chinese. By coincidence - or perhaps not - barely a fortnight ago, Akamai warned of a separate piece of malware, Iptables and Iptablex, targeting Linux servers, also with a suspected Chinese origin.

Stories by John E. Dunn