Spike DDoS toolkit details – frightening new DDoS botnet could potentially utilize Linux, Windows, and ARM IoT devices

// September 26th, 2014 // Hacking and Security


Partial disassembly of Spike DDoS toolkit code shows interesting hardcoded strings

Spike DDoS toolkit technical details

Spike DDoS capabilities

Security researchers have discovered an unusual, and frightening, new DDoS toolkit capable of infecting not only Windows and Linux computers but also routers and IoT devices (Internet of Things, e.g. smart thermostats). Dubbed Spike, it has been used in DDoS attacks peaking at 215 gigabits per second against targets in Asia and the United States. The toolkit interfaces found by Akamai are written in Mandarin Chinese, so the kit is believed to originate in China.

Thus far, no infected routers or IoT devices have been found, but given that Spike distributes an ARM payload in addition to 32-bit and 64-bit Linux binary payloads, infected IoT devices are believed to be either already out there or imminent. In addition, although Spike's command and control panel only provides facilities for building Linux and ARM payloads, Windows infections are believed to be possible as well.

Another distinguishing and unusual Spike feature is its ability to launch several different DDoS attack types simultaneously, each in its own thread. For example, an attacker could hit a single target with SYN, UDP, GET, ICMP, and DNS query floods at the same time.

Spike Command and Control (C2) interface reveals additional details

The toolkit consists of a typical command and control (C2) panel, binary payloads that run on the infected hosts, and DDoS payload builders. Thus far, only Windows-based variants of the C2 panel and payload builders (the toolkit administration side) have been discovered. Evidence for the infectious payloads leans heavily towards Linux-based systems (the C2 panel provides facilities for building 32-bit and 64-bit Linux binary payloads), but evidence of Windows-based payloads is growing, hinting that a different C2 panel binary may exist (either a newer version or a Linux-based version).

Below is a screenshot of the C2 panel (the interface language is Mandarin Chinese). The top pane lists the bots connected to the botnet. The first bottom tab is the interface for task information, while the remaining tabs provide administrative interfaces for the DDoS payloads that Spike supports: 32-bit Linux, 64-bit Linux, and ARM.


Screenshot showing Spike DDoS toolkit command and control panel interface (in Mandarin Chinese)

Indicators for identifying infected systems are still thin, but the binary payloads (both Linux and ARM) have been found to contain the strings “Mr.Black” and “VERS0NEX”. The same strings are also present in the initial “phone home” packet sent back to the command and control node (this initial packet also carries data about the infected machine, including its kernel version and CPU details).
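The two marker strings give defenders something to hunt for in network captures as well as on disk. The following Python is an added example, not code from the article or from Akamai: it implements a minimal libpcap reader for Ethernet/IPv4 captures, pulls the TCP or UDP payload out of each packet and reports every packet whose payload contains “Mr.Black” or “VERS0NEX” (the same content match a Snort rule would perform). The sample capture is constructed in memory, and the phone-home payload inside it is a placeholder that only demonstrates where the strings would be matched; it is not the real phone-home format.

```python
"""Hunt for the Spike/Mr.Black marker strings in a pcap capture.

Added example: minimal classic-pcap reader + IPv4 TCP/UDP payload extraction.
The sample capture at the bottom is constructed; its phone-home payload is a
placeholder, not the real layout.
"""
import socket
import struct

MARKERS = (b"Mr.Black", b"VERS0NEX")  # strings named in the article
LINKTYPE_ETHERNET = 1


def iter_pcap_records(data: bytes):
    """Yield (timestamp, frame) for each record of a classic pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24  # size of the pcap global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def transport_payload(frame: bytes):
    """Return (src, dst, proto, payload) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", ip, 2)
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:total_len]
    if proto == 6:  # TCP: data offset in 32-bit words is the high nibble of byte 12
        payload = l4[(l4[12] >> 4) * 4:]
    elif proto == 17:  # UDP: fixed 8-byte header
        payload = l4[8:]
    else:
        return None
    return src, dst, proto, payload


def find_markers(payload: bytes):
    """Return the marker strings present in a payload, in MARKERS order."""
    return [m.decode() for m in MARKERS if m in payload]


def scan_capture(pcap: bytes):
    """One hit record per packet whose transport payload carries a marker."""
    hits = []
    for ts, frame in iter_pcap_records(pcap):
        parsed = transport_payload(frame)
        if parsed is None:
            continue
        src, dst, proto, payload = parsed
        found = find_markers(payload)
        if found:
            hits.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "markers": found})
    return hits


# --- constructed sample capture (checksums left zero; enough for the parser) ---
def _frame(src, dst, proto, l4):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4


def _tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 512, 0, 0) + payload


def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_sample_pcap() -> bytes:
    """Two frames: a placeholder phone-home to a C2 address and an all-X UDP flood packet."""
    phone_home = b"Mr.Black|VERS0NEX|kernel=<placeholder>|cpu=<placeholder>"  # NOT the real layout
    frames = [
        _frame("192.168.20.62", "203.0.113.10", 6, _tcp(51517, 48080, phone_home)),
        _frame("192.168.20.62", "192.168.20.80", 17, _udp(56180, 80, b"X" * 1024)),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1411760380 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for hit in scan_capture(build_sample_pcap()):
        print(hit)
```

Run it against a real capture by passing the file contents to scan_capture(); only the placeholder phone-home frame should match in the constructed sample, while the 1024-byte all-X UDP datagram is parsed but produces no hit.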

Below are detailed characteristics regarding each of the possible attack vectors provided by Spike.

Spike Payloads (DDoS capabilities)

SYN flood

The command and control panel provides a default packet size of 40 bytes, which is exactly a 20-byte IPv4 header plus a 20-byte TCP header with no options and an empty payload. Below is an example of a default packet with a zero-byte payload as printed by tcpdump; in the ASCII dump, the leading “E..(” is the start of the IPv4 header (version/IHL byte 0x45, then total length 0x0028 = 40).

19:59:40.257221 IP 23.184.239.66.51517 > 192.168.20.80.80: Flags [S], seq 3376218112, win 512, length 0
E..(.=.........B...P.=.P.=......P...?$........

Spike DDoS toolkit options panel

UDP flood

The size of the UDP flood payload is supplied by the user. By default, the payload contains nothing but the letter X. Below is an example UDP flood packet (tcpdump reports the UDP payload length, here 1024 bytes).

20:03:06.480378 IP 192.168.20.62.56180 > 192.168.20.80.80: UDP, length 1024
E....."@.@......>...P.t.P....XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
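Both packet samples above are in the default tcpdump summary format, which makes them easy to triage in bulk. The following Python is an added example and not part of the article or of Akamai's advisory: it parses tcpdump summary lines like the two shown, buckets packets per destination per second, and raises an alert when a destination receives more than a threshold of empty-payload SYNs (the 40-byte Spike default) or UDP datagrams in one second, together with the number of distinct sources involved (spoofed SYN floods show many; the single-host UDP sample shows one). A helper also flags the all-X filler payload. The log lines are constructed to mirror the page's two samples and the thresholds are illustrative, not tuned values.

```python
"""Rate-based SYN/UDP flood triage over tcpdump summary lines (added example)."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
LEN_RE = re.compile(r"length (?P<len>\d+)")


def parse_line(line: str):
    """Return a dict for one tcpdump summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        kind = "udp"
    else:
        f = FLAGS_RE.search(rest)
        if not f:
            return None
        kind = "syn" if f.group("flags") == "S" else "tcp"  # "S" alone = pure SYN
    ln = LEN_RE.search(rest)
    return {
        "second": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "kind": kind,
        "length": int(ln.group("len")) if ln else 0,
    }


def detect_floods(lines, syn_per_sec=100, udp_per_sec=100):
    """Return alerts as (second, dst, kind, packet_count, distinct_sources)."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p is None or p["kind"] == "tcp":
            continue
        if p["kind"] == "syn" and p["length"] != 0:
            continue  # a SYN carrying data is not the empty-payload pattern
        key = (p["second"], p["dst"], p["kind"])
        counts[key] += 1
        sources[key].add(p["src"])
    alerts = []
    for key, n in sorted(counts.items()):
        second, dst, kind = key
        limit = syn_per_sec if kind == "syn" else udp_per_sec
        if n >= limit:
            alerts.append((second, dst, kind, n, len(sources[key])))
    return alerts


def payload_is_filler(payload: bytes) -> bool:
    """True when the whole payload is a single repeated byte (e.g. the all-X filler)."""
    return len(payload) > 0 and payload == payload[:1] * len(payload)


def sample_lines():
    """Constructed log: a spoofed SYN burst, a UDP burst, and a normal handshake."""
    lines = [
        f"19:59:40.{i:06d} IP 23.184.239.{i % 250 + 1}.{40000 + i} > 192.168.20.80.80: "
        f"Flags [S], seq {3376218112 + i}, win 512, length 0"
        for i in range(150)
    ]
    lines += [
        f"20:03:06.{i:06d} IP 192.168.20.62.{50000 + i} > 192.168.20.80.80: UDP, length 1024"
        for i in range(120)
    ]
    lines += [  # legitimate three-packet exchange that must not alert
        "20:03:07.100000 IP 192.168.20.5.44321 > 192.168.20.80.80: Flags [S], seq 1, win 29200, length 0",
        "20:03:07.100500 IP 192.168.20.80.80 > 192.168.20.5.44321: Flags [S.], seq 2, ack 2, win 28960, length 0",
        "20:03:07.101000 IP 192.168.20.5.44321 > 192.168.20.80.80: Flags [P.], seq 2:80, ack 3, win 229, length 78",
    ]
    return lines


if __name__ == "__main__":
    for alert in detect_floods(sample_lines()):
        print(alert)
```

Feed it `tcpdump -nn -l` output line by line; per-second buckets are deliberately coarse so the example stays readable, and a production detector would use a sliding window and per-port baselines.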

ICMP (ping) flood

Researchers found the implementation of this payload to be flawed: the default payload size specified in the command and control panel is 2048 bytes, but the implementation only produces a 12-byte payload.

DNS flood

The command and control panel allows specification of a target DNS server, the domain to query, and the number of threads to use. The toolkit generates random sub-domains of the specified domain and sends DNS queries for them.
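Random sub-domain queries defeat caching and force the target name server to answer (or return NXDOMAIN for) every request, but the same randomness is what makes them detectable. The following Python is an added example, not from the article or from Akamai: given (client, query name) pairs from a resolver or authoritative server log, it counts the distinct labels each client has asked for directly under a zone and flags clients that generate many labels whose characters look random (high Shannon entropy per label). The query log is constructed, and the thresholds are illustrative rather than tuned.

```python
"""Random-sub-domain DNS flood triage (added example)."""
import math
import random
from collections import defaultdict


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_of(qname: str, zone: str):
    """Return the label(s) below zone for qname, or None if qname is not under zone."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    if q == z or not q.endswith("." + z):
        return None
    return q[: -(len(z) + 1)]


def find_random_subdomain_sources(queries, zone, min_distinct=50, min_entropy=3.0):
    """queries: iterable of (client_ip, qname). Returns {client: (distinct_labels, mean_entropy)}.

    A client is a suspect when it asked for at least min_distinct different names under
    zone and the leftmost label of those names averages at least min_entropy bits/char.
    Real hostnames (www, mail, cdn01) sit well below 3 bits/char; random tokens sit above.
    """
    seen = defaultdict(set)
    for client, qname in queries:
        sub = subdomain_of(qname, zone)
        if sub is not None:
            seen[client].add(sub)
    suspects = {}
    for client, subs in seen.items():
        if len(subs) < min_distinct:
            continue
        mean_ent = sum(label_entropy(s.split(".")[0]) for s in subs) / len(subs)
        if mean_ent >= min_entropy:
            suspects[client] = (len(subs), round(mean_ent, 2))
    return suspects


def sample_queries():
    """Constructed log: one flooding client with random 16-char labels, one normal client."""
    rng = random.Random(2014)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    flood = [("198.51.100.7", "".join(rng.choices(alphabet, k=16)) + ".example.com.")
             for _ in range(200)]
    normal = [("192.168.20.5", n) for n in ("www.example.com.", "mail.example.com.",
                                             "www.example.com.", "cdn01.example.com.",
                                             "www.example.org.")]
    return flood + normal


if __name__ == "__main__":
    print(find_random_subdomain_sources(sample_queries(), "example.com"))
```

In practice the distinct-label count should be taken over a time window, and NXDOMAIN responses from the authoritative server are a cheaper first filter than entropy; the entropy check mainly separates a random-label flood from a legitimate burst against many real hostnames.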

GET flood

As with the UDP flood, the GET flood uses hardcoded values in the attack. The attacker can specify the target IP, port (default 80), number of threads (default 10), and maximum packets per second (default 20).

Spike – additional details

ARM proof-of-concept

Regarding the potential infection of IoT (ARM) devices, Akamai researchers were able to prove the concept by infecting a Raspberry Pi embedded device with the toolkit's ARM payload.

SNORT signature for IDS/IPS

Akamai has released a SNORT signature for anyone wishing to detect or block the toolkit's traffic with SNORT or a SNORT-signature-compatible IDS/IPS.

Sources: Akamai (registration required)