Spike DDoS Toolkit upgraded today to a high security risk

September 24, 2014 8:04 am


White Hat Synopsis of the Spike DDoS Toolkit and why you must take care.


“In 2014, Akamai has observed a trend in new distributed denial of service (DDoS) malware originating from Asia. These binaries have been targeting Linux operating systems principally, but now PLXsert has identified a new malware kit that can also infect Windows systems and embedded devices. Several iterations of the Spike DDoS toolkit can communicate and execute commands to infected Windows, desktop Linux and ARM-based devices running the Linux operating system (OS).


Binary payloads from this toolkit are dropped and executed after the successful compromise of targeted devices, which may include PCs, servers, routers, Internet of Things (IoT) devices (i.e., smart thermostat systems and washer/dryers) and home-based customer premises equipment (CPE) routing devices.”


What you need to know to protect your site from DDoS and getting r00t3d


There is a rising trend in botnet activity from Asia that has targeted Linux servers primarily, but is now diversifying and targeting Windows hosts, routers, CPE and ARM-compatible Linux distributions, as well.

DDoS attackers can gain additional resources by extending the range of devices that can be harnessed by a botnet.

The Spike DDoS botnet has produced significant DDoS attack campaigns.

The multi-platform binary payloads of the Spike DDoS toolkit add a unique diversity in bot infection with the introduction of ARM-based binary payloads.

These botnets will likely be used in attack campaigns against targets in regions beyond Asia, and against a variety of verticals.

Unless there are significant community cleanup efforts, this bot infestation is likely to spread.

There is likely to be a surge in the number of new Spike DDoS toolkit iterations that incorporate new payloads and signatures.

System administrators need to thoroughly check and harden devices that may not have been targeted or thought to be at risk for botnet infection in the past.


The toolkit has multiple DDoS payloads, including SYN flood, UDP flood, Domain Name System (DNS) query flood, and GET floods. Several campaigns have been reported against hosts in Asia and the U.S. Several Akamai customers have been targeted by DDoS attack campaigns launched from this botnet. One attack peaked at 215 gigabits per second (Gbps) and 150 million packets per second (Mpps).
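The four payload types named above (SYN flood, UDP flood, DNS query flood, GET flood) each leave a distinct per-packet fingerprint, so a defender can bucket packets by that fingerprint and alert when the rate toward one host exceeds a baseline. The script below is an added illustration of that detection idea; it is not code from Akamai, PLXsert or the Spike toolkit. It assumes packet summaries in the `PacketSummary` shape (timestamp, addresses, protocol, destination port, TCP flags and the first payload bytes), and its thresholds and the sample traffic it detects are constructed for the demonstration.

```python
"""Heuristic flood-type detector for packet summaries (added example).

Not Akamai's or the Spike toolkit's code. It assumes packet summaries with the
fields defined below and uses constructed per-second thresholds; a real
deployment baselines the thresholds against normal traffic for each host.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PacketSummary:
    ts: float                   # capture time in seconds
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    tcp_flags: str = ""         # e.g. "S" (SYN only), "SA", "PA"
    payload_head: bytes = b""   # first payload bytes, if captured


# Packets per second toward one destination above which a category is flagged.
# Constructed values for illustration only.
THRESHOLDS = {
    "syn_flood": 2000,
    "udp_flood": 2000,
    "dns_query_flood": 1000,
    "http_get_flood": 500,
}


def classify(pkt):
    """Map one packet to the flood category its fingerprint matches, or None."""
    if pkt.proto == "tcp":
        if pkt.tcp_flags == "S":                      # bare SYN, no handshake completion
            return "syn_flood"
        if pkt.dport in (80, 8080) and pkt.payload_head.startswith(b"GET "):
            return "http_get_flood"
    elif pkt.proto == "udp":
        if pkt.dport == 53:                           # queries aimed at a resolver
            return "dns_query_flood"
        return "udp_flood"                            # any other UDP volume
    return None


def detect_floods(packets, window=1.0):
    """Return {(dst, category): peak_pps} for categories that exceed their
    threshold in at least one time window of `window` seconds."""
    buckets = defaultdict(Counter)   # (dst, category) -> window index -> packet count
    for pkt in packets:
        cat = classify(pkt)
        if cat is None:
            continue
        buckets[(pkt.dst, cat)][int(pkt.ts // window)] += 1
    alerts = {}
    for key, per_window in buckets.items():
        peak = max(per_window.values()) / window
        if peak >= THRESHOLDS[key[1]]:
            alerts[key] = peak
    return alerts


def sample_traffic():
    """Constructed traffic toward 203.0.113.10: a SYN flood in second 10, a DNS
    query flood in second 11, and a handful of benign HTTP requests."""
    pkts = []
    for i in range(3000):   # 3000 bare SYNs within one second
        pkts.append(PacketSummary(10 + i / 3000, f"198.51.100.{i % 250}",
                                  "203.0.113.10", "tcp", 80, tcp_flags="S"))
    for i in range(1500):   # 1500 DNS queries within one second
        pkts.append(PacketSummary(11 + i / 1500, f"198.51.100.{i % 250}",
                                  "203.0.113.10", "udp", 53))
    for i in range(20):     # benign: 20 completed requests, well under threshold
        pkts.append(PacketSummary(10 + i / 20, "192.0.2.5", "203.0.113.10",
                                  "tcp", 80, tcp_flags="PA",
                                  payload_head=b"GET / HTTP/1.1"))
    return pkts


if __name__ == "__main__":
    for (dst, cat), pps in sorted(detect_floods(sample_traffic()).items()):
        print(f"{dst}: {cat} at {pps:.0f} pps")
```

The per-window counter is deliberately keyed on the destination rather than the source: the page notes that these payloads are launched from a botnet of many compromised hosts, so per-source rate limits miss a distributed flood while the victim-side aggregate still stands out.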


Read the full Spike DDoS Toolkit Risk Assessment from Akamai (pdf, hosted here)