Security Experts:

Large DDoS Botnet Powered by Routers Infected With “Spike” Malware

Researchers at Incapsula have identified a massive distributed denial-of-service (DDoS) botnet made up of hijacked small office and home (SOHO) routers.

According to a report published by the Imperva-owned security firm on Tuesday, several dozen of the company’s customers have been targeted over the past months by a DDoS botnet powered by tens of thousands of malware-infected routers engaged in application layer HTTP flood attacks.

Researchers have determined that the compromised devices are infected with a piece of malware known as Spike (Trojan.Linux.Spike.A) and MrBlack, a Linux bot first analyzed by the Russian security firm Dr.Web in May 2014.

Incapsula initially believed that the attackers had leveraged router firmware vulnerabilities in order to hijack the devices. However, experts determined that the malicious actors were able to easily compromise the routers because they had been remotely accessible via HTTP and SSH on their default ports, and their interface had been protected with default credentials (e.g. admin/admin). Malicious code injected into the devices was then used to scan for other routers that could be hijacked with the same technique.

The security firm noted in its report that most of the hijacked routers are ARM-based devices from wireless networking product manufacturer Ubiquiti Networks.

Incapsula analyzed a total of 13,000 malware samples found on the infected routers. On average, experts identified four variants of the Spike malware on each compromised device. They also spotted other DDoS threats, such as Dofloo, Mayday and BillGates.

The attacks against Incapsula’s customers started in late December 2014. Over a 121-day period, the company recorded attack traffic coming from more than 40,000 IP addresses spread across 1,600 global ISPs. Researchers also identified the IPs of 60 command and control (C&C) servers used by the attackers.

Attack traffic was traced back to devices located in a total of 109 countries, but more than 85 percent of the compromised routers are located in Thailand and Brazil.

According to Incapsula, the hijacked routers are being leveraged by several threat groups, including Anonymous hacktivists. Furthermore, the botnet is similar to the DDoS-for-hire service offered by the Lizard Squad, the group that became famous late last year after disrupting Sony’s PlayStation Network and Microsoft’s Xbox Live.

Reports on the Lizard Squad’s activities revealed that the group also uses hijacked routers in its attacks. Moreover, the timeline of the attacks observed by Incapsula coincides with Lizard Squad-related events, such as the launch of the DDoS-for-hire service, the disruption of the group’s website by Anonymous hacktivists, and the reemergence of the group on Twitter in April.

On the other hand, the Lizard Squad has been known to use a piece of malware detected as Linux.BackDoor.Fgt.1 to control its botnet, not Spike. This either means that the Lizard Squad has changed the malware it’s using, or that the malicious actors monitored by Incapsula are a group of copycats, experts noted.

Incapsula believes that hundreds of thousands -- possibly even millions -- of routers have been hijacked by malicious actors due to the poor security practices of ISPs, vendors and Internet users.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.