Security Experts:

Connect with us

Hi, what are you looking for?



Large DDoS Botnet Powered by Routers Infected With “Spike” Malware

Researchers at Incapsula have identified a massive distributed denial-of-service (DDoS) botnet made up of hijacked small office and home (SOHO) routers.

Researchers at Incapsula have identified a massive distributed denial-of-service (DDoS) botnet made up of hijacked small office and home (SOHO) routers.

According to a report published by the Imperva-owned security firm on Tuesday, several dozen of the company’s customers have been targeted over the past months by a DDoS botnet powered by tens of thousands of malware-infected routers engaged in application layer HTTP flood attacks.

Researchers have determined that the compromised devices are infected with a piece of malware known as Spike (Trojan.Linux.Spike.A) and MrBlack, a Linux bot first analyzed by the Russian security firm Dr.Web in May 2014.

Incapsula initially believed that the attackers had leveraged router firmware vulnerabilities in order to hijack the devices. However, experts determined that the malicious actors were able to easily compromise the routers because they had been remotely accessible via HTTP and SSH on their default ports, and their interface had been protected with default credentials (e.g. admin/admin). Malicious code injected into the devices was then used to scan for other routers that could be hijacked with the same technique.

The security firm noted in its report that most of the hijacked routers are ARM-based devices from wireless networking product manufacturer Ubiquiti Networks.

Incapsula analyzed a total of 13,000 malware samples found on the infected routers. On average, experts identified four variants of the Spike malware on each compromised device. They also spotted other DDoS threats, such as Dofloo, Mayday and BillGates.

The attacks against Incapsula’s customers started in late December 2014. Over a 121-day period, the company recorded attack traffic coming from more than 40,000 IP addresses spread across 1,600 global ISPs. Researchers also identified the IPs of 60 command and control (C&C) servers used by the attackers.

Attack traffic was traced back to devices located in a total of 109 countries, but more than 85 percent of the compromised routers are located in Thailand and Brazil.

According to Incapsula, the hijacked routers are being leveraged by several threat groups, including Anonymous hacktivists. Furthermore, the botnet is similar to the DDoS-for-hire service offered by the Lizard Squad, the group that became famous late last year after disrupting Sony’s PlayStation Network and Microsoft’s Xbox Live.

Reports on the Lizard Squad’s activities revealed that the group also uses hijacked routers in its attacks. Moreover, the timeline of the attacks observed by Incapsula coincides with Lizard Squad-related events, such as the launch of the DDoS-for-hire service, the disruption of the group’s website by Anonymous hacktivists, and the reemergence of the group on Twitter in April.

On the other hand, the Lizard Squad has been known to use a piece of malware detected as Linux.BackDoor.Fgt.1 to control its botnet, not Spike. This either means that the Lizard Squad has changed the malware it’s using, or that the malicious actors monitored by Incapsula are a group of copycats, experts noted.

Incapsula believes that hundreds of thousands — possibly even millions — of routers have been hijacked by malicious actors due to the poor security practices of ISPs, vendors and Internet users.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.