DDoS Attack Threats | Storm Network Stress Tester | Akamai Presentation
©2014 AKAMAI | FASTER FORWARD™
What is Storm Network Stress Tester
• Storm is an Asian crimeware kit designed for the creation of botnets for DDoS attacks
• Malicious actors use Storm to generate an executable payload
  • Users on other computers are then tricked into downloading and running the executable
• Once executed on a Windows XP (or higher) machine, Storm establishes remote administration (RAT) capabilities
• Attackers can then command infected computers to execute a DDoS attack against a target
Remote Administration (RAT)
• Once installed, Storm exposes RAT capabilities
• Attackers can:
  • Perform directory traversal
  • Upload and download files
  • Remotely execute commands
  • Activate DDoS attack capabilities
• These versatile capabilities allow for almost any form of cybercrime, including the extraction of sensitive personal data and the infection of other machines
DDoS Capabilities
• Storm supports up to four simultaneous DDoS attack types
• UDP, TCP, and ICMP attacks are all supported
• A single infected machine, using only a single attack type, was able to generate up to 12 Mbps of DDoS traffic
• Potential for massive attacks by exploiting a large number of infected hosts
Infection Targets
• Storm targets Microsoft Windows operating systems (XP and later)
• Execution of Storm payloads on Vista and later operating systems requires disabling User Account Control (UAC); XP lacks this feature
• However, sophisticated attackers have bypassed this limitation to increase the rate of infection
• Storm infection is still a threat to later operating systems
• Infection rates are likely to be much higher on XP
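Since the deck notes that Storm payloads need UAC disabled on Vista and later, a defender-side audit of the UAC policy is a natural check. The script below is an added example, not from the deck or the PLXsert advisory; it reads the standard Windows UAC policy values under the System policies key and flags the settings that would let an unprompted payload elevate.

```powershell
# Added example: audit the UAC policy values a Storm-style payload needs weakened.
# Registry path and value names are the standard Windows UAC policy settings.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac  = Get-ItemProperty -Path $path

$findings = @()

# EnableLUA = 0 turns UAC off entirely (the state the deck says Storm requires on Vista+).
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is disabled (EnableLUA != 1); set EnableLUA = 1 and reboot'
}

# ConsentPromptBehaviorAdmin = 0 elevates silently, so a payload run by an admin
# gets full rights without any consent dialog.
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'Admins elevate without prompting (ConsentPromptBehaviorAdmin = 0); set to 2 (prompt for consent on the secure desktop)'
}

# PromptOnSecureDesktop = 0 shows the consent dialog on the normal desktop,
# where other processes can overlay or automate it.
if ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += 'UAC prompt not on the secure desktop (PromptOnSecureDesktop != 1); set to 1'
}

if ($findings.Count -eq 0) {
    Write-Output 'UAC policy: OK (enabled, prompting, secure desktop)'
} else {
    Write-Output 'UAC policy: WEAK'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A value missing from the key is treated as weak, so a host with the key partially populated is reported rather than silently passed.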
The Chinese Connection
• The program contains multiple references to China in the code and filenames
  • e.g. “Windows China Driver”
• Windows XP is the dominant operating system in China: 60% of desktop computers use XP
• Storm appears to be designed to infect victims running XP operating systems in China
• A massive demographic of potential zombies means serious potential for massive, orchestrated DDoS attacks against targets worldwide
Command Structure
• Storm follows a client-server architecture
• Payloads are sent out from a command-and-control (C2) server
• Infected hosts connect back to the C2 and wait for commands
• The C2 can then manipulate the zombies through RAT commands and order DDoS attacks
If you are a target of a Storm Attack
• Attackers can easily use tools like Storm to set up and control botnets for DDoS attacks
• The Storm Network Stress Tester Threat Advisory by the Prolexic Security Engineering and Research Team (PLXsert) explains how to mitigate Storm DDoS attacks:
  • Attack signatures against Storm TCP, UDP, and ICMP attacks
  • Identifying strings in the binary and process names
Threat Advisory: Storm DDoS toolkit
• Download the threat advisory, Storm Network Stress Tester, at www.prolexic.com/storm
• This DDoS threat advisory includes:
  • Indicators of infection by the Storm kit
  • Architecture of the crimeware kit
  • Dropper payload generation and infection
  • Fortification methods
  • Command structure
  • DDoS attack types, payloads and attack signatures
About Prolexic (now part of Akamai)
• We have successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks, including those that exceed the capabilities of other DDoS mitigation service providers