

Storm Network Stress Tester: Emerging Cybersecurity Threat

Selected excerpts

The Security Engineering and Research Team (PLXsert) at Prolexic (now part of Akamai) recently published a Distributed Denial of Service (DDoS) threat advisory about a serious cyber security threat: Storm Network Stress Tester. The Storm Network Stress Tester DDoS threat advisory describes the cyber-attack, shares attack signatures and payloads for attack mitigation, and explains indicators of infection by the kit. Easy-to-use DDoS tools have allowed malicious actors to readily set up and control botnets. When coupled with high infection rates, attackers are able to launch major DDoS attacks against their targets. Storm Network Stress Tester, a crimeware toolkit recently analyzed by PLXsert, illustrates this evolving security threat. Storm targets Windows XP (or higher) operating systems, infecting computers with malicious software that turns them into attacker-controlled, obedient zombies. Once infected, malicious actors can manipulate the computers they control remotely, allowing an almost unlimited variety of abuse. Storm’s particular specialty is DDoS – up to four DDoS attack types are supported. A single infected computer running a single attack type can produce up to 12 Mbps of DDoS traffic.

What makes Storm so dangerous?

Once installed on a victim Windows machine, Storm exposes remote administration (RAT) capabilities, enabling malicious actors to remotely upload and download files, traverse directories, and execute programs – including downloading and running the four different DDoS attack vectors included in Storm. However, beyond simply enabling devastating DDoS attacks, these abilities can be used to force the infected zombie computer to perform almost any task, providing criminals with an all-purpose crimeware platform. Sensitive data can be extracted, other crimeware tools can be downloaded and run, and other computers can be infected.

Storm Network Stress Tester has a specific demographic target. China has a reputation for high rates of pirated software, and 60 percent of all desktop operating systems in the country still run Windows XP, making it the dominant operating system in China. Multiple references to China in the source code and file names, combined with the apparent targeting of pre-Vista operating systems, lead PLXsert to believe that Storm is targeting this massive pool of vulnerable Chinese computers for infection. PLXsert has concluded that there is a significant risk of this kit being used by malicious actors to launch extremely large, orchestrated botnet attacks against organizations worldwide.

What a Storm attack looks like

Figure 1 below shows the basic architecture of a Storm Stress Tester v3.5 tool attack, illustrating the relationship between the Command & Control server and the botnet under its control.

Figure 1: The architecture of a Storm Stress Tester v3.5 tool attack

Get the full Storm DDoS threat advisory (www.prolexic.com/storm) for a full analysis and mitigation techniques

In the threat advisory, PLXsert provides its cybersecurity analysis of the Storm kit:

● Indicators of this crimeware kit

● Architecture

● Dropper payload generation and infection

● Fortification methods

● Command structure

● DDoS attack types, payloads and attack signatures

About Akamai

Akamai® is the leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the Company’s solutions is the Akamai Intelligent Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.