DDoS Attack Threats | Storm Network Stress Tester | Akamai Presentation

About This Presentation
Title:

DDoS Attack Threats | Storm Network Stress Tester | Akamai Presentation

Description:

The Storm Network Stress Tester DDoS crimeware toolkit targets Windows XP (or higher) operating systems, infecting computers with malicious software that turns them into attacker-controlled, obedient zombies. Once infected, malicious actors can manipulate the computers they control remotely, allowing an almost unlimited variety of abuse. Find out more about this DDoS threat in the full Prolexic Storm Network Stress Tester Threat Advisory.

Slides: 11
Provided by: prolexickg
Category: Other


Transcript and Presenter's Notes

1
Storm Network Stress Tester Security Threat
  • Highlights from a Prolexic DDoS Threat Advisory

2
What is Storm Network Stress Tester?
  • Storm is an Asian crimeware kit designed for the
    creation of botnets for DDoS attacks
  • Malicious actors use Storm to generate an
    executable payload
  • Users on other computers are then tricked into
    downloading and running the executable
  • Once executed on a Windows XP (or higher)
    machine, Storm establishes remote administration
    (RAT) capabilities
  • Attackers can then command infected computers to
    execute a DDoS attack against a target

3
Remote Administration (RAT)
  • Once installed, Storm exposes RAT capabilities
  • Attackers can:
      – Perform directory traversal
      – Upload and download files
      – Remotely execute commands
      – Activate DDoS attack capabilities
  • These versatile capabilities allow for almost any
    form of cybercrime, including the extraction of
    sensitive personal data and the infection of
    other machines

4
DDoS Capabilities
  • Storm supports up to four simultaneous DDoS
    attack types
  • UDP, TCP, and ICMP attacks are all supported
  • A single infected machine, using only a single
    attack type, was able to generate up to 12 Mbps
    of DDoS traffic
  • Potential for massive attacks by exploiting a
    large number of infected hosts

5
Infection Targets
  • Storm targets Microsoft Windows operating
    systems (XP and later)
  • Execution of Storm payloads on Vista and later
    operating systems requires disabling User Account
    Control (UAC); XP lacks this feature
  • However, sophisticated attackers have
    bypassed this limitation to increase the rate
    of infection
  • Storm infection is still a threat to later
    operating systems
  • Infection rates likely to be much higher on XP

6
The Chinese Connection
  • The program contains multiple references to China
    in the code and filenames
      – e.g. "Windows China Driver"
  • Windows XP is the dominant operating system in
    China: 60% of desktop computers there use XP
  • Storm appears to be designed to infect victims
    running XP operating systems in China
  • Massive demographic of potential zombies means a
    serious potential for massive, orchestrated DDoS
    attacks against targets worldwide

7
Command Structure
  • Storm follows a client-server architecture
  • Payloads are sent out from a command-and-control
    (C2) server
  • Infected hosts connect back to C2 and wait for
    commands
  • The C2 can then manipulate the zombies through
    RAT commands and order DDoS attacks

8
If you are a target of a Storm Attack
  • Attackers can easily use tools like Storm to set
    up and control botnets for DDoS attacks
  • The Storm Network Stress Tester Threat Advisory
    by the Prolexic Security Engineering and Research
    Team (PLXsert) explains how to mitigate Storm
    DDoS attacks, including:
      – Attack signatures against Storm TCP, UDP, and
        ICMP attacks
      – Identifying strings in the binary and process
        names

9
Threat Advisory: Storm DDoS Toolkit
  • Download the threat advisory, Storm Network
    Stress Tester, at www.prolexic.com/storm
  • This DDoS threat advisory includes:
      – Indicators of infection by the Storm kit
      – Architecture of the crimeware kit
      – Dropper payload generation and infection
      – Fortification methods
      – Command structure
      – DDoS attack types, payloads and attack
        signatures

10
About Prolexic (now part of Akamai)
  • We have successfully stopped DDoS attacks for
    more than a decade
  • Our global DDoS mitigation network and 24/7
    security operations center (SOC) can stop even
    the largest attacks that exceed the capabilities
    of other DDoS mitigation service providers