The Security Engineering and Research Team (PLXsert) at Prolexic (now part of Akamai) recently
published a Distributed Denial of Service (DDoS) threat advisory about a serious cyber security
threat: Storm Network Stress Tester. The Storm Network Stress Tester DDoS threat advisory
describes the cyber-attack, shares attack signatures and payload for attack mitigation, and explains
indicators of infection by the kit.
Easy-to-use DDoS tools allow malicious actors to readily set up and control botnets. When
coupled with high infection rates, attackers are able to launch major DDoS attacks against their
target. Storm Network Stress Tester, a crimeware toolkit recently analyzed by PLXsert, illustrates
this evolving security threat.
Storm targets Windows XP (or higher) operating systems, infecting computers with malicious
software that turns them into attacker-controlled, obedient zombies. Once infected, malicious
actors can manipulate the computers they control remotely, allowing an almost unlimited variety
of abuse. Storm’s particular specialty is DDoS – up to four DDoS attack types are supported. A
single infected computer running a single attack type can produce up to 12 Mbps of DDoS
traffic.
What makes Storm so dangerous?
Once installed on a victim Windows machine, Storm exposes remote administration tool (RAT)
capabilities, enabling malicious actors to remotely upload and download files, traverse directories,
and execute programs – including downloading and running the four different DDoS attack
vectors included in Storm. However, beyond simply enabling devastating DDoS attacks, these
abilities can be used to force the infected zombie computer to perform almost any task, providing
criminals with an all-purpose crimeware platform. Sensitive data can be extracted, other
crimeware tools can be downloaded and run, and other computers can be infected.
Storm Network Stress Tester has a specific demographic target. China has a reputation for high
rates of pirated software, and 60 percent of all desktop operating systems in the country still run
Windows XP, making it the dominant operating system in China. Multiple references to China in
the source code and file names, combined with the apparent targeting of pre-Vista operating
systems, lead PLXsert to believe that Storm is targeting this massive pool of vulnerable Chinese
computers for infection. PLXsert has concluded that there is a significant risk of this kit being
used by malicious actors to launch extremely large, orchestrated botnet attacks against
What a Storm attack looks like
Figure 1 below shows the basic architecture of a Storm Stress Tester v3.5 tool attack,
illustrating the relationship between the Command & Control server and the botnet under its
control.
Figure 1: The architecture of a Storm Stress Tester v3.5 tool attack
Get the full Storm DDoS threat advisory (www.prolexic.com/storm) for a full analysis and
In the threat advisory, PLXsert provides its cybersecurity analysis of the Storm kit:
Indicators of this crimeware kit
Dropper payload generation and infection
DDoS attack types, payloads and attack signatures
Akamai® is the leading provider of cloud services for delivering, optimizing and securing online
content and business applications. At the core of the Company’s solutions is the Akamai Intelligent
Platform™ providing extensive reach, coupled with unmatched reliability, security, visibility and
expertise. Akamai removes the complexities of connecting the increasingly mobile world,
supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To
learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world,
please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.