Difference between revisions of "Reversing the wrath of Khan"
Revision as of 16:23, 7 February 2015
Reversing the wrath of Khan

Field | Value
---|---
Botnet | Khan
Malware | Khan_(bot)
Botnet/malware group |
Exploit kits |
Services |
Feature |
Distribution vector |
Target |
Origin |
Campaign |
Operation/Working group |
Vulnerability |
CCProtocol | HTTP
Date | 2012 / March 7, 2012
Editor/Conference | Arbor SERT
Link | http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf (arbornetworks.com, pdf; archive copy available)
Author | Jeff Edwards
Type |
Abstract

“This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan. Khan's primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult. One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers. Fortunately, there are ways of exploiting the subtle flaws in Khan's flooding engine to safely block its attacks. This is an interesting topic by itself, one that could easily take up an entire article; however today we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes such as ours.”
Bibtex

@misc{2012BFR923,
  editor = {Arbor SERT},
  author = {Jeff Edwards},
  title = {Reversing the wrath of Khan},
  date = {07},
  month = Mar,
  year = {2012},
  howpublished = {\url{http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf}},
}