Difference between revisions of "Reversing the wrath of Khan"

From Botnets.fr
 
 
(One intermediate revision by the same user not shown)
Previous revision:

{{Publication
|Image=Reversing the Wrath of Khan.png
|Document=
|Licence=
|Video=
|Link=http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf arbornetworks.com (pdf)
|Author=Jeff Edwards,
|NomRevue=The Arbor Networks Security Blog
|Date=March 7, 2012
|Editor=Arbor SERT
|Year=2012
|ISBN=
|Page=
|Abstract=This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.

Khan's primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult.  One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers.  Fortunately, there are ways of exploiting the subtle flaws in Khan's flooding engine to safely block its attacks.  This is an interesting topic by itself, one that could easily take up an entire article; however today we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes such as ours.
|Botnet=Khan,
|Malware=Khan_(bot),
|CCProtocol=HTTP,
|Operation=,
|Keyword=DDoS, Reverse-engineering,
}}

Current revision:

{{Publication
|Image=Reversing the Wrath of Khan.png
|Legend=
|Botnet=Khan,
|Malware=Khan_(bot),
|CCProtocol=HTTP,
|Operation=,
|Year=2012
|Date=2012-03-07
|Editor=Arbor SERT
|Link=http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf
|Author=Jeff Edwards,
|Type=White paper
|Abstract=This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.

Khan's primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult.  One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers.  Fortunately, there are ways of exploiting the subtle flaws in Khan's flooding engine to safely block its attacks.  This is an interesting topic by itself, one that could easily take up an entire article; however today we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes such as ours.
|Document=
|Licence=
|Video=
|NomRevue=The Arbor Networks Security Blog
|ISBN=
|Page=
|Keyword=DDoS, Reverse-engineering,
}}

Latest revision as of 16:55, 31 July 2015


Reversing the wrath of Khan

Image: Reversing the Wrath of Khan.png
Botnet: Khan
Malware: Khan_(bot)
CCProtocol: HTTP
Date: 2012 / 2012-03-07
Editor/Conference: Arbor SERT
Link: http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf (Archive copy)
Author: Jeff Edwards
Type: White paper

Abstract

This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.

Khan's primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult. One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers. Fortunately, there are ways of exploiting the subtle flaws in Khan's flooding engine to safely block its attacks. This is an interesting topic by itself, one that could easily take up an entire article; however today we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes such as ours.

Bibtex

 @misc{2012BFR923,
   editor = {Arbor SERT},
   author = {Jeff Edwards},
   title = {Reversing the wrath of Khan},
   date = {07},
   month = mar,
   year = {2012},
   howpublished = {\url{http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf}},
 }