Reversing the wrath of Khan

From Botnets.fr
Revision as of 00:09, 8 March 2012 by Eric.freyssinet (talk | contribs)

Type: Publication

Botnet: Khan
Malware: Khan_(bot)
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
C&C protocol: HTTP
Date: 2012 / March 7, 2012
Editor/Conference: Arbor SERT
Link: http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf (arbornetworks.com, pdf; an archive copy is also listed)
Author: Jeff Edwards

Abstract

This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan. Khan's primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult. One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers. Fortunately, there are ways of exploiting the subtle flaws in Khan's flooding engine to safely block its attacks. This is an interesting topic by itself, one that could easily take up an entire article; however, today we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes such as ours.

Bibtex

 @misc{2012BFR923,
   editor = {Arbor SERT},
   author = {Jeff Edwards},
   title = {Reversing the wrath of Khan},
   day = {07},
   month = mar,
   year = {2012},
   howpublished = {\url{http://ddos.arbornetworks.com/uploads/2012/03/Wrath-of-Khan1.pdf}},
 }