Reversing the wrath of Khan



Botnet: Khan
Malware: Khan_(bot)
C&C protocol: HTTP
Date: 2012-03-07
Editor/Conference: Arbor SERT
Link: (Archive copy)
Author: Jeff Edwards
Type: White paper


This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.

Khan's primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult. One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers. Fortunately, there are ways of exploiting the subtle flaws in Khan's flooding engine to safely block its attacks. This is an interesting topic by itself, one that could easily take up an entire article; however today we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes such as ours.


   editor = {Arbor SERT},
   author = {Jeff Edwards},
   title = {Reversing the wrath of Khan},
   date = {07},
   month = Mar,
   year = {2012},
   howpublished = {\url{}},