Reversing the Wrath of Khan
Analysis of the crypto used by the Trojan.Khan DDoS bot
A recent blog post described our analysis of the crypto algorithm used by the Armageddon DDoS malware. This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.
Khan’s primary purpose in life is to perform DDoS attacks; in fact, it goes to considerable effort to generate floods of HTTP requests that are intended to look like legitimate web traffic, in an attempt to make DDoS mitigation much more difficult. One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that victim web sites will be terrified of filtering out requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers. Fortunately, there are ways of exploiting the subtle flaws in Khan’s flooding engine to safely block its attacks. This is an interesting topic by itself, one that could easily take up an entire article; however, in today’s posting we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes (such as ours).
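The worry described above, that blocking spoofed crawler traffic will also block the real crawlers, can be addressed without knowing anything about Khan's internals: the major search engines publish the DNS domains their crawlers resolve to, so a request that claims a crawler User-Agent can be checked with a forward-confirmed reverse DNS lookup. The following is an added illustration, not code from the original post or from the report it links to; the log format, the sample IPs (from documentation ranges) and the fake resolver table are constructed for the example, and the crawler domain suffixes are the ones Google and Bing document for Googlebot and Bingbot.

```python
"""Forward-confirmed reverse DNS check for requests that claim to be search-engine crawlers.

Added example (not from the original post). Real lookups go through the system
resolver; the FakeResolver holds a constructed table so the example runs offline.
"""
import socket

# Hostname suffixes documented by the search engines for their crawlers.
CRAWLER_DOMAINS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


class SystemResolver:
    """Thin wrapper over the OS resolver (used in production, not in the test)."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except socket.herror:
            return None

    def forward(self, host):
        try:
            return socket.gethostbyname_ex(host)[2]
        except socket.gaierror:
            return []


class FakeResolver:
    """Constructed PTR/A tables standing in for DNS so the example is self-contained."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, host):
        return self.a.get(host, [])


def claimed_crawler(user_agent):
    """Return which crawler the User-Agent claims to be, or None."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name in ua:
            return name
    return None


def is_verified_crawler(ip, crawler, resolver):
    """Reverse-resolve ip, require a documented crawler domain, then confirm forward."""
    host = resolver.reverse(ip)
    if host is None:
        return False
    host = host.rstrip(".").lower()
    domains = CRAWLER_DOMAINS[crawler]
    if not any(host == d or host.endswith("." + d) for d in domains):
        return False  # PTR points somewhere other than the crawler's domain
    return ip in resolver.forward(host)  # the forward lookup must map back to ip


def parse_line(line):
    """Constructed minimal log format: <client ip> "<user agent>"."""
    ip, _, rest = line.partition(" ")
    return ip, rest.strip().strip('"')


def classify_log(lines, resolver):
    """Label each request as not-crawler, verified-crawler or spoofed-crawler."""
    verdicts = []
    for line in lines:
        ip, ua = parse_line(line)
        crawler = claimed_crawler(ua)
        if crawler is None:
            verdicts.append((ip, "not-crawler"))
        elif is_verified_crawler(ip, crawler, resolver):
            verdicts.append((ip, "verified-crawler"))
        else:
            verdicts.append((ip, "spoofed-crawler"))
    return verdicts


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BINGBOT_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"

# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.10 "%s"' % GOOGLEBOT_UA,   # genuine: PTR and A records agree
    '198.51.100.7 "%s"' % GOOGLEBOT_UA,   # PTR is an unrelated host
    '192.0.2.44 "%s"' % GOOGLEBOT_UA,     # PTR only looks like googlebot.com
    '192.0.2.9 "%s"' % BINGBOT_UA,        # PTR ok, forward lookup does not map back
    '192.0.2.200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0"',
]

# Constructed DNS tables for the sample addresses.
FAKE_DNS = FakeResolver(
    ptr={
        "203.0.113.10": "crawl-203-0-113-10.googlebot.com.",
        "198.51.100.7": "host7.example.net",
        "192.0.2.44": "crawl.googlebot.com.evil.example",
        "192.0.2.9": "msnbot-9.search.msn.com",
    },
    a={
        "crawl-203-0-113-10.googlebot.com": ["203.0.113.10"],
        "msnbot-9.search.msn.com": ["192.0.2.99"],
    },
)

if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG, FAKE_DNS):
        print(ip, verdict)
```

Requests labelled spoofed-crawler can be rate-limited or dropped without touching genuine crawler traffic; in production, swap `FAKE_DNS` for `SystemResolver()` and cache the results, since each check costs two DNS lookups.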
We named it Khan because the first sample we analyzed in depth was originally named khan.exe. Unfortunately, Khan is written in Delphi, which makes the task of reversing it a bit more unpleasant than if it had been written in nice, clean C or C++. In fact, we have seen quite a few new Delphi-based DDoS malware families lately, and are hoping that this is just a temporary blip and not a long-term trend.
Khan obfuscates its sensitive strings, in particular its command & control URLs, using a custom crypto algorithm. Breaking Khan’s encryption was another adventure in reversing Delphi-based malware. The complete analysis of Khan’s encryption algorithm, as well as a Khan decryption tool implemented in Python, is available in the following report:
Report: Wrath of Khan
This report represents the second installment in our ongoing series of articles describing the analysis and reversing of crypto systems found in contemporary DDoS malware.