Tag Archives : Crypto March 2012

Reversing the Wrath of Khan

By: jedwards -

Analysis of the crypto used by the Trojan.Khan DDoS bot 

A recent blog post described our analysis of the crypto algorithm used by the Armageddon DDoS malware.  This article continues our ongoing series on reversing the crypto mechanisms used by contemporary DDoS botnets; our guest of honor today will be a bot we have been calling Trojan.Khan.

Khan’s primary purpose in life is to perform DDoS attacks; in fact, it goes to a considerable effort to generate floods of HTTP requests that are intended to appear like legitimate web traffic, in an attempt at making DDoS mitigations much more difficult.  One of its techniques is to flood a victim with HTTP requests that appear to be crawler requests from search engines; this is presumably based on the quite reasonable expectation that the victim web sites will be terrified of filtering out web requests from such crawlers for fear of seriously impairing their page rankings at Google, Bing, etc., and thus becoming effectively invisible to potential customers.  Fortunately, there are ways of exploiting the subtle flaws in Khan’s flooding engine to safely block its attacks.  This is an interesting topic by itself, one that could easily take up an entire artile; however today’s posting we will focus instead on studying the crypto algorithm used by Khan to hide its sensitive strings from prying eyes (such as ours.)

We named it Khan because the first sample we analyzed in depth was originally named khan.exe.  Unfortunately, Khan is written in Delphi, which makes the task of reversing it a bit more unpleasant than if it had been written in nice, clean C or C++.  In fact, we have seen quite a few new Delphi-based DDoS malware families lately, and are hoping that this is just a temporary blip and not a long-term trend.

Not Another Dephi Bot!

Kkan obfuscates its sensitive strings, in particular it’s command & control URLs, using a custom crypto algorithm.  Breaking Khan’s encryption was another adventure in reversing Delphi-based malware.  The complete analysis of Khan’s encryption algorithm, as well as a Khan decryption tool implemented in Python, is available in the following report:

Report: Wrath of Khan

This report represents the second installment in our ongoing series of articles describing the analysis and reversing of crypto systems found in contemporary DDoS malware.

It’s 2012 and Armageddon has arrived

By: jedwards -

Breaking Armageddon’s latest and greatest crypto reveals some interesting new functionality

Armageddon is one of several notable Russian malware families that are designed exclusively for DDoS attacks; it has been on our radar screens for some time now. Its primary competitors within the market of Russian DDoS vendors are Dirt Jumper (a.k.a. RussKill), Darkness/Optima (a.k.a. Votwup), and of course BlackEnergy.

We’ve noticed that the Armageddon code base has undergone some relatively rapid evolution lately, and the purpose of this blog post is to report on some of the new functionality we have observed. With this latest release, the bot uses some new crypto protection to hide its features from casual observers; breaking this encryption revealed some interesting goodies…

It turns out that the latest version of Armageddon contains support for a few new flavors of DDoS flooding which have been customized to target certain types of web sites. The names of the commands give some indication of the gist of the attacks: .apacheflood, .vbulletinflood, .phpbbflood, The implementation of the .apacheflood command was of particular interest; it makes use of the following (decrypted) string when formulating its flooding requests:

Range: bytes=0-,5-0,5-1,5-2,5-3,5-4,,5-1299,5-1300

This string represents an optional HTTP header that turns out to be included in DDoS flooding requests generated by the bot when performing an .apacheflood attack; this string, along with another encrypted Armageddon string, Accept-Encoding: gzip, have been associated with the so-called “Kill Apache” attack, a type of highly assymetric low-bandwidth DDoS technique that has emerged relatively recently.

In a nutshell, the Kill Apache attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges. This can cause a surprisingly heavy load on the target server; in particular, certain versions of the Apache HTTP server handle such requests extremely poorly and in some cases can be brought to their knees by a single attacking client. To our knowledge, this is the first time that the Kill Apache attack has reared its ugly head in actual botnet code in the wild, as opposed to proof-of-concept and/or standalone attack tools.

Of course, once we have taken the liberty of prying open Armageddon’s kimono, it was straightforward to write a “fake Armageddon” client that phones home to the (decrypted) C&C URL strings, and engages in communication that impersonates a real bot. This allows us to gather additional intelligence on the activities and behavioral patterns of Armageddon; in particular, we can now monitor the various Armageddon botnets to log the targets that it attacks, and the types of DDoS floods uses in those attacks. Among other things, this technique allowed us to discover that at least one of the botnets powered by the most recent Armageddon code base took part in the DDos attacks related to the recent Russian election in early December. We will continue to keep a watchful eye on Armageddon going forward.
The full article reporting the details of reversing Armageddon’s crypto, a Python decryption script – and an overview of the findings that were revealed once the strings were decrypted – is available here:
Report: It’s 2012 and Armageddon has arrived

This article is intended to be the first in an upcoming series that will provide a guided tour of the inner workings of various crypto systems that are used by contemporary DDoS malware families in order to hide their communications and sensitive data – and how to go about breaking them!

Update: Today we found some similar analysis of Armageddon and its crypto by the team at Onthar’s Malware Research Laboratory:
http://onthar.in/articles/armageddon-sample-analysis/