Doesn't seem terribly useful. I mean it only obscures that it prints "ok". If you're looking at the logs, you probably already figured out someone is attacking you, and if you didn't, seeing "echo ok" will not help you figure it out.
lucianbr|1 year ago
If the only thing the command does is "obscure what it does", then the only thing it obscures is "obscure what it does". I guess there's no requirement that whoever writes these scripts is a genius.
Retr0id|1 year ago
People writing malware generally don't want to deploy it on honeypots, because then they're handing their payload (and other tradecraft) directly to analysts.
So often the first stage is an attempt at honeypot detection, or more broadly, device fingerprinting.
A bad honeypot might not even run a real /bin/sh, and this detects that right off the bat.
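The "does this box run a real /bin/sh" check described above, as an added example that is not code from the thread or from any malware sample it discusses. The probe string, the expected reply and the canned-response "fake shell" are all constructed for this illustration: the idea is that a probe whose correct answer requires real shell evaluation (arithmetic and parameter expansion) cannot be faked by a honeypot that only pattern-matches the command text.

```shell
#!/bin/sh
# Added example: honeypot detection via a shell-evaluation probe.
# A real POSIX sh must compute the reply; a honeypot that merely echoes
# back what follows "echo" produces something else and is flagged.
# PROBE/EXPECTED and fake_target are constructed for this example.

# A real sh evaluates this to "ok-4-bc" ($((2*2)) -> 4, ${x#a} -> bc).
PROBE='x=abc; echo "ok-$((2*2))-${x#a}"'
EXPECTED='ok-4-bc'

# Target 1: a real shell, runs whatever it is handed through /bin/sh.
real_target() {
    sh -c "$1"
}

# Target 2: a constructed naive honeypot. It recognises the word "echo"
# and replies with the literal argument text without evaluating it.
fake_target() {
    case "$1" in
        *echo*) printf '%s\n' "$1" | sed 's/.*echo //; s/"//g' ;;
        *) echo "sh: $1: command not found" ;;
    esac
}

# classify_shell TARGET_FUNC -> prints "real" or "honeypot"
classify_shell() {
    reply=$("$1" "$PROBE" 2>/dev/null)
    if [ "$reply" = "$EXPECTED" ]; then
        echo real
    else
        echo honeypot
    fi
}

# Stand-alone run: the real shell passes, the fake one is caught.
printf 'real sh -> %s\n' "$(classify_shell real_target)"
printf 'fake sh -> %s\n' "$(classify_shell fake_target)"
```

The defensive takeaway is the mirror image: a honeypot that wants to survive this first stage has to execute (or faithfully emulate) shell semantics, not just recognise command names, because the attacker is checking the computed output, not whether the command was "accepted".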