The new threat took its name from Greek mythology, as the Kovaloi were cunning, tiny followers of Dionysus.
ESET researchers have discovered Kobalos, a malware that attacks supercomputers – high-performance computing (HPC) clusters. ESET has worked with the CERN Computer Security Group and other organizations involved in tackling attacks on scientific research networks. Among the targets were a major Internet Service Provider (ISP) in Asia, an endpoint security solutions provider in North America, and several private servers.
ESET researchers have reverse engineered this small but sophisticated malware, which is portable to many operating systems, including Linux, BSD, Solaris and possibly AIX and Windows.
“We named this malware Kobalos because of its small code size and the cunning methods it applies. In Greek mythology, Kobalos is a small, cunning creature,” explains Marc-Etienne Léveillé, who studied Kobalos. “We should note that this level of sophistication is rarely seen in Linux malware,” adds Léveillé.
Kobalos is a backdoor whose commands do not reveal the intent of the attackers. “In short, Kobalos provides remote access to the system’s files, the ability to replay terminal sessions, and allows proxy connections to other Kobalos-infected servers,” says Léveillé.
Any server infected with Kobalos can be turned into a Command & Control (C&C) server with a single command from the operators. Since the IP addresses and ports of the C&C server are embedded in the executable, the operators can then build new Kobalos samples that use this new C&C server. In addition, on most systems infected with Kobalos, the SSH client on the infected machine steals credentials.
“The credentials of those using the SSH client on an infected machine are logged. These credentials can then be used by attackers to install Kobalos on the new server,” adds Léveillé. Setting up two-factor authentication for connecting to SSH servers would mitigate the threat, since the use of stolen credentials appears to be one of the ways it spreads to other systems.
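The mitigation named above, two-factor authentication for SSH logins, is something a defender can verify on every server rather than assume. The script below is an added example, not code from the article or from ESET: it audits an OpenSSH `sshd_config` and fails when any login path accepts a single factor, which is exactly the situation in which a password logged by a trojanised SSH client is enough to reach the next server. It assumes OpenSSH keyword syntax, takes the config path as an argument, and examines only the global section (before any `Match` block); the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from ESET: audit an OpenSSH
# sshd_config for logins that a single stolen password would satisfy.
# Assumptions: OpenSSH keyword syntax; config path passed as an argument;
# only the global section (before the first Match block) is examined.

# Print the effective value of keyword $1 in config file $2.
# sshd uses the first occurrence of a keyword, so stop at the first hit.
get_opt() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == tolower(key) {
            $1 = ""                               # drop the keyword ...
            sub(/^[ \t]+/, "")                    # ... and the gap after it
            print; exit
        }
    ' "$2"
}

# Return 0 only if every space-separated chain in an AuthenticationMethods
# value lists two or more comma-separated methods, so that no single secret
# is ever sufficient on its own.
all_chains_require_two() {
    [ -n "$1" ] || return 1
    for chain in $1; do
        case "$chain" in
            *,*) ;;                  # at least two methods in this chain
            *)   return 1 ;;         # one-method chain: one stolen secret logs in
        esac
    done
    return 0
}

# Audit one sshd_config. Returns 0 when every login path needs two factors,
# 1 otherwise; findings are printed to stdout.
audit_sshd_config() {
    cfg="$1"
    rc=0
    methods=$(get_opt AuthenticationMethods "$cfg")
    if all_chains_require_two "$methods"; then
        echo "PASS: AuthenticationMethods enforces two factors ($methods)"
    else
        echo "FAIL: login possible with one factor (AuthenticationMethods: ${methods:-unset})"
        rc=1
    fi
    # A logged password is only useful where password logins are still
    # accepted; OpenSSH defaults PasswordAuthentication to yes when unset.
    pw=$(get_opt PasswordAuthentication "$cfg" | tr 'A-Z' 'a-z')
    [ "${pw:-yes}" = "yes" ] && echo "WARN: PasswordAuthentication is ${pw:-unset (defaults to yes)}"
    return $rc
}

# Constructed sample configs (not real captures) to exercise the audit.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Password-only server: a captured password is all that is needed.
PasswordAuthentication yes
EOF

STRONG_CFG=$(mktemp)
cat > "$STRONG_CFG" <<'EOF'
PasswordAuthentication no
# Key plus a second, PAM-driven factor (one-time code via keyboard-interactive).
AuthenticationMethods publickey,keyboard-interactive
EOF

audit_sshd_config "$STRONG_CFG"
audit_sshd_config "$WEAK_CFG" || echo "(weak config fails the audit, as expected)"
```

Run it against `/etc/ssh/sshd_config` on each host; a non-zero exit is the signal to act on. The chain check matters: `AuthenticationMethods publickey keyboard-interactive` (space-separated) means either method alone is accepted and is reported as a failure, whereas `publickey,keyboard-interactive` (comma-separated) requires both.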
More technical details about Kobalos can be found in the blog post “Kobalos - A complex Linux threat to high performance computing infrastructure” on WeLiveSecurity.