ESET discovers Kobalos attacking supercomputers

The new threat took its name from Greek mythology, as the Kovaloi were cunning, tiny followers of Dionysus.

ESET researchers have discovered Kobalos, malware that attacks supercomputers – high-performance computing (HPC) clusters. ESET has worked with the CERN Computer Security Group and other organizations involved in tackling attacks on scientific research networks. Among the targets were a major Internet Service Provider (ISP) in Asia, an endpoint security solutions provider in North America, as well as several private servers.

ESET researchers have reverse engineered this small but complex malware, which is portable to many operating systems, including Linux, BSD, Solaris and possibly AIX and Windows.

"We named this malware Kobalos because of the small size of the code and the cunning methods it uses. In Greek mythology, Kovalos is a small, cunning creature," explains Marc-Etienne Léveillé, who studied Kobalos. "It should be noted that this level of complexity rarely occurs in Linux malware," adds Léveillé.

Kobalos contains commands that do not reveal the intent of the attackers. "In short, Kobalos provides remote access to ... It allows you to play terminal sessions and allows proxy connections to other servers that are infected with Kobalos," says Léveillé.

Any system infected by Kobalos can be turned into a Command & Control (C&C) server by the operators with a single command. As the IP addresses and ports of the C&C server are built into the executable, operators can then create new instances of Kobalos that use this new C&C server. Additionally, on most systems infected by Kobalos, the SSH client steals credentials.

"The credentials of those who use the SSH client on an infected machine are recorded. These credentials can then be used by intruders to install Kobalos on the new server," adds Léveillé. Setting up two-factor authentication for connecting to SSH servers will mitigate the threat, as the use of stolen credentials seems to be one of the ways in which it spreads to different systems.

More technical details about Kobalos can be found in the blog post "Kobalos - A complex Linux threat to high performance computing infrastructure" at WeLiveSecurity.


Written by newsbot
