Tiny Kobalos malware seen backdooring SSH tools, menacing supercomputers, an ISP, and more – ESET

ESET researchers say they have found a lightweight strain of malware that targets multiple OSes and has hit supercomputers, an ISP, and other organisations.
Nicknamed Kobalos, the software nasty is said to be portable to Linux, the BSDs, Solaris, and possibly AIX and Windows. ESET researchers Marc-Etienne M.Léveillé and Ignacio Sanmillan appear to have analysed primarily the Linux version of the code. Here's a summary of the key findings from their research:
  • How it gets onto servers is unclear, though systems infected by Kobalos have their SSH client tampered with to steal usernames and passwords, and presumably server addresses, that are typed into it. These details could be used by the malware's masterminds to log into those systems and propagate their malware, especially if the stolen username-password combos are for superuser-level or sudoers accounts. Thus, miscreants can gradually take over more and more machines, one account at a time, from just one compromised computer. Changing the SSH client will need admin-level access, we note, or some PATH shenanigans.

  • Kobalos is typically hidden in an infected machine's OpenSSH server executable and activates a backdoor if it receives a connection from a particular source TCP port, usually 55201. Once an encrypted connection is established, this backdoor can be used like a remote terminal, executing arbitrary commands entered by its operators.

  • The malware can also connect to a command-and-control (C2) server that links the software to its masterminds. An infected server can also act as a proxy between the operators and another compromised box. Public-facing IP addresses and port numbers for these C2 ..
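As an added illustration that is not part of ESET's research or this article, the following Python check flags inbound sshd connections whose source port is 55201, the trigger port the researchers describe. A normal SSH client picks a random ephemeral source port, so a fixed one is an anomaly worth alerting on in its own right; the log format assumed here is OpenSSH's verbose-level "Connection from ... port ..." line, and the sample lines are constructed.

```python
import re
from typing import Iterable

# Source port that, per the article, usually triggers the Kobalos backdoor.
KOBALOS_TRIGGER_PORT = 55201

# Assumed format of sshd's verbose-level connection line, e.g.
#   "Connection from 192.0.2.10 port 55201 on 10.0.0.5 port 22"
# Older releases omit the trailing "on ... port ..." part, so it is optional.
_CONN_RE = re.compile(
    r"Connection from (?P<src_ip>[\da-fA-F.:]+) port (?P<src_port>\d+)"
    r"(?: on (?P<dst_ip>[\da-fA-F.:]+) port (?P<dst_port>\d+))?"
)


def find_trigger_connections(lines: Iterable[str],
                             trigger_port: int = KOBALOS_TRIGGER_PORT) -> list:
    """Return connection records whose *source* port equals trigger_port."""
    hits = []
    for line in lines:
        m = _CONN_RE.search(line)
        if not m:
            continue  # not a connection line (e.g. "Accepted publickey ...")
        src_port = int(m.group("src_port"))
        if src_port == trigger_port:
            hits.append({
                "line": line.strip(),
                "src_ip": m.group("src_ip"),
                "src_port": src_port,
                "dst_port": int(m.group("dst_port")) if m.group("dst_port") else None,
            })
    return hits


# Constructed sample log lines (not real data) for a stand-alone run.
SAMPLE_LOG = [
    "Feb  2 10:14:03 node01 sshd[2231]: Connection from 198.51.100.7 port 50122 on 10.0.0.5 port 22",
    "Feb  2 10:14:09 node01 sshd[2240]: Connection from 192.0.2.10 port 55201 on 10.0.0.5 port 22",
    "Feb  2 10:15:11 node01 sshd[2251]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2",
    "Feb  2 10:16:40 node01 sshd[2262]: Connection from 203.0.113.4 port 55201",
]

if __name__ == "__main__":
    for hit in find_trigger_connections(SAMPLE_LOG):
        print(f"ALERT: source port {hit['src_port']} from {hit['src_ip']}: {hit['line']}")
```

Run it against the sshd log on a host with LogLevel set to VERBOSE or higher; a match is only a lead, since the backdoor is keyed on the port rather than the port proving compromise, so confirm by verifying the integrity of the sshd binary against the package manager's records.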