Kobalos Malware Mapping

by chebbi abir

On February 2nd the great team at ESET released their findings on malware being used to compromise UNIX-like systems, including various distributions of Linux and also FreeBSD, named Kobalos.

Malware that targets these platforms is always of great interest to me. Having started my career in high performance computing (HPC) and then having moved into hardened Linux system architecting, I can say that it is not often we get the chance to study widespread malware that targets these operating systems.

Kobalos is designed to replace the ssh client and server on a host. Once installed, the replacement ssh client collects the passwords users type to access remote hosts. As the listening service, it opens a backdoor when a client connects from the specific TCP source port 55201. This specific detail allows us to leverage Team Cymru’s Pure Signal™ threat reconnaissance solution to understand the potential size and scope of the Kobalos network.

Using a signature of TCP connections with a destination port of 22 and a source port of 55201, and removing noise such as syn-scanners and other noisy hosts, we were able to look at the past seven days of Internet activity. With these search parameters we see 3475 hosts across 1460 separate ASNs.
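The source-port signature described above, turned into a small flow-record hunt (an added example, not Team Cymru's own tooling): it keeps flows to port 22 from source port 55201, drops sources that behave like syn-scanners, and counts the remaining destination hosts and their ASNs. The flow fields, the noise heuristic and the sample records are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

# Kobalos opens its backdoor when a client reaches ssh (22) from source port 55201.
SSH_PORT = 22
KOBALOS_SRC_PORT = 55201

class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str    # TCP flags seen, e.g. "S" (bare SYN) or "SPA"
    payload: int  # payload bytes carried by the flow
    dst_asn: int  # ASN announcing dst_ip (assumed pre-enriched)

# Constructed sample records, not real observations.
SAMPLE_FLOWS = [
    # established sessions on the trigger port: candidate backdoor use
    Flow("198.51.100.7", 55201, "203.0.113.10", 22, "SPA", 4096, 64501),
    Flow("198.51.100.7", 55201, "203.0.113.11", 22, "SPA", 2048, 64501),
    Flow("198.51.100.7", 55201, "192.0.2.40", 22, "SPA", 1024, 64502),
    # syn-scanner: bare SYNs with no payload, sprayed across many targets
    *[Flow("198.51.100.200", 55201, f"203.0.113.{i}", 22, "S", 0, 64501)
      for i in range(20, 60)],
    # unrelated ssh traffic: wrong source port, never matches the signature
    Flow("198.51.100.8", 40000, "203.0.113.10", 22, "SPA", 4096, 64501),
]

def matches_signature(f: Flow) -> bool:
    return f.dst_port == SSH_PORT and f.src_port == KOBALOS_SRC_PORT

def is_noise(flows: list, max_targets: int = 16) -> bool:
    """Treat a source as scanner noise if it only sends bare SYNs without
    payload, or sprays the trigger port across many distinct targets."""
    bare_syn_only = all(f.flags == "S" and f.payload == 0 for f in flows)
    return bare_syn_only or len({f.dst_ip for f in flows}) > max_targets

def hunt(flows: list) -> dict:
    """Return candidate backdoored ssh servers and the ASNs they sit in."""
    by_src = defaultdict(list)
    for f in filter(matches_signature, flows):
        by_src[f.src_ip].append(f)
    hosts, asns = set(), set()
    for fl in by_src.values():
        if not is_noise(fl):
            hosts.update(f.dst_ip for f in fl)
            asns.update(f.dst_asn for f in fl)
    return {"hosts": hosts, "asns": asns}
```

On the constructed sample the scanner's forty bare SYNs are discarded, leaving three candidate servers in two ASNs; on real flow data the same host and ASN counts are what the article's figures report.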

To read the original article:

https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/
