Network Security, Threat Management

High-performance computing malware targeting Linux, Solaris and possibly Microsoft

Newly discovered malware is targeting several platforms of high-performance computing and other high profile systems.

ESET named the malware it discovered "Kobalos" after a mythologic, small, Greek trickster creature due to its small code size packing outsized complexity.

Though originally reported to a Linux malware system, the ESET team found Kobalos on a variety of platforms, said Marc-Étienne Léveillé, a senior malware researcher at the vendor.

"We've also seen it in Solaris and there are signs it may be in some Windows systems as well," he said.

Kobalos has an SSH credential harvester and extremely generic backdoor – so generic that ESET hasn't been able to determine the motives of the attacker. It's unclear if the goal has been to take advantage of the computing power, steal data or whatever else.

The attacks have been spread out between the U.S., Europe, and Asia, and have included HPC clusters as well as university systems, a large internet service provider, personal systems, and marketing and hosting firms.

Léveillé said that it's unusual to see cross platform attacks on HPC targets, though with a codebase that doesn't use any operating system-specific commands, it wouldn't be too hard to port from one system to another.

"It's very small and very well crafted," he said.

An interesting feature of the malware is that all infected systems can be leveraged as command and control servers.

The entire code for the malware is contained in a single function called recursively, making it harder to analyze.

Léveillé said that a good practice to thwart the malware would be to prevent the credential harvesting with tried and true methods.

"Something we've said since the WINDIGO paper: Our recommendation is to run two-factor identification on SSH," he said.

For the Linux users, that may be a less common practice. Léveillé notes there are multiple free options available including one from Google, though the Google option is no longer maintained.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.