back to article Tiny Kobalos malware seen backdooring SSH tools, menacing supercomputers, an ISP, and more – ESET

ESET researchers say they have found a lightweight strain of malware that targets multiple OSes and has hit supercomputers, an ISP, and other organisations. Nicknamed Kobalos, the software nasty is said to be portable to Linux, the BSDs, Solaris, and possibly AIX and Windows. ESET researchers Marc-Etienne M.Léveillé and …

  1. Potemkine! Silver badge

    They should have installed Linux instead!

    Oh, wait...

    1. don't you hate it when you lose your account

      Assuming your OS is (any OS) is safe is the fail. While the info given is useful, I'm more interested in the initial attack vector.

      1. Snake Silver badge

        Re: The Fail

        His point, and I am sure I'll get downvoted for this just as he did, was that up to 2 years ago the Linux users on this forum pretty much swore (on whatever device / deity / dead relative's grave you choose) that Linux was immune to such attacks.

        But now the tune has changed.

        He's just jostling people's short (and selective) memory, that's all.

        1. Anonymous Coward
          Anonymous Coward

          @Snake - Re: The Fail

          As long as they can't tell how malware gets onto Linux servers I still consider Linux secure enough. Describing what the malware does is of little importance since once presence is established with root privilege, all OS are equal from security point of view.

          Now pawning a server by simply sending it a specially crafted file, tcp packet or web page and without any user interaction, that gets my entire attention.

          I'm not giving you a down vote but in exchange you will have to explain us what are those attacks you mention.

          1. Potemkine! Silver badge

            Re: @Snake - The Fail

            you will have to explain us what are those attacks you mention.


            1. Peter Gathercole Silver badge

              The Fail @Potemkine!

              I am also a Linux user who has posted here about no OS being completely secure, but I'm afraid that you just pointing to the CVE database with a search term of Linux does not answer the ACs request for how this particular piece of malware got onto the system.

              If you look through all of the CVE database of known vulnerabilities for Linux, the overwhelming majority of them detail problems after someone has already gained access to a system. Yes, not all of them, but you can bet your last dollar on all of the remote access problems having patches produced very quickly. Whether they're applied...

              SSH is a common vector of attack, as it is almost certainly turned on for almost all Linux systems, so this is one that needs to be understood. But reading the papers referenced, they make no mention of how the systems were initially compromised, other than the fact that some of the sites appeared to be running old levels of software, which probably contain unpatched vulnerabilities.

              But the one method that is mentioned is that one of the libraries loaded by sshd is compromised to inject code that is then run by sshd, and the /usr/bin/sshd binary is then replaced. If the site was using tripwire or another similar facility, this should be detected quite quickly.

              Both of these operations require the attacker to gain a privileged process on the target, so this indicates either a remote root vulnerability, a method of obtaining a unprivileged process plus a privilege escalation vulnerability, or some seriously lax system administration.

              in fact, the papers comment on what Kobalos can do when it is on the system, but little about how it gets on to the system.

              I suspect (and this is pure guess work based on experience) that this has been a multistage attack. I would guess that one user's account was accessed through some means such as social engineering, then this account was used to steal that users SSH private keys. Because the HPC community is fairly well connected, it is possible that the same private keys were used to access several HPC sites (because of poor credential management by the initial user), and once in, an unpatched privilege escalation was then used to inject a credential stealer into sshd that then gathered information from all of the users of that system, and then on to other systems using the same model of attack.

              This type of attack is difficult to stop, because once private SSH keys have been leaked, especially if they are used on multiple systems, they are difficult to prevent being used except by a wholesale change of key pairs. This is why it is vitally important to use different keys for different systems, and to store the private keys in as few places as is absolutely needed. Also, keep your systems, especially those exposed directly to external users, patched and up-to-date!

              This problem is not unique to SSH keys, but many users (especially in the scientific community) are very bad at following any best practice that makes it more difficult for them to do their work (I worked supporting a top 100 HPC site, I know from personal experience!)

              I also suspect that this particular problem is pretty much contained within the scientific and HPC environments,

        2. HildyJ Silver badge

          Re: The Fail

          I agree with your assessment, Snake, that it a minorly amusing joke directed at all the fans whose OS could do no wrong. Apple fanbois are notorious for it and the Linux community has its fair share as well. The appropriate attitude should be "our bad."

          We should all remember that no OS is safe. A true Blue shop running z/OS with all IBM equipment probably comes closest. But for that kind of money you'd expect it.

        3. Maventi

          Re: The Fail

          Linux user here. All of you above are correct, except that some of us never claimed Linux was immune. :)

          Be careful everyone, and patch your systems no matter what you run. See you at the pub some time!

  2. DCFusor

    Then they tell their friends, and they tell THEIR friends and...

    Since this stuff steals SSH creds, it only takes that first compromise, then you have all those logins, which in turn get you all the ones on the next batch of systems which...

    The real initial vector could be as simple as social engineering on some middling important system somewhere.

    1. Anonymous Coward
      Anonymous Coward

      @DCFusor - Re: Then they tell their friends, and they tell THEIR friends and...

      You're correct but that vulnerability is not Linux speciffic.

      1. HildyJ Silver badge

        Re: @DCFusor - Then they tell their friends, and they tell THEIR friends and...

        The attack vector isn't. The code it installs is.

        There are mitigations for the attack vector but you should address OS protections against malware assuming that credentials have been compromised.

    2. Anonymous Coward
      Anonymous Coward

      @DCFusor - Re: Then they tell their friends, and they tell THEIR friends and...

      Like a credential theft performed on a Windows machine for exemple ?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022