ESET Discovers 21 New Linux Malware Families (zdnet.com)
In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
1 botnet used IP address ONLY (unusual as ICANN sinkholes those fast & I've seen an 'uptick' in it lately - perhaps hosts IS making a 'dent' in 'badguys': For that - you need a firewall block rule OR wait out ICANN).
No, you can easily block individual addresses through the routing table.
ip route add prohibit N.N.N.N
This works with networks too, like:
ip route add prohibit 185.224.136.0/23
If you have all of the nasties in a file, you can do something like this at startup, in an rc.local file or similar:
xargs -r -n1 </etc/ipblocklist ip route add prohibit
Also, while I have you here, many modern distros default to prefer DNS over /etc/hosts and only use /etc/hosts as a fallback, in which case your /etc/hosts list will not have any effect unless /etc/nsswitch.conf is modified.
Example line in /etc/nsswitch.conf that will not work:
hosts: dns [!UNAVAIL=return] files
Example line in /etc/nsswitch.conf that will work:
hosts: files dns
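An added example, not code from the thread, that covers both points of the comment above: it loads a blocklist file like /etc/ipblocklist into the routing table as prohibit routes, but validates each entry first (the xargs one-liner hands comments, blank lines and typos straight to "ip route add"), and it checks whether the hosts: line in an nsswitch.conf lists files before dns. The IP_CMD variable and the function names are assumptions of this example; set IP_CMD=echo for a dry run before touching the live table.

```shell
#!/bin/sh
# Added example, not from the original thread. IP_CMD is an assumed hook:
# IP_CMD=echo prints the routes that would be added instead of adding them.
IP_CMD="${IP_CMD:-ip}"

# is_ipv4_prefix A.B.C.D[/N]: 0 for a well-formed IPv4 address or CIDR
# prefix, 1 otherwise (a bare address is treated as a /32 host route).
is_ipv4_prefix() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in *[!0-9]*|'') return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    oldIFS="$IFS"; IFS=.
    set -- $addr
    IFS="$oldIFS"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in *[!0-9]*|'') return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_blocklist FILE: add a prohibit route for every valid entry in FILE.
# '#' comments and blank lines are skipped; malformed entries are reported on
# stderr and counted in the return value so a bad file does not go unnoticed.
load_blocklist() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"
        [ -n "$entry" ] || continue
        if is_ipv4_prefix "$entry"; then
            "$IP_CMD" route add prohibit "$entry"
        else
            echo "skipping malformed blocklist entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# hosts_prefers_files FILE: 0 if the "hosts:" line in an nsswitch.conf names
# "files" before "dns" (so /etc/hosts entries take effect), 1 otherwise.
hosts_prefers_files() {
    order="$(sed -n 's/^hosts:[[:space:]]*//p' "$1")"
    set -- $order
    for src in "$@"; do
        case "$src" in files) return 0;; dns) return 1;; esac
    done
    return 1
}

[ $# -eq 0 ] || load_blocklist "$1"   # usage: sh blocklist.sh /etc/ipblocklist
```

Run it as root only after a dry run with IP_CMD=echo has shown exactly the routes you expect.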