VIRTUALPITA (LINUX)
Mandiant discovered two (2) additional VIRTUALPITA samples listening on TCP port 7475 that were persistent as an init.d startup service on Linux vCenter systems. To disguise themselves, the binaries shared the name of the legitimate binary ksmd. KSMD (Kernel Same-Page Merging Daemon) is normally in charge of memory-saving de-duplication on Linux and would not be listening on this port. The samples were found under the following directories:

/usr/libexec/setconf/ksmd (MD5: 744e2a4c1da48869776827d461c2b2ec)
/usr/bin/ksmd (MD5: 93d50025b81d3dbcb2e25d15cae03428)
These backdoors were capable of arbitrary command execution, file transfer capabilities and the ability to start/stop vmsyslogd.