Colin Miller

You can also use fail2ban.

This is a small script that monitors your logs for N occurrences of regexp X in Y seconds from the same IP number. If this is reached, then it carries out an action, and a second action after Z seconds.

By default it monitors /var/log/auth.log, looking for ssh login failures (either wrong password, or non-existent/no-login user). If this occurs 5 times in 10 minutes, then it will invoke iptables to block all incoming traffic from that IP number to your ssh server, and then automatically unban it 10 minutes later. It can also be set to email you an alert.

It is possible to have it monitor itself, so if the same IP address gets banned 5 times in a day, they get a week's ban (tweak to your inner BOFH's content).
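The counting logic the post describes (N matches of a regexp within Y seconds from one IP, ban, automatic unban after Z seconds, and a second tier for repeat offenders like the recidive jail), written out as an added Python example. This is not fail2ban's own code and not from the post: it assumes one simplified `Failed password` pattern rather than the stock filter's full failregex list, a fixed year for the year-less syslog timestamps, constructed sample log lines, and it records ban/unban actions in a list instead of invoking iptables.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sshd failure shape fail2ban's sshd filter matches (assumption: the
# real filter carries many more failregex lines than this single pattern).
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample


def parse_failure(line):
    """Return (timestamp, source_ip) for an ssh failure line, else None."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("host")


class Jail:
    """Sliding-window ban logic: maxretry hits within findtime from one IP
    => ban for bantime. A second tier mimics the recidive jail: once the same
    IP collects escalate_after bans within escalate_window, the ban lasts
    escalate_bantime instead. Actions are recorded rather than sent to iptables."""

    def __init__(self, maxretry=5, findtime=timedelta(minutes=10),
                 bantime=timedelta(minutes=10), escalate_after=5,
                 escalate_window=timedelta(days=1),
                 escalate_bantime=timedelta(days=7)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.escalate_after = escalate_after
        self.escalate_window, self.escalate_bantime = escalate_window, escalate_bantime
        self.failures = defaultdict(deque)     # ip -> timestamps of recent failures
        self.ban_history = defaultdict(deque)  # ip -> timestamps of earlier bans
        self.banned = {}                       # ip -> datetime the ban expires
        self.actions = []                      # ("ban", ip, at, until) / ("unban", ip, at)

    def _expire_bans(self, now):
        """Lift bans whose bantime has elapsed (fail2ban does this on a timer;
        here it is driven by the timestamp of each processed log line)."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(("unban", ip, until))

    def _ban(self, ip, now):
        hist = self.ban_history[ip]
        hist.append(now)
        while now - hist[0] > self.escalate_window:  # only bans within the window count
            hist.popleft()
        duration = (self.escalate_bantime if len(hist) >= self.escalate_after
                    else self.bantime)
        self.banned[ip] = now + duration
        self.actions.append(("ban", ip, now, now + duration))

    def feed(self, line):
        hit = parse_failure(line)
        if hit is None:
            return
        ts, ip = hit
        self._expire_bans(ts)
        if ip in self.banned:
            return  # the firewall rule would already be dropping this client
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self._ban(ip, ts)
            window.clear()


# Constructed sample in the shape sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = [
    "Mar 14 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "Mar 14 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2",
    "Mar 14 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 50003 ssh2",
    "Mar 14 10:02:10 host sshd[1210]: Failed password for alice from 198.51.100.20 port 41000 ssh2",
    "Mar 14 10:02:20 host sshd[1211]: Accepted publickey for alice from 198.51.100.20 port 41001 ssh2",
    "Mar 14 10:03:09 host sshd[1204]: Failed password for root from 203.0.113.7 port 50004 ssh2",
    "Mar 14 10:03:11 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 50005 ssh2",
    "Mar 14 10:14:00 host sshd[1220]: Failed password for bob from 198.51.100.20 port 41002 ssh2",
]


def run_sample():
    """203.0.113.7 fails 5 times in ~3 minutes and is banned; the two spaced-out
    failures from 198.51.100.20 fall outside one findtime window and are not."""
    jail = Jail()
    for line in SAMPLE_AUTH_LOG:
        jail.feed(line)
    return jail.actions


def run_repeat_offender(ip="203.0.113.7", rounds=5):
    """Constructed: the same IP comes back every 12 minutes after each 10-minute
    ban lapses; its fifth ban within a day becomes a week-long one."""
    jail = Jail()
    base = datetime(LOG_YEAR, 3, 14, 12, 0, 0)
    for r in range(rounds):
        for i in range(jail.maxretry):
            ts = base + timedelta(minutes=12 * r, seconds=i)
            jail.feed(f"{ts:%b %d %H:%M:%S} host sshd[{2000 + r}]: "
                      f"Failed password for root from {ip} port {51000 + i} ssh2")
    return jail.actions


if __name__ == "__main__":
    for action in run_sample() + run_repeat_offender():
        print(*action)
```

Unbanning is driven by log timestamps here only so the example runs offline over a fixed input; fail2ban itself keeps a timer, so a ban expires even when no further lines arrive.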

