Linux trojan takes screenshots every 30 seconds, has ability to record sound

Researchers have uncovered a new Trojan horse for Linux that takes screenshots every 30 seconds and is capable of recording sound.

The team at Russian anti-virus company Dr Web has published a blog post on the malware, which it calls Linux.Ekoms.1.

Upon installation, the malware checks for two files related to Dropbox or Mozilla Firefox:

  • .mozilla/firefox/profiled
  • .dropbox/DropboxCache

If either of the files is found to be present, the Linux.Ekoms.1 Trojan makes a copy of itself using the filename, and launches itself from a new directory.

Here is where the fun begins.

After connecting to a third-party server (using an address hardcoded into its code), the malware begins secretly taking screenshots in JPEG or BMP format, uploading them to the server over an encrypted connection.
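A fixed-cadence capture-and-upload loop tends to leave a telltale pattern in outbound connection logs: repeated connections from one host to one destination at a near-constant interval. The detector below is an added example, not code from the article or from Dr Web, and it assumes that uploads follow the 30-second screenshot cadence (the article only states the screenshot interval, not the upload interval). The log format, the addresses and the sample lines are constructed for the example, and the function names are this example's own.

```python
"""Periodic-connection (beaconing) check over outbound connection log lines.

Added example; it assumes a simple constructed log format of
"<ISO timestamp> <src> <dst:port>" per line and that uploads happen at the
same fixed cadence as the screenshots. Addresses use documentation ranges."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: one host talking to two destinations. The first
# destination is contacted every ~30 s; the second at irregular intervals.
SAMPLE_LOG = """\
2016-01-19T10:00:00 10.0.0.5 203.0.113.7:443
2016-01-19T10:00:30 10.0.0.5 203.0.113.7:443
2016-01-19T10:01:00 10.0.0.5 203.0.113.7:443
2016-01-19T10:01:31 10.0.0.5 203.0.113.7:443
2016-01-19T10:02:00 10.0.0.5 203.0.113.7:443
2016-01-19T10:02:30 10.0.0.5 203.0.113.7:443
2016-01-19T10:00:12 10.0.0.5 198.51.100.20:443
2016-01-19T10:00:40 10.0.0.5 198.51.100.20:443
2016-01-19T10:03:05 10.0.0.5 198.51.100.20:443
2016-01-19T10:09:50 10.0.0.5 198.51.100.20:443
2016-01-19T10:11:02 10.0.0.5 198.51.100.20:443
2016-01-19T10:11:07 10.0.0.5 198.51.100.20:443
"""


def parse_log(text):
    """Group timestamps by (src, dst) pair from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps):
    """Return connection count, mean inter-arrival gap (seconds) and the
    coefficient of variation of the gaps, or None if there are too few."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return {"count": len(ts), "mean_gap": m, "cv": cv}


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs with enough connections and low interval jitter.

    A low coefficient of variation means the gaps are nearly constant, which
    is what a timer-driven upload loop produces; the thresholds are tunable."""
    beacons = []
    for (src, dst), stamps in parse_log(text).items():
        stats = interval_stats(stamps)
        if stats and stats["count"] >= min_connections and stats["cv"] <= max_cv:
            beacons.append((src, dst, round(stats["mean_gap"], 1), round(stats["cv"], 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {gap}s (cv={cv})")
```

On the constructed input only the 203.0.113.7 series is flagged, with a mean gap of 30 seconds. Legitimate software (chat clients, update checkers, monitoring agents) beacons too, so treat a hit as a triage lead to be checked against the process that owns the connection, not as a verdict.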

It would appear, however, that taking screenshots is not the only capability the malware has up its sleeve.

"Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format."

Dr Web's researchers admit, however, that the sound-capture functionality does not appear to be in use yet, perhaps indicating that that side of its spying is a work in progress.

Malware is becoming a more frequent occurrence on machines running Linux. It's not at all unusual to find Linux servers that have been hijacked into botnets, and recently ransomware has begun to rear its ugly head on the platform.

For instance, back in November, Dr Web discovered Linux.Encoder.1, a form of ransomware that encrypts a variety of common file extensions and demands up to four Bitcoins in exchange for the decryption key.

It wasn't long, however, before researchers at Bitdefender spotted a flaw in the malware's generation of the AES key, thereby allowing them to develop a free decryption key for affected users.

For those who think they might be infected by Linux.Ekoms.1, Dr Web recommends that they run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.

As a general preventive measure, users should also implement software patches whenever available, maintain an up-to-date anti-virus product on their machines, and exercise caution when clicking on suspicious links found in emails.

9 Responses

  1. Trev

    January 19, 2016 at 10:11 pm #

    How are machines being infected with Linux.Ekoms.1 though?

    Would be good to know where it's coming from.

    • Woland in reply to Trev.

      January 21, 2016 at 5:16 am #

      You should install it manually from the hacker's repo

  2. Mohan Pednekar

    January 20, 2016 at 3:23 am #

    Would this not be detected by Avast or AVG? Why only Dr Web?

  3. Petd

    January 20, 2016 at 4:17 am #

    "using an address hardcoded into its code", why nobody downed the server yet?

  4. Garp

    January 20, 2016 at 12:29 pm #

    Neat trick. Tell the world (or just really gullible journalists) that some form of 'Bad Thing' is hitting an OS known to not have those things hit it, but don't tell *HOW* it gets on a users system, and make sure the world (or gullible journalist) knows that only they, the discoverer, has the fix and the way to find it on your system.

    Talk about falling for phishing!

  5. jscott

    January 20, 2016 at 12:51 pm #

    To put this in perspective… You could fit all the victims of Linux viruses who have been SERIOUSLY hurt in a small room. I trust Linux. As we speak this problem has probably already been resolved.

  6. Jeff Small

    January 20, 2016 at 2:18 pm #

    You're a security journalist? The link you provided doesn't go to the description of the trojan you are discussing. You didn't put in any information about how it is spread, what to do to protect against or any other actions. Just a scare article of fluff.

    • Graham Cluley in reply to Jeff Small.

      January 20, 2016 at 2:25 pm #

      David's article links to the Dr Web technical analysis of the Trojan horse: http://vms.drweb.com/virus/?i=7924647&lng=en

      Trojan horses (unlike worms or viruses) do not replicate under their own steam, so it often isn't possible to describe how they might have been spread. Possibilities include, however, that the malware could be planted by malicious hackers on computers that contain vulnerabilities. There are plenty enough of them around…

      Ways to protect yourself include searching to see if files matching the SHA1 (3790284950a986bc28c76b5534bfe9cea1dd78b0) are on your computer and running up-to-date anti-virus software on your computer that identifies the malware.

      Nowhere in its description does Dr Web say that the malware is widespread, but it is surely still worth reminding Linux users that malware is not purely a Windows problem.

  7. Holdon M

    January 20, 2016 at 3:57 pm #

    You failed to address the point that only Dr. Web can fix it. Failing to do that is essentially a confession you're just plugging one product and spreading Fear, Uncertainty and Doubt along the way.
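The article names two file paths the Trojan looks for under a user's home directory, and Graham Cluley's reply above gives the SHA1 of the sample as a way to check a machine. The script below turns both into a small host-triage check. It is an added example, not Dr Web's scanner or code from the article: the function names are this example's own, the indicator paths and SHA1 come from the page, and the demo builds a throwaway home directory with a constructed placeholder file (hashed on the fly) so the hash check can be exercised without any real sample.

```python
"""Host triage for the Linux.Ekoms.1 indicators named on the page.

Added example. It (1) reports which of the two indicator paths exist under a
home directory and (2) walks a directory tree hashing regular files with
SHA-1 to find any matching a known indicator hash. All sample files are
constructed in a temporary directory."""
import hashlib
import os
import tempfile
from pathlib import Path

# Paths the Trojan checks for on install (from the Dr Web write-up), relative
# to a user's home directory.
EKOMS_INDICATOR_PATHS = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")

# SHA1 of the Linux.Ekoms.1 sample as quoted in the comment thread.
EKOMS_SHA1 = "3790284950a986bc28c76b5534bfe9cea1dd78b0"


def sha1_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-1 so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_indicator_paths(home):
    """Return the indicator paths that exist under `home`.

    The Trojan copies itself to one of these names only when it already
    exists, so a hit here means 'worth hashing', not 'infected'."""
    home = Path(home)
    return [rel for rel in EKOMS_INDICATOR_PATHS if (home / rel).exists()]


def find_files_with_sha1(root, sha1_hex, follow_symlinks=False):
    """Walk `root` and return every regular file whose SHA-1 equals `sha1_hex`.

    Unreadable files and special files are skipped rather than aborting, since
    a scan over whole partitions will hit permission errors and device nodes."""
    wanted = sha1_hex.lower()
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                if sha1_of_file(full) == wanted:
                    hits.append(full)
            except OSError:
                continue
    return sorted(hits)


def triage_home(home, sha1_hex=EKOMS_SHA1):
    """Run both checks against one home directory and return a report dict."""
    return {
        "indicator_paths": find_indicator_paths(home),
        "hash_matches": find_files_with_sha1(home, sha1_hex),
    }


def demo():
    """Build a constructed home directory and triage it.

    A benign placeholder stands in for the sample; its SHA-1 is computed here
    and passed in, so the match logic runs without any real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".dropbox").mkdir()
        (home / ".dropbox" / "DropboxCache").write_bytes(b"constructed placeholder\n")
        (home / "notes.txt").write_bytes(b"unrelated file\n")
        placeholder_sha1 = sha1_of_file(home / ".dropbox" / "DropboxCache")
        report = triage_home(home, placeholder_sha1)
        # Report paths relative to the home directory so output is stable.
        report["hash_matches"] = [os.path.relpath(p, home) for p in report["hash_matches"]]
        return report


if __name__ == "__main__":
    print(demo())
```

Against a real machine you would call `triage_home(os.path.expanduser("~"))` with the default hash, or point `find_files_with_sha1` at `/` for the full-partition scan Dr Web recommends. A hash match is exact-sample only: a recompiled or repacked build will not match, which is why the article also recommends keeping anti-virus signatures current rather than relying on one hash.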