Linux trojan takes screenshots every 30 seconds, has ability to record sound

David Bisson

Researchers have uncovered a new Trojan horse for Linux that takes screenshots every 30 seconds and is capable of recording sound.

The team at Russian anti-virus company Dr Web has published a blog post on the malware, which it calls Linux.Ekoms.1.

Upon installation, the malware checks for two files related to Dropbox or Mozilla Firefox:

  • .mozilla/firefox/profiled
  • .dropbox/DropboxCache

If either of the files is found to be present, the Linux.Ekoms.1 Trojan makes a copy of itself using the filename, and launches itself from a new directory.

Here is where the fun begins.

After connecting to a third-party server (using an address hardcoded into its code), the malware begins secretly taking screenshots in JPEG or BMP format, uploading them to the server over an encrypted connection.

It would appear, however, that taking screenshots is not the only capability the malware has up its sleeve.

“Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format.”

Dr Web’s researchers admit, however, that the sound-capture functionality does not appear to be used by the Trojan – perhaps indicating that this side of its spying is a work in progress.

Malware is becoming a more frequent occurrence on machines running Linux. It’s not at all unusual to find Linux servers that have been hijacked into botnets, and recently ransomware has begun to rear its ugly head on the platform.

For instance, back in November, Dr Web discovered Linux.Encoder.1, a form of ransomware that encrypts a variety of common file extensions and demands up to four Bitcoins in exchange for the decryption key.

It wasn’t long, however, before researchers at Bitdefender spotted a flaw in the malware’s generation of the AES key, thereby allowing them to develop a free decryption key for affected users.

For those who think they might be infected by Linux.Ekoms.1, Dr Web recommends that they run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.

As a general preventive measure, users should also implement software patches whenever available, maintain an up-to-date anti-virus product on their machines, and exercise caution when clicking on suspicious links found in emails.
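
As an added example (not code from Dr Web or from this article), the following triage script looks for the indicators mentioned on this page: the two file names, the aa-%d-%s.aat audio naming pattern and the SHA1 quoted in the comments below. Resolving the paths under each user's home directory, walking the home directory for .aat files and treating an ELF header as the sign of an executable copy are assumptions of the example.

```python
import fnmatch
import glob
import hashlib
import os

# Indicators named on this page. Resolving them under a user's home
# directory is an assumption of this example.
IOC_PATHS = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")
AUDIO_GLOB = "aa-*-*.aat"  # glob form of the aa-%d-%s.aat name
KNOWN_SHA1 = "3790284950a986bc28c76b5534bfe9cea1dd78b0"  # from the comments


def sha1_of(path):
    """Hash a file in chunks so large files are not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def triage_home(home):
    """Return findings for one home directory; hits are leads, not verdicts."""
    findings = []
    for rel in IOC_PATHS:
        path = os.path.join(home, rel)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                is_elf = fh.read(4) == b"\x7fELF"  # executable, not browser data
            match = sha1_of(path) == KNOWN_SHA1
        except OSError:
            is_elf, match = None, None  # unreadable: report it anyway
        findings.append({"kind": "ioc_path", "path": path,
                         "elf": is_elf, "sha1_match": match})
    # Assumption: captured audio would be written somewhere under the home.
    for root, _dirs, files in os.walk(home):
        for name in fnmatch.filter(files, AUDIO_GLOB):
            findings.append({"kind": "audio_capture",
                             "path": os.path.join(root, name)})
    return findings


if __name__ == "__main__":
    for home in sorted(glob.glob("/home/*")) + ["/root"]:
        for finding in triage_home(home):
            print(finding)
```

A file at one of the two paths that starts with an ELF header, or any SHA1 match, is worth handing to a full anti-virus scan as the article recommends.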

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

9 comments on “Linux trojan takes screenshots every 30 seconds, has ability to record sound”

  1. Trev

    How are machines being infected with Linux.Ekoms.1 though?

    Would be good to know where it's coming from.

    1. Woland · in reply to Trev

      You should install it manually from the hacker's repo

  2. Mohan Pednekar

    Would this not be detected by Avast or AVG? Why only Dr Web?

  3. Petd

    "using an address hardcoded into its code", why nobody downed the server yet?

  4. Garp

    Neat trick. Tell the world (or just really gullible journalists) that some form of 'Bad Thing' is hitting an OS known to not have those things hit it, but don't tell *HOW* it gets on a user's system, and make sure the world (or gullible journalist) knows that only they, the discoverer, has the fix and the way to find it on your system.

    Talk about falling for phishing!

  5. jscott

    To put this in perspective…You could fit all the victims of Linux viruses who have been SERIOUSLY hurt in a small room. I trust Linux. As we speak this problem has probably already been resolved.

  6. Jeff Small

    You're a security journalist? The link you provided doesn't go to the description of the trojan you are discussing. You didn't put in any information about how it is spread, what to do to protect against or any other actions. Just a scare article of fluff.

    1. Graham Cluley · in reply to Jeff Small

      David's article links to the Dr Web technical analysis of the Trojan horse:

      Trojan horses (unlike worms or viruses) do not replicate under their own steam, so it often isn't possible to describe how they might have been spread. Possibilities include, however, that the malware could be planted by malicious hackers on computers that contain vulnerabilities. There are plenty enough of them around…

      Ways to protect yourself include searching to see if files matching the SHA1 (3790284950a986bc28c76b5534bfe9cea1dd78b0) are on your computer and running up-to-date anti-virus software on your computer that identifies the malware.

      Nowhere in its description does Dr Web say that the malware is widespread, but it is surely still worth reminding Linux users that malware is not purely a Windows problem.

  7. Holdon M

    You failed to address the point that only Dr. Web can fix it. Failing to do that is essentially a confession you're just plugging one product and spreading Fear, Uncertainty and Doubt along the way.
