Jump to content
Login new information ×
Login new information

New Trojan Spies on Linux Users by Taking Screenshots and Recording Audio

Batu69

By Batu69
in Security & Privacy News

Recommended Posts

Batu69

Batu69

Posted
Posted

Only the screengrab function is active in the first version

Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users, the Linux.Ekocms.1 trojan, which includes special features that allow it to take screengrabs and record audio.

Discovered four days ago, Linux.Ekocms is only the latest threat targeting Linux PCs, after the Linux.Encoder ransomware family and the Linux XOR DDoS malware had caused a large number of issues last autumn and put a dent in Linux's status as impermeable when it comes to malware infections.

Linux.Ekocms takes a screenshot every 30 seconds

According to Dr.Web, this particular trojan is part of the spyware family and was specially crafted to take a screenshot of the user's desktop every 30 seconds.

In most cases, screenshot files are always saved to the same two folders, but if the folders don't exist, the trojan will create its own when needed.

If you don't have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs:

- $HOME/$DATA/.mozilla/firefox/profiled

- $HOME/$DATA/.dropbox/DropboxCache

By default, the trojan saves all files in JPEG format with a name that contains the timestamp of when the screenshot was taken. If there's an error while saving the file, the trojan will use the BPM image format.

All screengrabs are uploaded to a remote server

Linux.Ekocms also uploads all these screenshots at regular intervals to a C&C (command and control) server via a proxy. The C&C server's IP address is hard-coded in the trojan's source code. All files are sent via an encrypted connection, so third-party reverse engineers tools would have a hard time picking up on the trojan's operations.

Despite the presence of an audio recording feature in its codebase, Dr.Web says that this functionality was never active in the trojan's normal operation.

In its current form, Linux.Ekocms is a powerful reconnaissance tool, allowing attackers to get an idea of the tools a Linux user uses on a daily basis and the website they visit.

Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

Article source

Link to comment
Share on other sites
  • Replies 6
  • Views 785
  • Created
  • Last Reply
steven36

steven36

Posted
Posted

How do you catch this Trojan ?  very strange they dont even say how its spread trough what they dont just come from no were.  sounds to me they just trying to scare people in buying there scanner ...I geuss we will see if its really a big deal some the other vendors  and the Linux community will  speak up

 

Anyway when on Linux I use a firewall to block all  incoming connections .  I dont share well and i checked all jpg files on my PC nothing strange here :P

 

 

Link to comment
Share on other sites
Holmes

Holmes

Posted
Posted

Dr.web malware analysts havent disclosed how you get infected.  I think that is stupid they may disclose later on.

Link to comment
Share on other sites
Pequi

Pequi

Posted
Posted
4 hours ago, steven36 said:

How do you catch this Trojan ?  very strange they dont even say how its spread trough what they dont just come from no were.  sounds to me they just trying to scare people in buying there scanner ...I geuss we will see if its really a big deal some the other vendors  and the Linux community will  speak up

 

Anyway when on Linux I use a firewall to block all  incoming connections .  I dont share well and i checked all jpg files on my PC nothing strange here :P

 

 

By clicking on an executable file, usually an attach to an email, or maybe from some website if you have permitted Flash, Java or even javascript. Or some "must have free game". Same as Windows. The malware does not need root privilages to do a screencap. Nor does it need root privilages to send data.

Firewalls blocking incoming stuff ... your router probably does that. What you need is a firewall that analyses outgoing stuff.

It's a pity there is nothing as simple as Kerio 2.1.5 for Linux. May it R.I.P. Kerio, I mean, not Linux.

:)

Link to comment
Share on other sites
Holmes

Holmes

Posted
Posted

I used kerio personal firewall to now I use comodo firewall.  I agree phishing and social engineering.

Link to comment
Share on other sites
steven36

steven36

Posted
Posted
1 hour ago, Pequi said:

By clicking on an executable file, usually an attach to an email, or maybe from some website if you have permitted Flash, Java or even javascript. Or some "must have free game". Same as Windows. The malware does not need root privilages to do a screencap. Nor does it need root privilages to send data.

Firewalls blocking incoming stuff ... your router probably does that. What you need is a firewall that analyses outgoing stuff.

It's a pity there is nothing as simple as Kerio 2.1.5 for Linux. May it R.I.P. Kerio, I mean, not Linux.

:)

This one  i posted  about early on I just done updates  that patched it on Linux Mint

 

Usually Linux is very fast  at patching stuff  but DR. Web  is a for profit Antivirus so really I dont trust them when they dont  even say how you can catch it  .  To run a antivirus on Linux  is risky anyways because you have give  it root privileges to run right... something i dont like doing .

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...