Slashdot Mirror


New Linux Trojan Can Spy on Users by Taking Screenshots and Recording Audio (drweb.com)

An anonymous reader writes: Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users: the Linux.Ekoms.1 trojan. It includes functionality that allows it to take screenshots and record audio. While the screenshot activity is working just fine, Dr.Web says the trojan's audio recording feature has not been turned on, despite being included in the malware's source code. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key, and the decryption is executed by applying the RSA_public_decrypt function to the received data. The Trojan exchanges data with the server using AbNetworkMessage."


  1. Re:shocked, shocked i say! by Raenex · Score: 5, Interesting

    Personal experience is that the applications shipped by the distro to do these tasks crash a lot, hang the desktop, fight with pulseaudio or require extensive configuration (hello ~/.alsasoundrc and 2005!)

    About a month ago my Debian desktop was compromised, and I figured this out because the desktop was hung. In an attempt to recover from the hang, I tried to restart Gnome Shell... and I started getting audio of people speaking in a foreign language. I freaked out, shut down my computer, and reinstalled.

    I'm generally careful about not installing fishy stuff, and I saved a copy of the hard drive after I shut it down, so if somebody wants to help see what it was I'd be willing to work with them.

  2. Re:So what I get from TFA... by budgenator · Score: 3, Interesting

    If you don't have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs:
    $HOME/$DATA/.mozilla/firefox/profiled
    $HOME/$DATA/.dropbox/DropboxCache
    Linux.Ekocms also uploads all these screenshots at regular intervals to a C&C (command and control) server via a proxy. The C&C server's IP address is hard-coded in the trojan's source code. All files are sent via an encrypted connection, so third-party reverse-engineering tools would have a hard time picking up on the trojan's operations.

    # ln -s takes the target first, then the link name: point both drop directories at /dev/null
    ln -s /dev/null "$HOME/.mozilla/firefox/profiled"; ln -s /dev/null "$HOME/.dropbox/DropboxCache"

    there, upload that! Honestly I didn't even see the directory .mozilla/firefox/profiled on my machine.

    Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body.

    Yeah, buddy, we could have fun with that. You want data? How about a couple of GB of /dev/random!

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
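
The manual check budgenator quotes above (look in the two drop directories for screengrabs) as a small POSIX shell script. This is an added example, not code from the trojan, from Dr.Web, or from the quoted article. It assumes the article's "$HOME/$DATA/" prefix means the home directory itself, and it approximates "screengrab" as any regular file that starts with a JPEG or PNG signature; both are this example's assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not the trojan's code, Dr.Web's tooling, or the article's): look for
# image files in the two drop directories the quoted article names for Ekoms screengrabs.
# Assumptions: the article's "$HOME/$DATA/" prefix is taken to mean the home directory
# itself, and a "screengrab" is approximated by a file starting with a JPEG or PNG magic.

EKOMS_DIRS=".mozilla/firefox/profiled .dropbox/DropboxCache"

# Return 0 if the file starts with a JPEG (ff d8 ff) or PNG (89 50 4e 47) signature, else 1.
ekoms_is_image() {
    sig=$(od -An -N4 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$sig" in
        ffd8ff*)  return 0 ;;
        89504e47) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the path of every image file directly inside the Ekoms directories under base dir $1.
# A path that is not a real directory (missing, or a symlink to /dev/null) is skipped.
ekoms_scan() {
    base=$1
    for rel in $EKOMS_DIRS; do
        dir="$base/$rel"
        [ -d "$dir" ] || continue
        for f in "$dir"/* "$dir"/.[!.]*; do
            [ -f "$f" ] || continue
            if ekoms_is_image "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Return 0 when nothing image-like was found under base dir $1, 1 otherwise.
ekoms_is_clean() {
    n=$(ekoms_scan "$1" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Human-readable report; always exits 0 so it is safe to run from a cron job or a login shell.
ekoms_report() {
    if ekoms_is_clean "$1"; then
        echo "no screengrab-like files under $1"
    else
        echo "possible Ekoms screengrabs under $1 (check their timestamps and the writing process):"
        ekoms_scan "$1"
    fi
    return 0
}

# When run directly, check the current user's home directory.
ekoms_report "${HOME:-/root}"
```

A hit is a lead, not a verdict: a real Firefox or Dropbox tree can legitimately hold images, so look at file timestamps (the article says uploads happen at regular intervals) and at which process has the directory open before drawing conclusions. If the directories have been redirected to /dev/null as in the joke above, the scan skips them, since a symlink to a character device is not a directory.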