New Linux Trojan Can Spy on Users by Taking Screenshots and Recording Audio

An anonymous reader writes: Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users: the Linux.Ekoms.1 trojan. It includes functionality that allows it to take screenshots and record audio. While the screenshot activity is working just fine, Dr.Web says the trojan's audio recording feature has not been turned on, despite being included in the malware's source code. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data. The Trojan exchanges data with the server using AbNetworkMessage."

Stupid users

Probably requires doing some stupid to get infected...
Good thing all dumb users are on other platforms, right? RIGHT?!

Re:Stupid users

It requires you to run a binary as root.

Re:Stupid users

Wrong, it only runs when you stop having sex with dogs. You should be good to go.

Re:Stupid users

[greenfruitsalad]

but why did they make a new name for it? "teamviewer" is much easier to remember.

Re:Stupid users

[Barsteward]

as they haven't disclosed how you get infected, i see this as the usual antivirus maker ploy of trying to increase sales by scare stories with nothing to back it up.

Re:Stupid users

as they haven't disclosed how you get infected, i see this as the usual antivirus maker ploy of trying to increase sales by scare stories with nothing to back it up.

It's a trojan. Not a virus.

If you don't understand how you get infected with a trojan, or maybe even why it is called 'trojan', please leave Slashdot and never come back.

Re:Stupid users

[Barsteward]

where on earth did i say it was a virus, dickhead? or shall i change "infected" to "deployed" to make your stupid nitpicking mind happier?

Re:Stupid users

where on earth did i say it was a virus, dickhead? or shall i change "infected" to "deployed" to make your stupid nitpicking mind happier?

Wow, you just totally missed his point. You asked about " how you get infected"? It's a Trojan. You "get infected" by voluntarily running the software that you think is something else. It's not some virus that embeds itself in an email, webpage, or word document and then relies on some exploit to run automatically without your knowledge. The infection mechanism is implicit in the word "trojan".

Re:Stupid users

where on earth did i say it was a virus, dickhead? or shall i change "infected" to "deployed" to make your stupid nitpicking mind happier?

Hey, hey, why don't you go somewhere else, say, Foxnews.com, and troll there? People like you make commenting on the Internet a routine of name calling and insults. Pretty sad that because of "Dickheads" like you, with a "stupid nitpicking mind" you have to ignore the comment sections on so many websites. Go, get a life.

Re:Stupid users

[Anne+Thwacks]

upskirt.viewer is more likely to be clicked.

Re: Stupid users

OH! Whew!

Re:Stupid users

[Archtech]

What I can't understand is why someone who apparently knows everything already should trouble to read a forum such as Slashdot - let alone comment, and abuse those who do not enjoy their educational advantages.

If Slashdot isn't a place where people can discuss matters in a calm, civilized way, and learn from each other, what is it? (That's a rhetorical question, by the way).

Re:Stupid users

[Barsteward]

what point? he/she totally missed my point that its about anti virus maker trying to makes sales with crap information. i couldn't care if its a trojan or virus, if you can't say how it gets onto a machine, then your case for it being a problem seems very bogus. Virtually all antivirus suppliers have come up with crap scare stories to get linux users to buy their product.

Re:Stupid users

[Barsteward]

who cares what an AC has to say? you go get a life or have the balls to at least register yourself

Re:Stupid users

[bonehead]

If Slashdot isn't a place where people can discuss matters in a calm, civilized way, and learn from each other, what is it? (That's a rhetorical question, by the way).

Thanks. I needed a good laugh!

Re:Stupid users

where on earth did i say it was a virus, dickhead? or shall i change "infected" to "deployed" to make your stupid nitpicking mind happier?

Wow, you just totally missed his point. You asked about " how you get infected"? It's a Trojan. You "get infected" by voluntarily running the software that you think is something else. It's not some virus that embeds itself in an email, webpage, or text editor document and then relies on some exploit to run automatically without your knowledge. The infection mechanism is implicit in the word "trojan".

FTFY

Re:Stupid users

[greenfruitsalad]

you need to google teamviewer. it's the most widely spread backdoor in the world. (on gnu/linux it runs as a background daemon even if you don't manually turn it on. it does not (easily) let you disable the daemon and use it ad hoc. on OS X, you can't even uninstall it without leaving crap behind)

And it's easy to get infected without realizing it

[rossz]

Simply download the package and run these steps:

1. tar xzf trojan.tar.gz
2. cd trojan
3. ./configure
4. make
5. sudo make install

back in the old days

Linux didn't support my laptop's webcam.

Re: back in the old days

[JockTroll]

Yeah. Nothing like the good old days. You would spend hours installing Linux on a laptop only to discover nothing worked and the installation had borked the Windows recovery images so you were now stuck with a useless laptop and by installing Linux you had voided the warranty. Now, thanks to systemd, not only you get to bork the laptop but you can have all sorts of malware installing itself with you none the wiser. But since the laptop is borked there's precious little they can spy upon and since the graphics card is not supported they can't flash you with ads. Ah, progress...

Re: back in the old days

That's a common misconception about systemd: just run `systemctl stop malwared` and you'll be all sorted.

Re: back in the old days

What sort of mouth breathing moron can't reinstall windows and get a few drivers organised without the recovery image? I've been doing just that for years and it really is very easy.

And if you can't handle a windows install, why on earth are you futzing around with trying to install Linux.

Slashdot users these days ....

Re: back in the old days

[Bert64]

Well if windows doesn't work without the recovery image, whats the problem with linux?
The recovery image contains a specially tuned version of windows for the specific hardware, your complaining that you cant install a generic version of linux and have everything work immediately while also complaining that a generic version of windows doesn't work immediately? If you had a specially tuned version of linux for the hardware then it would run without problems too.

Re: back in the old days

Whoooooosh.

Re: back in the old days

Actually, I think you're the one who's experiencing the ""Whoooooosh". You're a total hypocrite, and you don't even realize it.

Re: back in the old days

I lost it at "tuned version of Windows" hahahahaaaaaa that's amazing. You mean Windows + drivers + crapware right? Tuned... lol... you're too funny.

Re: back in the old days

Successful troll is succesful.

Re: back in the old days

[jedidiah]

Wah! Wah! Wah!

I wiped out my Windows partition and it was too hard to install again. Linux must be to blame!

Mebbe you shouldn't have told the Linux installer to wipe everything.

Re: back in the old days

These days I leave my Windows HD pristine (that is, no Linux on it) and just run Linux off a USB memory stick. That way, I can move my system from one machine to another, just like in the good old days of MSDOS when things used to fit on a floppy.

Re:And it's easy to get infected without realizing

[code_monkey_steve]

Simply download the package and run these steps:

It doesn't build with my version of libc. Is there a wiki or forum, or something?

Re: And it's easy to get infected without realizin

Yeah, because there are absolutely no vulnerabilities or privelege escalation exploits on a Linux system that can be exploited as infection vector.

'BOUT TIME

I was worried we'd never get in the big leagues. Linus, you can now be proud and they won't laugh at you anymore.

shocked, shocked i say!

[Gravis+Zero]

Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

But they are willing to sell you their Linux antivirus software.

From what I've gathered, it's written in C++, uses Qt 5.4 or higher (that's when the enumeration value QStandardPaths::GenericDataLocation was added to Qt) and it's not self-propagating.

So basically, it's a program that has to be installed on your computer... maybe from a compromised package repo server.

Re:shocked, shocked i say!

Maybe, just maybe ... the executable is available from DrWebb, might even be a part of their "AV kit" which !miracle! finds malware and cleans it up.

Re:shocked, shocked i say!

A system cannot be compromised from a hacked repo. The packages are signed.

Re:shocked, shocked i say!

And this is why these companies use scary announcements. Most people will not understand it's a non-event. They just see the headline and panic. The media also are unskilled (that's why they're reporters and not real developers or engineers). But they know roughly what keywords mean and try to create tech-articles based on anything that'll draw in clicks, or fuel forum/comment rage. You'll find the same issue in every field. My wife is always showing similar crap regarding medical scares.

Re:shocked, shocked i say!

It makes little difference. Look how long Debian went down after a single dev account was compromised. The system is only as secure as its weakest element.

Re:shocked, shocked i say!

So basically, it's a program that has to be installed on your computer... maybe from a compromised package repo server.

I don't know..

Could it be possible for the trojan reliably get a microphone to record on a variety of Linux desktops?

There are plenty of major distributions (Fedora and openSUSE) that can't get that right. I've lost track of the hours wasted with config files because the test sound plays the distro-provided ugly little confusing control panel widget but nothing else on the system actually makes any sound. Or gotten a configuration setup just to have some layer automagically pick some random webcam's microphone as the output device on a whim.

To bad the malware authors didn't make it F/OSS. To be a functional trojan it needs to hide itself. That means requiring little to no configuration or using configuration from the app it rides in on. An application with a UI good enough that users would want to use and that could still correctly configure audio on multiple Linux desktops - including video and audio recording - would be a godsend. Don't forget that the pulse in pulseaudio stands for *click* smooth *click* *pop* *dropout* sound. Any recording algorithms that can tolerate that mess you want around when doing DSP work.

Personal experience is that the applications shipped by the distro to do these tasks crash a lot, hang the desktop, fight with pulseaudio or require extensive configuration (hello ~/.alsasoundrc and 2005!) With the ability to capture quality screenshots or video on top of audio recording this trojan might be worth installing on it's own. Just blacklist the dial-home servers at your router. Or even better, if the trojan's license permits, just binary patch out the dial-home feature with xxd and ship it in the nosrc repos. It's not like there isn't major Linux software with a gimpier name than Linux.Elkom.1.

Re:shocked, shocked i say!

[Bert64]

Key point being "went down", rather than pose any risk to their users they decided to shut everything down until they could properly investigate the breach.
Any commercial business would want to be back up and running again as soon as possible, even if that meant cutting corners.

Re:shocked, shocked i say!

[phantomfive]

Hey look, I discovered a Linux trojan that insults your mom over and over! Here is the secret source code, never revealed until now:

while [ true ]; do echo 'Your mom is fat!'; done

For $20 btc I can sell you the secret to removing it from your system. Wallet 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy I'll surely send you the info.

Re:shocked, shocked i say!

What's also great about it is that it finally uses the official, supported way of starting a user mode program automatically via a Desktop entry, rather than a nasty initscripts or .bashrc hack!

Re:shocked, shocked i say!

ctrl c

Damn, I hope don't get sued for DMCA violation for telling people how to make it stop

Re:shocked, shocked i say!

[Raenex]

Personal experience is that the applications shipped by the distro to do these tasks crash a lot, hang the desktop, fight with pulseaudio or require extensive configuration (hello ~/.alsasoundrc and 2005!)

About a month ago my Debian desktop was compromised, and I figured this out because the desktop was hung. In an attempt to recover the hang, I tried to restart Gnome Shell... and I started getting audio in a foreign language of people speaking. I freaked out, shutdown my computer, and reinstalled.

I'm generally careful about not installing fishy stuff, and I saved a copy of the hard drive after I shut it down, so if somebody wants to help see what it was I'd be willing to work with them.

Re: shocked, shocked i say!

Ie, companies are catching on to the practices that politicians have been using for a very long time? Uh oh.

Re:shocked, shocked i say!

[arth1]

It makes little difference. Look how long Debian went down after a single dev account was compromised. The system is only as secure as its weakest element.

Almost always, the weakest point in any computer chain is a human.

A signed package management system adds security if you can
a) verify that the signer is who he says he is, and not merely someone who has obtained a signing key, and
b) can be trusted, and
c) isn't a rubberstamper.

in reality, people go "oh, signed, cool!", and don't think about it. If there are ten admins working for a repo, and a couple of sysadmins, and an unknown number of past workers who may or may not hold grudges, do you really want to trust them all? How does a signature help then?

Re:shocked, shocked i say!

Just to be sure: were you or someone in your home perhaps watching foreign films on the web before this happened?

Re:shocked, shocked i say!

[Raenex]

Just to be sure: were you or someone in your home perhaps watching foreign films on the web before this happened?

No, and I'm the only person who runs any kind of Linux in the house. It was clearly too people speaking conversationally, coming through loud and clear on my PC speakers, with background home noises. I wish I had recorded some of the conversation before shutting it down, but I freaked out.

Re:shocked, shocked i say!

while echo 'Your mom is fat!'; do _=; done

Those kids can't code...

Re:shocked, shocked i say!

[thegarbz]

I tried to restart Gnome Shell... and I started getting audio in a foreign language of people speaking.

You fool. We finally found someone who was able to get remote audio working on Linux and you hung up on them!

haha

[ouachiski]

Jokes on them, my headless Linux box doesn't have a microphone. I will go back to playing my xbox1 on my Samsung tv while asking Siri for game pointers...

oh noes

has detected a new threat against Linux users

What, all twelve of them?

Re:oh noes

has detected a new threat against Linux users

What, all twelve of them?

I suppose you are using a windows phone or surface rt and are puzzled as to why there are more Linux users in the world than WP OS and WInRT users combined? I give the guys at DrWeb credit for trying to make money from us skin flint Linux users. Considering the fact that Mint Linux is starting to really catch on and has more users than WP OS and Surface RT users combined and it is only one distro that has millions of users. The fact that old computers and laptops are easily made to efficiently work by the millions in a large part because of Linux, your troll is starting to wear a little thin, and many people know it.

The truth is Windows is quickly becoming irrelevant on the home desktop because of the blatantly obvious planned obsolescence built into Windows. Hell I have a 6 year old atom 512 dual core 64 mini desktop with 4 gig of ram and it runs 7 fine. But is not compatible of running Win 10 and this is by design! When 7 goes for a shit and loses support I am almost willing to bet that most hardware that has been obsoleted by Microshaft will run the latest linux kernel and destops just fine.

Same goes for my old T42 non pae laptop which still gets 4-5 hours on a nine cell. All you have to do is know which kernel to run and bingo you can even run non PAE 32 mode procs on Linux...TRY THAT with windows! Stop trying to obscure the truth and spread bullshit about linux desktop distros, they are stellar at keeping the best gear from being thrown in the garbage dump and more and more people are starting to realize the truth about how advanced and flexible linux has really become in the past 15 years or so.

So I don't blame the antivirus snake oil salesmen for trying to get on the band wagon because Windows is more secure only because most people who hose their old gear just trash it after Windows obsoletes it. The whole desktop computer industry is changing and there is starting to be a large market for Linux because of the way it can keep gear going.

Re: oh noes

The truth is that Windows 10 boasts a number of installations that loonix losers couldn't dream in a million years. The battle for the desktop is long past and loonix losers showed up armed with snowballs at a tank fight.

Re: oh noes

[mmiscool]

Its a post PC world. Android is Linux based, iOS uses UNIX and you keep a PC around to use as what? A boat anchor?

Re: oh noes

And you use what? A phone for banking, etc? I don't think there is a phone or tablet out there that isn't compromised before it leaves the factory.

Re: oh noes

[Anne+Thwacks]

Fortunately Windows PCs are not compromised until Windows is installed.

Oh, Wait ...

Re: oh noes

The truth is that Windows 10 boasts a number of installations that loonix losers couldn't dream in a million years. The battle for the desktop is long past and loonix losers showed up armed with snowballs at a tank fight.

LOL Win 10 is a suck ass disto from Microshaft that cannot even play a DVD without installing VLC! What a piece of shit if you like to watch old DVDs or if you have gear that is older. I was on the tech preview and when the release came the assholes removed all sorts of features and regressed the audio api. And Cortana is an absolute piece of shit it sucks dead horse balls with conexsant HD mikes and chips that are not even 4 years in the making for shits sake! Whereas Intel HD audio, web cam, and even firewire works without a hitch on my newer Lenovo T500 with Linux.

In contrast on the same laptop the fucking AMD graphics are not even supported properly and the 7 drivers are completely bjorked so I have to switch back to shitty intel graphic because it has both. But the radeon drivers in linux Xorg work perfectly! So don't give me bullshit about how great windows 10 is, the assholes in Redmond have their fingers up their collective assholes and they are hell bent on filling the worlds garbage dumps with old computers. They could easily repack an older OS like 7 and update it and sell it to people who have older gear and have it work with older drivers but instead the new shiny "all your files are belong to the cloud" bullshit OS is what they are peddling.

Re: oh noes

The world authority (not) has just spoken. He is the master of all things mystical and the fountain of all knowledge with the perfect sampleset (sarcasm) for all things! When he speaks in absolutes for everyone you know it must be true (yea, right). He is the all-knowing and all-seeing ultimate word on everything (sarcasm). When he voices his views he is the ultimate last word (not) since he is smart and everyone else is stupid by comparison.

Re: And it's easy to get infected without realizin

for bsp in range(0,28):
      print("^H")

So what I get from TFA...

I can break this thing by entering runlevel 3, deleting its ~/.config/autostart entry, and restarting X? And check for it by... looking for it there?

Or at the very worst, by rebooting to single-user and doing this?

Re:So what I get from TFA...

I can break this thing by entering runlevel 3, deleting its ~/.config/autostart entry, and restarting X? And check for it by... looking for it there?

Or at the very worst, by rebooting to single-user and doing this?

Not on Ubuntu, R2 is Full multi-user mode and R3-5 are effectively the same as R3 so Ubuntu effectively jumps straight from R2 to R6 and with systemctl runlevels effectively do not exist they have been replaced by targets so runlevels don't seem to have much meaning anymore. The target for runlevel 3 on recent Fedora versioins for example is 'systemctl isolate multi-user.target '.

Re:So what I get from TFA...

Ugh... ****ing systemd... So make that "by looking up whatever long systemd command does the equivalent of 'init 3', running that, deleting its desktop autostart, looking up whatever systemd command does the equivalent of 'init 5', then running that" I suppose.

My hypothesis being, I gather that it does things which would depend on X being available, thus being in console mode would break it. I have no particular evidence for/against that, but if the thing puts itself in your desktop autostart I assume it's because it's unable to set itself up as an autostarted system service...

That said, the actual steps are the same as with any confirmed system intrusion:
(1) Confirm that system is compromised and if possible time of compromise
(2) Nuke system partitions and repave from scratch, because seriously, can you ever *really* trust this box again?
(3) Restore /home from backups... or at least mark all binary files postdating the intrusion non-executable

Re:So what I get from TFA...

Ugh... ****ing systemd... So make that "by looking up whatever long systemd command does the equivalent of 'init 3', running that, deleting its desktop autostart, looking up whatever systemd command does the equivalent of 'init 5', then running that" I suppose.

My hypothesis being, I gather that it does things which would depend on X being available, thus being in console mode would break it. I have no particular evidence for/against that, but if the thing puts itself in your desktop autostart I assume it's because it's unable to set itself up as an autostarted system service...

That said, the actual steps are the same as with any confirmed system intrusion:
(1) Confirm that system is compromised and if possible time of compromise
(2) Nuke system partitions and repave from scratch, because seriously, can you ever *really* trust this box again?
(3) Restore /home from backups... or at least mark all binary files postdating the intrusion non-executable

WTF? Just remove the stupid user mode binary and clean up .config.. What are you running Windows? There is no way that this malware is going to be in usr or opt without having a root priv install so and it cannot access or modify etc unless you installed it as root. So it is going to be in $/home without system modification privileges and is at the mercy of the delete button. If it is a user mode malware binary then any linux user can just remove the piece of shit.

What was really fun years ago was taking known windows hacks and installing them in Wine just for the hell of it to see what they did. Same thing afterwards you just dump the .wine folder and recreate it. Any linux user that installs malware to / is a nube IMO. What is a dead give away that this is a farce malware scare is the fact that there is no details given as to what and where and how the malware gets install. SO I CALL BULLSHIT on DrWeb they are obviously another bunch of snake oil wanabee Symantic clingons who are trying to milk the millions of users that are installing linux after being hosed by Win 8 and 10!

Re:So what I get from TFA...

[Raenex]

There is no way that this malware is going to be in usr or opt without having a root priv install so and it cannot access or modify etc unless you installed it as root.

People routinely install stuff with sudo, so if it's a trojan it was probably installed as root. Furthermore, privilege escalation bugs are quite common. I just did a search for: linux privilege escalation bug, and the top hit was a news item less than a day old:

http://www.darkreading.com/vul...

Tens of millions of Linux PCs and servers and 66% of all Android devices are impacted by a vulnerability in the Linux kernel that allows privilege escalation from local to root via a use-after-free attack, according to the research team at Perception Point.

Although no exploits for the bug have been seen in the wild yet, the vulnerability is far-reaching. According to Yevgeny Pats, co-founder and CEO of Perception Point, the bug affects all Linux kernels from release 3.8 and later, both 32-bit and 64-bit, operating on desktop, server, mobile, and embedded devices.

The vulnerability, CVE-2016-0728, is a reference leak in the keyrings facility, where security data like encryption keys and authentication keys are stored.

Re:So what I get from TFA...

[budgenator]

If you don't have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs:
$HOME/$DATA/.mozilla/firefox/profiled
$HOME/$DATA/.dropbox/DropboxCache
Linux.Ekocms also uploads all these screenshots at regular intervals to a C&C (command and control) server via a proxy. The C&C server's IP address is hard-coded in the trojan's source code. All files are sent via an encrypted connection, so third-party reverse engineers tools would have a hard time picking up on the trojan's operations.

sudo ln -s .mozilla/firefox/profiled /dev/null; ln -s /.dropbox/DropboxCache /dev/null

there, upload that! Honestly I didn't even see the directory .mozilla/firefox/profiled on my machine.

Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body.

Yeah buddy we could have fun with that, you want data, how about a couple Gb of /dev/random!

Re:So what I get from TFA...

Most desktop users use Xorg and share the same account in order to administrating and daily use.(using su/sudo or other variant)
In such situation, any vulnerabilities are not neccesory to get the privilege.

Firstly, when the user account have infected, malware is run as its user process.
At this point, of course, malware has been restricted but it can sniff the user's input/output(like xinput).
So, when user uses sudo, malware can get the user's password and get the privilege and can do everything.

Microphone?

[cristiroma]

Despite the presence of an audio recording feature in its codebase, Dr.Web says that this functionality was never active in the trojan's normal operation.

Now I lost any hope my microphone will ever work. If even hackers have a hard time ...

Every cloud

[melonman]

Wait, so someone has found a way to make audio work reliably across Linux distros? Does this make 2016 the Year of the Linux Desktop?

Re:Every cloud

[Kardos]

> Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format. However, in fact, this feature is not used anywhere.

That's an entertaining thought but it looks like they didn't get it working at all

Re:Every cloud

yeah, it's called ALSA. Works out of the box on most Linux devices(providing there are drivers for device). Just kill spawn of hell process called pulseaudio(killall -9 pulseaudio) - enjoy working properly sound system. ;)

Re:Every cloud

sudo apt-get -y remove --purge pulseaudio pulseaudio-module-x11 pulseaudio-utils pavucontrol gstreamer0.10-pulseaudio paman pavumeter pavucontrol

sudo kill -9 `ps aux | grep -v grep | grep start-pulseaudio | awk {'print $2'}`
sudo kill -9 `ps aux | grep -v grep | grep pulseaudio | awk {'print $2'}`
sudo bash -c "rm /etc/asound.conf"

sudo apt-get -y install alsa-base alsa-tools alsa-tools-gui alsa-utils alsa-oss alsamixergui

Re:Every cloud

[StormReaver]

Wait, so someone has found a way to make audio work reliably across Linux distros?

Kubuntu audio has worked reliably since somewhere between version 9.10 and 10.04 (I'm not certain which). I think that's where Kubuntu got Pulse Audio finally installed correctly.

Does this make 2016 the Year of the Linux Desktop?

My customers (who vary in range from late 20's to early 70's) have been happily using Kubuntu desktops since the 2008 timeframe. Most reactions have included a variation of surprise that computers can work so well (once I turn off the brain damage that is desktop search).

Re:Every cloud

It installs on machines against the owners will and the audio isn't working. So, you're saying Lennart Poettering wrote it?

Re:Every cloud

[present_arms]

PCLinuxOS version of uninstall, open synaptic, enter root password (we don't use sudo) search for task-pulseaudio-remove and click apply/apply, reboot done :P seriously though this malware is crap, first only a moron installs outside of the repository, then you don't know if the deb/rpm matches the system in any way.. usually mic is muted even on a working system until needed, I could go on :D This is a none issue. Hey Ubuntu users, please get rid of sudo, it's inherently weak in the way *buntu uses it, same password for user as for root? seriously, change that shit. Alie

Re:Every cloud

[bn-7bc]

A small change
sudo kill -9 `ps aux | grep [s]tart-pulseaudio | awk {'print $2'}`
sudo kill -9 `ps aux | grep [p]ulseaudio | awk {'print $2'}`

WARNING -- In Ubuntu repo

Linux.Ekoms.1 trojan is in the latest ubuntu-system-service (also used by MINT) https://bugs.launchpad.net/ubuntu/+source/ubuntu-system-service/+bugs?field.status:list=NEW

ubuntu-system-service 0.2.5build1 all Dbus service to set various system-wide

Re:WARNING -- In Ubuntu repo

I just read the source code, it's only a mere 18KiB python package that does nothing wrong, except having a shedload of "TODO"s.
Interesting piece if anyone wants to learn a thing or two about DBus.

posting as AC to preserve mods

That's one way to get reliable audio

Well at least someone figured out how to get audio working on Linux

Re:That's one way to get reliable audio

[nnull]

Sounds like I need to install this trojan, I might be able to get my microphone working in linux finally!

Have can I trust the link in the story?

It's from an antivirus peddler and has the word "virus" in the URL, lol. Yeah, not clicking that.

does screen capture always work?

even with wayland?

Rootkits

[Bert64]

Linux rootkits have been around for many years, and there is already standard functionality for taking screenshots and recording audio built in to most linux distros.. You can just dd data from /dev/audio to a file, and you can take screenshots using xwd or import. The only difference is that most linux systems are servers or embedded so they usually don't have X11 running or any audio hardware attached.

Re:Rootkits

[Gavagai80]

The fact that there's no likely mechanism for a Linux user to acquire such a trojan is a much more important difference. On the very rare occasions I install something from outside the repositories, it'll be carefully vetted.

Re:Rootkits

Uhhh..... the trojan is in official repositories themselves.

Linux.Ekoms.1 trojan is in the latest ubuntu-system-service (also used by MINT) https://bugs.launchpad.net/ubuntu/+source/ubuntu-system-service/+bugs?field.status:list=NEW

ubuntu-system-service 0.2.5build1 all Dbus service to set various system-wide

As noted above by another poster.

"The fact that there's no likely mechanism for a Linux user to acquire such a trojan is a much more important difference"

This bullshit notion needs to die. Man can make it, man can break it. There is zero exception.

Re:Rootkits

[Bert64]

That's a bug tracker, and it makes no mention of the ekoms trojan (which i'm sure someone would have filed as a severe bug if they had found it)...
I can also find no mention of the default ubuntu or mint packages shipping with this trojan.

Although obviously you are right in refuting the parent posts's notion that there is no way for the trojan to get onto the system, it may be far less likely for malware to make its way onto a linux host but it's obviously not impossible. Linux has (and has for many years) far more presence in the server market, and linux servers do get compromised in various ways such as user incompetence (weak passwords, ssh brute force scans) or buggy code (poorly written webapps being a favorite these days). It's just that the most common infection routes are different to those prevalent on windows.

Re: And it's easy to get infected without realizin

> Yeah, because there are absolutely no vulnerabilities or privelege escalation exploits on a Linux system that can be exploited as infection vector.

You must be a bit dense, so here's for you (read *really* slowly): the point is not that there aren't Linux vulnerabilities. There are quite a few at each point in time. The point is that this one either isn't a vuln at all (they don't tell us) or if it is, it's over-inflated.

Outrageous marketing claims do far more harm than good in this sector, so it's absolutely essential that those so-called "security experts" get a good public spanking when they are caught doing this (I'd prefer the spanking to be physical, but most of my colleagues never liked my tastes, so I'll shut up).

Malware's source code

[Rik+Sweeney]

Well of course the source code is provided, no Linux user is going to install something without first knowing what it does!

Re: And it's easy to get infected without realizin

the point is not that there aren't Linux vulnerabilities.

Apparently you haven't been paying attention, because that is exactly the point. It has been repeated over and over that malware only exists on Windows and cannot exist on Linux because of Linux's inherent superiority.

Re:And it's easy to get infected without realizing

[antdude]

Nah, easier to download and install the compiled binary package. No compile stuff.

Re: And it's easy to get infected without realizi

You are literally the only one saying that here.

Re: And it's easy to get infected without realizin

> It has been repeated over and over that malware only exists on Windows

Quotation needed.

To be fair

Over the years I have met dozens of users that run as root. Even on systems such as Ubuntu they re-enable the root account for daily use. This could be an issue to users like these. They do this as they are Windows refugees and don't like being asked for their password all the time, there are tons of people that do this in Vista and up on Windows by disabling UAC as well. A system is only as secure as you (the operator) make it.

Re:To be fair

[tijgertje]

There is no cure against human stupidity

Re: And it's easy to get infected without realizi

http://it.slashdot.org/comment...

Re:And it's easy to get infected without realizing

TODO
-Ncurses support

Where can I submit a bug report?

[Lumpy]

This trojan doesnt work with pulseaudio..... well technically NOTHING works with pulseaudio.

So I want them to write and push out a patch so it will work with not just ALSA but the other 657 different audio interface API's.

Re:Where can I submit a bug report?

This trojan doesnt work with pulseaudio..... well technically NOTHING works with pulseaudio.

So I want them to write and push out a patch so it will work with not just ALSA but the other 657 different audio interface API's.

You are so smart.

Want to bum?

Re:And it's easy to get infected without realizing

[Aleksej]

And on Windows you simply download trojan.zip, unzip it and run the setup.exe. Of course, you probably just have to download and run a setup.exe, but that's the point: it does not say it's a trojan even if you have to compile it with many dependencies (which do not include libtrojan and libmalware).

Re: And it's easy to get infected without realizin

I don't think it runs on anything except a 5 year old ubuntu with default setup and you need to kill pulseaudio + make sure your microphone is alsa device 0:1 for the experimental recording function. Also try disabling compositing, if your screenshots only show the desktop background.

You might have to create the certs for the encrypted uploads manually if the system isn't getting enough entropy fast enough or the Trojan will assume that the connection timed out and go into an endless loop.

Just run the Windows version with wine until the devs get their shit together!

Re: And it's easy to get infected without realizin

Windows has a convenient feature where it will download AND run the Trojan for you.

There was a Linux kernel vulnerability announced yesterday... Ubuntu had the patch available by the time I got out of work. Phones, on the other hand are Phucked.

A new threat against Linux users?

[tetraverse]

How does this Linux.Ekoms.1 trojan get onto the computer without the end user explicitly downloading and installing it.

Re: And it's easy to get infected without realizi

Yeah, thanks for proving me right because that's not what he said either.
You should learn how to read before you start writing.

Something seems fishy

[DevConcepts]

I (maybe shockingly) actually read the page.

FTP
~
EkomsCcClient:

It generates a filtering list for the "aa*.aat", "dd*ddt", "kk*kkt", "ss*sst” files that are searched in the temporary location and uploads the files that match these criteria to the server. If the answer is the uninstall line, Linux.Ekoms.1 downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.
~
Last time I check unless you are running Wine, ccXXXXXX.exe will not execute in linux or have my years of use clouded my judgment?

Re:Something seems fishy

[Kardos]

Where does it say that ccXXXXXX.exe is a windows binary?

You can rename linux binaries to have a .exe prefix and they still run

Re:Something seems fishy

[DevConcepts]

True but not typical for linux, that is what made me question it.

Re:Something seems fishy

[blavallee]

The maker of a serious AV for *nix (grin) wouldn't call a .exe an executable file.
Calling it an 'executable binary' named .exe would lend these fear-mongers a little more credibility.

Re:Something seems fishy

[budgenator]

It's been a while since I have even thought about this but I always understood that the file extension really didn't mean anything in linux, if the x bit was set then bash either sent it to the correct interpreter depending on the shebang or executed it depending on the correct magic number in the binary.

Re: And it's easy to get infected without realizin

[imboboage0]

I usually sit on a ton of mod points - this is +5 funny material here.

On xterm too?

[SpaghettiPattern]

On xterm too?

Old school here. I access our Unix-like systems exclusively using Cygwin terminal which emulates xterm. At home I have Mac OS and FreeBSD. The latter one is a file server which I access mostly though a terminal.

Re: And it's easy to get infected without realizin

Well maybe if you are running a debian, but for the redhats the rpm fails. I think it is a problem with dnf, cam anyone try with yum?

Re: And it's easy to get infected without realizi

[jedidiah]

This kind of information TOTALLY USELESS unless the fear mongers in question actually tell us how this thing gets on a system. That's very important because it tells us how to AVOID this stuff. That's the whole point of ANY sort of problem report even if you're just talking about an unsupported printer.

Vague accusations are of no use to anyone except trolls.

How do you defend against this? How do you fix whatever security hole it's using?

The nature of the infection vector is really the only bit of relevant information and it seems to be missing.

AES is used for the data transfer.

For those who are worried about the suboptimal performance of the trojan due to the asymmetric key encryption scheme: Apparantly, it uses AES for the encryption once it successfully obtains the symmetric key from the server. It would be great if they add support for other key distribution schemes as well.

Curing recommendations

[blavallee]

On the loaded OS, run a full scan of all disk partitions using the Dr.Web Anti-virus for Linux.

How about 'kill -9 PID'

BTW: Anyone notice it also 'downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.'
Don't think drweb knows enough about *nix to even explain what it does.

Re:Curing recommendations

[beastofburdon]

You're right. This isn't an article about about a Linux virus, it is an advertisement for their shitty Linux version of their virus scanner.

GPL?

[bennebw]

Is this trojan under the GPL? If so, can somebody direct me to the git repo???

Re:And it's easy to get infected without realizing

[Gunstick]

oh, I already got infected with the ./configure step
Malware did not install as root, did not need to. Just took all my thunderbird adresses and mailed all my contacts to try this awesome software.

Re:And it's easy to get infected without realizing

[maestroX]

You need to download the Android SDK, then compile, load certificate on target and finally deploy on target.

Then, when the unsuspected owner returns from taking a piss, target is p0wned*. Enjoy!

* support up to Android 2.1 only

Re:And it's easy to get infected without realizing

I dunno man, there's a bunch of unsupported compiler options and I end up with an a.out. This is frustrating!

archer. Archer. ARCHER!

WHAT!???
.
.
.
.
*They* wrote it.

Re: And it's easy to get infected without realizin

Trouble is, wine doesn't emulate low level Windows driver stuff that trojans rely upon. Maybe trojan authors should band together and sponsor appropriate wine development?

Re: And it's easy to get infected without realizin

Holy serendipity, Batman! I took a break due to frustration with my computer to read /.. I was trying to take screenshots to make a tutorial and couldn't figure out why I was only getting the background.

Open source lolz

I knew the Linux was a joke to use

Re:Open source lolz

Your English is a joke...

Re: And it's easy to get infected without realizi

[tlhIngan]

This kind of information TOTALLY USELESS unless the fear mongers in question actually tell us how this thing gets on a system. That's very important because it tells us how to AVOID this stuff. That's the whole point of ANY sort of problem report even if you're just talking about an unsupported printer.

Vague accusations are of no use to anyone except trolls.

How do you defend against this? How do you fix whatever security hole it's using?

The nature of the infection vector is really the only bit of relevant information and it seems to be missing.

Well, it'll come in the same way any malware does - through an infection vector. For Linux, it probably comes in through commercial software piracy (yes, Linux has commercial software) via warez or cracks or keygens, or even stuff like WordPress themes that people actually pay money for.

So for Linux, as long as you stick with your distro's repos (that aren't compromised - but given these days packages are signed it'll be hard) or source code, you're fine. But start downloading commercial software for free and stuff, well...

WTF?!?

[lhowaf]

Why in the world would somebody write a trojan to build a collection of neckbeard headshots? That's just sick!

Re:WTF?!?

Well they hope to infect the laptop of the fabled Linux chick.
What are the chances ???

Re: And it's easy to get infected without realizi

[cheater512]

I don't see any mention of a securty hole at all, do you?

Likely it's a trojan that runs if you install it first (after typing in your sudo password).
That's generally how things work on Linux.

Re: And it's easy to get infected without realizi

[hawaiian717]

How do you defend against this? How do you fix whatever security hole it's using?

The answer to both of these questions is the same. Buy our (not mine personally, the people who put out this report) antimalware software.

Burn the witch!

Linux turned me into a gnute!

I got better...

Wayland?

[neuro88]

This is supposed to be a major issue with X. X lets any client read all input sent to the X server, view any window, etc. These aren't bugs in X, it's how it's designed.

Wayland doesn't allow this behavior so probably such a trojan wouldn't be possible with Wayland (outside of the audio aspect that is).