Slashdot Mirror


New Linux Trojan Can Spy on Users by Taking Screenshots and Recording Audio (drweb.com)

An anonymous reader writes: Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users: the Linux.Ekoms.1 trojan. It includes functionality that allows it to take screenshots and record audio. While the screenshot activity is working just fine, Dr.Web says the trojan's audio recording feature has not been turned on, despite being included in the malware's source code. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data. The Trojan exchanges data with the server using AbNetworkMessage."

20 of 130 comments

  1. And it's easy to get infected without realizing it by rossz · · Score: 4, Funny

    Simply download the package and run these steps:

    1. tar xzf trojan.tar.gz
    2. cd trojan
    3. ./configure
    4. make
    5. sudo make install

    --
    -- Will program for bandwidth
  2. back in the old days by Anonymous Coward · · Score: 5, Funny

    Linux didn't support my laptop's webcam.

    1. Re: back in the old days by Anonymous Coward · · Score: 3, Funny

      That's a common misconception about systemd: just run `systemctl stop malwared` and you'll be all sorted.

  3. Re:And it's easy to get infected without realizing by code_monkey_steve · · Score: 5, Funny

    Simply download the package and run these steps:

    It doesn't build with my version of libc. Is there a wiki or forum, or something?

  4. shocked, shocked i say! by Gravis+Zero · · Score: 5, Informative

    Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

    But they are willing to sell you their Linux antivirus software.

    From what I've gathered, it's written in C++, uses Qt 5.4 or higher (that's when the enumeration value QStandardPaths::GenericDataLocation was added to Qt) and it's not self-propagating.

    So basically, it's a program that has to be installed on your computer... maybe from a compromised package repo server.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:shocked, shocked i say! by Bert64 · · Score: 3, Insightful

      Key point being "went down", rather than pose any risk to their users they decided to shut everything down until they could properly investigate the breach.
      Any commercial business would want to be back up and running again as soon as possible, even if that meant cutting corners.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:shocked, shocked i say! by Raenex · · Score: 5, Interesting

      Personal experience is that the applications shipped by the distro to do these tasks crash a lot, hang the desktop, fight with pulseaudio or require extensive configuration (hello ~/.alsasoundrc and 2005!)

      About a month ago my Debian desktop was compromised, and I figured this out because the desktop was hung. In an attempt to recover the hang, I tried to restart Gnome Shell... and I started getting audio in a foreign language of people speaking. I freaked out, shut down my computer, and reinstalled.

      I'm generally careful about not installing fishy stuff, and I saved a copy of the hard drive after I shut it down, so if somebody wants to help see what it was I'd be willing to work with them.

    3. Re:shocked, shocked i say! by thegarbz · · Score: 4, Funny

      I tried to restart Gnome Shell... and I started getting audio in a foreign language of people speaking.

      You fool. We finally found someone who was able to get remote audio working on Linux and you hung up on them!

  5. haha by ouachiski · · Score: 4, Funny

    Joke's on them, my headless Linux box doesn't have a microphone. I will go back to playing my xbox1 on my Samsung tv while asking Siri for game pointers...

    --
    sorry for my comments, I'm drunk
  6. Re:Stupid users by greenfruitsalad · · Score: 4, Funny

    But why did they make a new name for it? "teamviewer" is much easier to remember.

  7. Every cloud by melonman · · Score: 5, Funny

    Wait, so someone has found a way to make audio work reliably across Linux distros? Does this make 2016 the Year of the Linux Desktop?

    --
    Virtually serving coffee
  8. Malware's source code by Rik+Sweeney · · Score: 4, Funny

    Well of course the source code is provided, no Linux user is going to install something without first knowing what it does!

  9. Re:Stupid users by Barsteward · · Score: 4, Insightful

    As they haven't disclosed how you get infected, I see this as the usual antivirus maker ploy of trying to increase sales by scare stories with nothing to back it up.

    --
    "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
  10. Re:oh noes by Anonymous Coward · · Score: 3, Informative

    has detected a new threat against Linux users

    What, all twelve of them?

    I suppose you are using a Windows phone or Surface RT and are puzzled as to why there are more Linux users in the world than WP OS and WinRT users combined? I give the guys at DrWeb credit for trying to make money from us skinflint Linux users. Consider the fact that Mint Linux is starting to really catch on and has more users than WP OS and Surface RT users combined, and it is only one distro that has millions of users. The fact that old computers and laptops are easily made to efficiently work by the millions in a large part because of Linux, your troll is starting to wear a little thin, and many people know it.

    The truth is Windows is quickly becoming irrelevant on the home desktop because of the blatantly obvious planned obsolescence built into Windows. Hell, I have a 6-year-old Atom 512 dual core 64 mini desktop with 4 gig of RAM and it runs 7 fine. But it is not capable of running Win 10, and this is by design! When 7 goes for a shit and loses support I am almost willing to bet that most hardware that has been obsoleted by Microshaft will run the latest Linux kernel and desktops just fine.

    Same goes for my old T42 non pae laptop which still gets 4-5 hours on a nine cell. All you have to do is know which kernel to run and bingo you can even run non PAE 32 mode procs on Linux...TRY THAT with windows! Stop trying to obscure the truth and spread bullshit about linux desktop distros, they are stellar at keeping the best gear from being thrown in the garbage dump and more and more people are starting to realize the truth about how advanced and flexible linux has really become in the past 15 years or so.

    So I don't blame the antivirus snake oil salesmen for trying to get on the band wagon because Windows is more secure only because most people who hose their old gear just trash it after Windows obsoletes it. The whole desktop computer industry is changing and there is starting to be a large market for Linux because of the way it can keep gear going.

  11. Where can I submit a bug report? by Lumpy · · Score: 3, Funny

    This trojan doesn't work with pulseaudio..... well technically NOTHING works with pulseaudio.

    So I want them to write and push out a patch so it will work with not just ALSA but the other 657 different audio interface APIs.

    --
    Do not look at laser with remaining good eye.
  12. Re:Stupid users by Barsteward · · Score: 4, Insightful

    Where on earth did I say it was a virus, dickhead? Or shall I change "infected" to "deployed" to make your stupid nitpicking mind happier?

    --
    "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
  13. Re: And it's easy to get infected without realizin by Anonymous Coward · · Score: 5, Funny

    I don't think it runs on anything except a 5 year old ubuntu with default setup and you need to kill pulseaudio + make sure your microphone is alsa device 0:1 for the experimental recording function. Also try disabling compositing, if your screenshots only show the desktop background.

    You might have to create the certs for the encrypted uploads manually if the system isn't getting enough entropy fast enough or the Trojan will assume that the connection timed out and go into an endless loop.

    Just run the Windows version with wine until the devs get their shit together!

  14. Re: oh noes by Anne+Thwacks · · Score: 3, Funny

    Fortunately Windows PCs are not compromised until Windows is installed.

    Oh, Wait ...

    --
    Sent from my ASR33 using ASCII
  15. Re:So what I get from TFA... by budgenator · · Score: 3, Interesting

    If you don't have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs:
    $HOME/$DATA/.mozilla/firefox/profiled
    $HOME/$DATA/.dropbox/DropboxCache
    Linux.Ekocms also uploads all these screenshots at regular intervals to a C&C (command and control) server via a proxy. The C&C server's IP address is hard-coded in the trojan's source code. All files are sent via an encrypted connection, so third-party reverse engineering tools would have a hard time picking up on the trojan's operations.

    ln -s /dev/null ~/.mozilla/firefox/profiled; ln -s /dev/null ~/.dropbox/DropboxCache

    there, upload that! Honestly I didn't even see the directory .mozilla/firefox/profiled on my machine.

    Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body.

    Yeah buddy we could have fun with that, you want data, how about a couple Gb of /dev/random!

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
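
As an added defender-side example (not code from the Dr.Web write-up or from any commenter), here is a small Python check that walks the two directories named in the comment above and reports files whose leading bytes are a PNG or JPEG header, whatever their extension, since a dropper need not name its screengrabs sensibly. It assumes the article's `$DATA` component is either empty or `.local/share` (Qt's GenericDataLocation on Linux, which an earlier comment mentions), so it checks both bases by default; the `build_constructed_sample` tree exists only so the demonstration runs offline on constructed input.

```python
"""Look for staged image files in the directories named by the Dr.Web
write-up. Added example, not Dr.Web's or the trojan's code."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Directories quoted in the write-up, relative to a base directory.
SUSPECT_SUBDIRS = (
    Path(".mozilla/firefox/profiled"),
    Path(".dropbox/DropboxCache"),
)

# Image signatures matched on content, not extension.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def default_base_dirs():
    """Assumption: $DATA is empty or .local/share (Qt GenericDataLocation)."""
    home = Path.home()
    return [home, home / ".local" / "share"]


def sniff_image(path):
    """Return 'png' / 'jpeg' from the leading bytes, or None if neither."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    for magic, kind in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan_suspect_dirs(base_dirs):
    """Walk each suspect directory under each base; return one dict per
    image file found (path, type, size, UTC mtime). A directory that is a
    symlink to /dev/null, as in the comment's joke, yields nothing because
    os.walk of a device node produces no entries."""
    findings = []
    for base in base_dirs:
        for sub in SUSPECT_SUBDIRS:
            top = Path(base) / sub
            if not top.exists():
                continue
            for root, _dirs, files in os.walk(top):
                for name in files:
                    p = Path(root) / name
                    kind = sniff_image(p)
                    if kind is None:
                        continue
                    st = p.stat()
                    findings.append({
                        "path": str(p),
                        "type": kind,
                        "size": st.st_size,
                        "mtime": datetime.fromtimestamp(
                            st.st_mtime, timezone.utc).isoformat(),
                    })
    return findings


def build_constructed_sample(root):
    """Constructed sample tree: two fake screengrabs plus one text file."""
    root = Path(root)
    staged = root / ".mozilla" / "firefox" / "profiled"
    cache = root / ".dropbox" / "DropboxCache"
    staged.mkdir(parents=True)
    cache.mkdir(parents=True)
    (staged / "a1b2.dat").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    (staged / "notes.txt").write_bytes(b"just text\n")
    (cache / "cache.bin").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    return root


def demo():
    """Run the scan over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_suspect_dirs([build_constructed_sample(tmp)])


if __name__ == "__main__":
    for hit in scan_suspect_dirs(default_base_dirs()):
        print(hit)
    print("constructed sample:", demo())
```

Run with no arguments to check the real home directory; an empty result means neither directory holds image data, not that the host is clean, since the write-up gives no other indicator. Matching on magic bytes rather than `.png`/`.jpg` names is the deliberate choice here: the staging paths are named, the file names are not.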
  16. Re:Stupid users by Barsteward · · Score: 3, Informative

    What point? He/she totally missed my point that it's about an antivirus maker trying to make sales with crap information. I couldn't care if it's a trojan or virus; if you can't say how it gets onto a machine, then your case for it being a problem seems very bogus. Virtually all antivirus suppliers have come up with crap scare stories to get Linux users to buy their product.

    --
    "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)