Slashdot Mirror


New Linux Trojan Can Spy on Users by Taking Screenshots and Recording Audio (drweb.com)

An anonymous reader writes: Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users: the Linux.Ekoms.1 trojan. It includes functionality that allows it to take screenshots and record audio. While the screenshot activity is working just fine, Dr.Web says the trojan's audio recording feature has not been turned on, despite being included in the malware's source code. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data. The Trojan exchanges data with the server using AbNetworkMessage."

6 of 130 comments

  1. back in the old days by Anonymous Coward · Score: 5, Funny

    Linux didn't support my laptop's webcam.

  2. Re:And it's easy to get infected without realizing by code_monkey_steve · Score: 5, Funny

    Simply download the package and run these steps:

    It doesn't build with my version of libc. Is there a wiki or forum, or something?

  3. shocked, shocked i say! by Gravis Zero · Score: 5, Informative

    Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

    But they are willing to sell you their Linux antivirus software.

    From what I've gathered, it's written in C++, uses Qt 5.4 or higher (that's when the enumeration value QStandardPaths::GenericDataLocation was added to Qt) and it's not self-propagating.

    So basically, it's a program that has to be installed on your computer... maybe from a compromised package repo server.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:shocked, shocked i say! by Raenex · Score: 5, Interesting

      Personal experience is that the applications shipped by the distro to do these tasks crash a lot, hang the desktop, fight with pulseaudio or require extensive configuration (hello ~/.alsasoundrc and 2005!)

      About a month ago my Debian desktop was compromised, and I figured this out because the desktop was hung. In an attempt to recover from the hang, I tried to restart Gnome Shell... and I started getting audio in a foreign language of people speaking. I freaked out, shut down my computer, and reinstalled.

      I'm generally careful about not installing fishy stuff, and I saved a copy of the hard drive after I shut it down, so if somebody wants to help see what it was I'd be willing to work with them.

  4. Every cloud by melonman · Score: 5, Funny

    Wait, so someone has found a way to make audio work reliably across Linux distros? Does this make 2016 the Year of the Linux Desktop?

    --
    Virtually serving coffee
  5. Re: And it's easy to get infected without realizin by Anonymous Coward · Score: 5, Funny

    I don't think it runs on anything except a 5-year-old Ubuntu with default setup and you need to kill pulseaudio + make sure your microphone is ALSA device 0:1 for the experimental recording function. Also try disabling compositing if your screenshots only show the desktop background.

    You might have to create the certs for the encrypted uploads manually if the system isn't getting enough entropy fast enough or the Trojan will assume that the connection timed out and go into an endless loop.

    Just run the Windows version with wine until the devs get their shit together!