
New Linux Trojan Can Spy on Users by Taking Screenshots and Recording Audio

An anonymous reader writes: Dr.Web, a Russian antivirus maker, has detected a new threat against Linux users: the Linux.Ekoms.1 trojan. It includes functionality that allows it to take screenshots and record audio. While the screenshot activity is working just fine, Dr.Web says the trojan's audio recording feature has not been turned on, despite being included in the malware's source code. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data. The Trojan exchanges data with the server using AbNetworkMessage."
  • Simply download the package and run these steps:

    1. tar xzf trojan.tar.gz
    2. cd trojan
    3. ./configure
    4. make
    5. sudo make install

    • by code_monkey_steve ( 651206 ) on Wednesday January 20, 2016 @03:36AM (#51334401)

      > Simply download the package and run these steps:

      It doesn't build with my version of libc. Is there a wiki or forum, or something?

      • by Anonymous Coward

        -Ncurses support

      • by Anonymous Coward on Wednesday January 20, 2016 @07:54AM (#51334939)

        I don't think it runs on anything except a 5 year old ubuntu with default setup and you need to kill pulseaudio + make sure your microphone is alsa device 0:1 for the experimental recording function. Also try disabling compositing, if your screenshots only show the desktop background.

        You might have to create the certs for the encrypted uploads manually if the system isn't getting enough entropy fast enough or the Trojan will assume that the connection timed out and go into an endless loop.

        Just run the Windows version with wine until the devs get their shit together!

      • You need to download the Android SDK, then compile, load certificate on target and finally deploy on target.

        Then, when the unsuspected owner returns from taking a piss, target is p0wned*. Enjoy!

        * support up to Android 2.1 only
    • by antdude ( 79039 )

      Nah, easier to download and install the compiled binary package. No compile stuff.

    • And on Windows you simply download, unzip it and run the setup.exe. Of course, you probably just have to download and run a setup.exe, but that's the point: it does not say it's a trojan even if you have to compile it with many dependencies (which do not include libtrojan and libmalware).
      • Windows has a convenient feature where it will download AND run the Trojan for you.

        There was a Linux kernel vulnerability announced yesterday... Ubuntu had the patch available by the time I got out of work. Phones, on the other hand are Phucked.

    • oh, I already got infected with the ./configure step
      Malware did not install as root, did not need to. Just took all my Thunderbird addresses and mailed all my contacts to try this awesome software.

  • by Anonymous Coward on Wednesday January 20, 2016 @03:34AM (#51334397)

    Linux didn't support my laptop's webcam.

  • by Gravis Zero ( 934156 ) on Wednesday January 20, 2016 @03:51AM (#51334431)

    Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

    But they are willing to sell you their Linux antivirus software.

    From what I've gathered, it's written in C++, uses Qt 5.4 or higher (that's when the enumeration value QStandardPaths::GenericDataLocation was added to Qt) and it's not self-propagating.

    So basically, it's a program that has to be installed on your computer... maybe from a compromised package repo server.

    • by Anonymous Coward

      A system cannot be compromised from a hacked repo. The packages are signed.

      • by Anonymous Coward

        It makes little difference. Look how long Debian went down after a single dev account was compromised. The system is only as secure as its weakest element.

        • by Bert64 ( 520050 ) <bert&slashdot,firenzee,com> on Wednesday January 20, 2016 @05:23AM (#51334593) Homepage

          Key point being "went down", rather than pose any risk to their users they decided to shut everything down until they could properly investigate the breach.
          Any commercial business would want to be back up and running again as soon as possible, even if that meant cutting corners.

        • by arth1 ( 260657 )

          > It makes little difference. Look how long Debian went down after a single dev account was compromised. The system is only as secure as its weakest element.

          Almost always, the weakest point in any computer chain is a human.

          A signed package management system adds security if you can
          a) verify that the signer is who he says he is, and not merely someone who has obtained a signing key, and
          b) can be trusted, and
          c) isn't a rubberstamper.

          in reality, people go "oh, signed, cool!", and don't think about it. If there are ten admins working for a repo, and a couple of sysadmins, and an unknown number of past workers who may or may not hold grudges, do you really want to

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      And this is why these companies use scary announcements. Most people will not understand it's a non-event. They just see the headline and panic. The media also are unskilled (that's why they're reporters and not real developers or engineers). But they know roughly what keywords mean and try to create tech-articles based on anything that'll draw in clicks, or fuel forum/comment rage. You'll find the same issue in every field. My wife is always showing similar crap regarding medical scares.

    • Hey look, I discovered a Linux trojan that insults your mom over and over! Here is the secret source code, never revealed until now:

      while [ true ]; do echo 'Your mom is fat!'; done

      For $20 btc I can sell you the secret to removing it from your system. Wallet 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy I'll surely send you the info.

  • haha (Score:4, Funny)

    by ouachiski ( 835136 ) on Wednesday January 20, 2016 @03:55AM (#51334437)

    Joke's on them, my headless Linux box doesn't have a microphone. I will go back to playing my xbox1 on my Samsung tv while asking Siri for game pointers...

  • Despite the presence of an audio recording feature in its codebase, Dr.Web says that this functionality was never active in the trojan's normal operation.

    Now I lost any hope my microphone will ever work. If even hackers have a hard time ...

  • Every cloud (Score:5, Funny)

    by melonman ( 608440 ) on Wednesday January 20, 2016 @04:27AM (#51334503) Journal

    Wait, so someone has found a way to make audio work reliably across Linux distros? Does this make 2016 the Year of the Linux Desktop?

    • by Kardos ( 1348077 )

      > Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format. However, in fact, this feature is not used anywhere.

      That's an entertaining thought but it looks like they didn't get it working at all

    • > Wait, so someone has found a way to make audio work reliably across Linux distros?

      Kubuntu audio has worked reliably since somewhere between version 9.10 and 10.04 (I'm not certain which). I think that's where Kubuntu got Pulse Audio finally installed correctly.

      > Does this make 2016 the Year of the Linux Desktop?

      My customers (who vary in range from late 20's to early 70's) have been happily using Kubuntu desktops since the 2008 timeframe. Most reactions have included a variation of surprise that computers can work so well (once I turn off the brain damage that is desktop search).

  • Linux rootkits have been around for many years, and there is already standard functionality for taking screenshots and recording audio built in to most Linux distros. You can just dd data from /dev/audio to a file, and you can take screenshots using xwd or import. The only difference is that most Linux systems are servers or embedded so they usually don't have X11 running or any audio hardware attached.

    • The fact that there's no likely mechanism for a Linux user to acquire such a trojan is a much more important difference. On the very rare occasions I install something from outside the repositories, it'll be carefully vetted.

  • by Rik Sweeney ( 471717 ) on Wednesday January 20, 2016 @05:55AM (#51334665) Homepage

    Well of course the source code is provided, no Linux user is going to install something without first knowing what it does!

  • by Lumpy ( 12016 ) on Wednesday January 20, 2016 @07:35AM (#51334893) Homepage

    This trojan doesn't work with pulseaudio..... well technically NOTHING works with pulseaudio.

    So I want them to write and push out a patch so it will work with not just ALSA but the other 657 different audio interface APIs.

  • How does this Linux.Ekoms.1 trojan get onto the computer without the end user explicitly downloading and installing it?
  • I (maybe shockingly) actually read the page.


    It generates a filtering list for the "aa*.aat", "dd*ddt", "kk*kkt", "ss*sst" files that are searched in the temporary location and uploads the files that match these criteria to the server. If the answer is the uninstall line, Linux.Ekoms.1 downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.
    Last time I checked, unless you are running Wine, ccXXXXXX.exe will not execute in linux or ha

    • by Kardos ( 1348077 )

      Where does it say that ccXXXXXX.exe is a windows binary?

      You can rename linux binaries to have a .exe prefix and they still run

      • True but not typical for linux, that is what made me question it.

      • The maker of a serious AV for *nix (grin) wouldn't call a .exe an executable file.
        Calling it an 'executable binary' named .exe would lend these fear-mongers a little more credibility.
    • It's been a while since I have even thought about this but I always understood that the file extension really didn't mean anything in linux, if the x bit was set then bash either sent it to the correct interpreter depending on the shebang or executed it depending on the correct magic number in the binary.
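
Added example, not part of the original thread and not Dr.Web's code: a defender-side check that lists files in a temp directory matching the staging-file globs quoted above, and classifies any `cc*.exe` file by its magic bytes and execute bit rather than by its extension. The function names, the `cc*.exe` glob form of `/tmp/ccXXXXXX.exe`, and the use of `tempfile.gettempdir()` as the "temporary location" are assumptions.

```python
import fnmatch
import os
import stat
import tempfile

# Globs exactly as quoted in the thread from the Dr.Web write-up.
STAGING_PATTERNS = ["aa*.aat", "dd*ddt", "kk*kkt", "ss*sst"]
# Assumption: glob form of the /tmp/ccXXXXXX.exe name quoted in the thread.
DROPPER_PATTERN = "cc*.exe"


def classify_magic(path):
    """Identify a file from its leading bytes; the extension is ignored."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    if head == b"\x7fELF":
        return "elf"      # native Linux binary, whatever it is called
    if head[:2] == b"MZ":
        return "pe"       # Windows executable, not natively runnable on Linux
    if head[:2] == b"#!":
        return "script"   # kernel hands it to the shebang interpreter
    return "unknown"


def scan_temp(directory=None):
    """Return sorted (name, finding) pairs for one directory, non-recursive."""
    directory = directory or tempfile.gettempdir()
    findings = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if any(fnmatch.fnmatchcase(entry.name, p) for p in STAGING_PATTERNS):
            findings.append((entry.name, "staging-file"))
        elif fnmatch.fnmatchcase(entry.name, DROPPER_PATTERN):
            mode = entry.stat(follow_symlinks=False).st_mode
            xbit = "x" if mode & stat.S_IXUSR else "no-x"
            findings.append((entry.name, f"exe-name:{classify_magic(entry.path)}:{xbit}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in scan_temp():
        print(f"{finding}\t{name}")
```

The quoted globs are broad, so a hit is a lead to inspect, not a verdict.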

  • On xterm too?

    Old school here. I access our Unix-like systems exclusively using Cygwin terminal which emulates xterm. At home I have Mac OS and FreeBSD. The latter one is a file server which I access mostly through a terminal.

  • On the loaded OS, run a full scan of all disk partitions using the Dr.Web Anti-virus for Linux.

    How about 'kill -9 PID'

    BTW: Anyone notice it also 'downloads the /tmp/ccXXXXXX.exe executable file from the server, saves it to the temporary folder and runs it.'
    Don't think drweb knows enough about *nix to even explain what it does.
    • You're right. This isn't an article about a Linux virus, it is an advertisement for their shitty Linux version of their virus scanner.
  • Is this trojan under the GPL? If so, can somebody direct me to the git repo???
  • Why in the world would somebody write a trojan to build a collection of neckbeard headshots? That's just sick!
  • This is supposed to be a major issue with X. X lets any client read all input sent to the X server, view any window, etc. These aren't bugs in X, it's how it's designed.

    Wayland doesn't allow this behavior so probably such a trojan wouldn't be possible with Wayland (outside of the audio aspect that is).
