New Linux Trojan takes screenshots of desktop and records audio


4 replies to this topic

#1 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,841 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:05:26 AM

Posted 19 January 2016 - 04:34 PM

 

New Linux Trojan Takes Screenshots Every 30 Seconds And Records Audio

Russian antivirus company Doctor Web has detected a new threat against Linux users that seems to be designed to help cybercriminals spy on users. The Linux.Ekocms.1 trojan includes special features that allow it to take screenshots and record audio.

The malware, discovered four days ago, is part of the spyware family and is designed to take a screenshot of the user's desktop every 30 seconds. It then saves them to a temporary folder in JPEG format using the extension .sst. If the screenshot cannot be saved as a JPEG, Ekocms attempts to save it in the BMP image format.

In most cases, screenshot files are always saved to the same two folders, but if the folders don’t exist, the trojan will create its own when needed.

An examination of the Trojan disclosed that its developers are also working on a feature designed to record audio and save the recording in WAV format in a file with the .aat extension in the same temporary folder. It is not active in the Ekocms variant studied by Dr. Web, even though the sound recording feature exists.

The malware is designed to periodically search its temporary folder for files with certain names and extensions. It searches for .aat and .sst files, which are actually used to store screenshots and audio recordings, and also for .ddt and .kkt files, which suggests the malware authors might be aiming at other types of content as well.

If you don’t have an antivirus solution installed on your Linux PC, you can check for Linux.Ekocms by inspecting the following two folders and seeing if you find any screengrabs:

– $HOME/$DATA/.mozilla/firefox/profiled

– $HOME/$DATA/.dropbox/DropboxCache

http://www.techworm.net/2016/01/new-linux-trojan-takes-screenshots-desktop-records-audio.html
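The manual check above (look in the two drop folders for screengrabs) can be scripted. The following is an added example, not code from the article, from Dr.Web, or from the poster: it walks a home directory for files carrying the four extensions the post mentions (.sst, .aat, .ddt, .kkt), sniffs their magic bytes to see whether a .sst is really a JPEG/BMP and a .aat is really a WAV, and flags files sitting under the two named drop folders. Because $DATA is not a standard variable, the script assumes (its own assumption) that it stands for some unknown intermediate directory and matches the trailing path components at any depth. The sample tree built by demo_constructed_sample(), including its file names, is constructed for the demonstration and is not real malware output.

```python
"""Added triage check for the Linux.Ekocms drop locations named in the post above.

Not from the article or Dr.Web. Walks a root (default: $HOME) for files with the
extensions the trojan is said to use, sniffs magic bytes, and flags drop folders.
"""
import os
import tempfile
from pathlib import Path

# Extensions the post says Ekocms looks for in its temporary folder.
EKOCMS_EXTENSIONS = {".sst", ".aat", ".ddt", ".kkt"}

# Drop folders named in the post, written there as $HOME/$DATA/...
# $DATA is not a standard variable, so (assumption) it is treated as an unknown
# intermediate directory and only the trailing path components are matched.
DROP_DIR_SUFFIXES = ("/.mozilla/firefox/profiled", "/.dropbox/DropboxCache")


def sniff_type(header: bytes) -> str:
    """Classify a file by its first bytes as jpeg, bmp, wav or unknown."""
    if header.startswith(b"\xff\xd8\xff"):          # JPEG SOI marker
        return "jpeg"
    if header.startswith(b"BM"):                     # BMP file header
        return "bmp"
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":  # RIFF container, WAVE form
        return "wav"
    return "unknown"


def scan_tree(root: str) -> list:
    """Return one record per file under root whose extension is in EKOCMS_EXTENSIONS."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_drop_dir = dirpath.endswith(DROP_DIR_SUFFIXES)
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in EKOCMS_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(12)
            except OSError:
                header = b""
            ftype = sniff_type(header)
            # The post describes .sst as JPEG/BMP screenshots and .aat as WAV audio;
            # a file whose extension and real type agree with that is the strongest signal.
            consistent = (ext == ".sst" and ftype in ("jpeg", "bmp")) or \
                         (ext == ".aat" and ftype == "wav")
            findings.append({"path": path, "ext": ext, "type": ftype,
                             "in_drop_dir": in_drop_dir,
                             "matches_ekocms_pattern": consistent})
    return findings


def demo_constructed_sample() -> dict:
    """Build a constructed (fake) home tree, scan it, and return findings keyed by extension."""
    with tempfile.TemporaryDirectory() as home:
        # "data" stands in for the unknown $DATA component (assumption).
        drop = Path(home) / "data" / ".mozilla" / "firefox" / "profiled"
        drop.mkdir(parents=True)
        # Constructed headers only: a JPEG SOI/APP0 marker and a minimal RIFF/WAVE header.
        (drop / "1453212345.sst").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        (drop / "1453212360.aat").write_bytes(b"RIFF\x24\x00\x00\x00WAVEfmt ")
        (Path(home) / "Downloads").mkdir()
        (Path(home) / "Downloads" / "odd.ddt").write_bytes(b"????")
        (Path(home) / "notes.txt").write_bytes(b"benign")
        return {f["ext"]: f for f in scan_tree(home)}


if __name__ == "__main__":
    hits = scan_tree(os.path.expanduser("~"))
    for f in hits:
        flag = "SUSPICIOUS" if f["matches_ekocms_pattern"] or f["in_drop_dir"] else "review"
        print(f"{flag}: {f['path']} ext={f['ext']} type={f['type']} drop_dir={f['in_drop_dir']}")
    if not hits:
        print("No files with Ekocms extensions found under $HOME.")
```

Run it as the affected user (the drop folders are under $HOME), and treat a .sst that is really a JPEG, or a .aat that is really a WAV, as a much stronger indicator than a stray extension on its own; .ddt and .kkt hits only tell you the extension matched, since the post does not say what those files hold.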




#2 mremski

mremski

  • Members
  • 498 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH
  • Local time:02:26 PM

Posted 19 January 2016 - 05:32 PM

OK, so $HOME is typically defined by all the shells; $DATA? That's a non-standard one; perhaps some of the desktop environments like Gnome/KDE/Unity and any derivatives set it.

Simple enough to check.  


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#3 Guest_GNULINUX_*

Guest_GNULINUX_*

  • Guests
  • OFFLINE
  •  

Posted 19 January 2016 - 06:01 PM

And the most important thing is once again missing...  :rolleyes:

Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

Source: Softpedia

 

Greets!



#4 Gary R

Gary R

    MRU Admin


  • Malware Response Team
  • 917 posts
  • OFFLINE
  •  
  • Gender:Male

Posted 20 January 2016 - 04:25 AM

And the most important thing is once again missing...  :rolleyes:

Dr.Web malware specialists have not disclosed how this malware infects Linux computers.

Source: Softpedia

 

Greets!

 

Yes Dr Web, if you're going to issue warnings, then the very least you need to do is give enough information for people to assess their risk, and/or to mitigate their exposure.

 

Their article does neither.



#5 mremski

mremski

  • Members
  • 498 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NH
  • Local time:06:26 PM

Posted 20 January 2016 - 06:24 AM

"uploaded to a hardcoded ip...."  Geez, if that was a single IP or a range one could block outgoing traffic to it.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer




