Linux Trojan Takes Screenshots And Captures Audio

Security researchers have found a new Linux Trojan capable of taking screenshots of infected systems and even recording sound.

Russian anti-virus firm Dr Web says that once the ‘Linux.Ekoms.1’ malware is launched it checks for two specific files – one related to Dropbox and another related to Firefox. If it finds neither of the files, it makes a copy of itself and launches from a new directory.

“If the launch is successful, Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body,” said the company. “All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data.

“Every 30 seconds the service takes a screenshot and saves it to a temporal folder in the JPEG format with a name in the ss%d-%s.sst format, where %s is a timestamp. If the file is not saved, the Trojan tries to save it in the BMP format.”

The ability to take screenshots could allow malicious attackers to steal sensitive corporate information and pose privacy risks to consumers. The Trojan is also capable of audio capture, but the researchers said they had seen no evidence of this action being taken.

“Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format. However, in fact, this feature is not used anywhere,” they said.
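A defender-side check built on the two file names quoted above, as an added example that is not code from Dr Web or from the original article: it walks a directory, flags files named like `ss%d-%s.sst` or `aa-%d-%s.aat`, and raises confidence when the content really is JPEG/BMP or WAV behind the unusual extension. The regular expressions assume `%d` is a decimal integer and `%s` is any non-empty string; the function names are hypothetical.

```python
import os
import re
import tempfile

# Name patterns from the Dr Web description: ss%d-%s.sst and aa-%d-%s.aat.
# Assumption: %d is a decimal integer and %s (the timestamp) is any non-empty text.
NAME_PATTERNS = {
    "screenshot": re.compile(r"^ss\d+-.+\.sst$"),
    "audio": re.compile(r"^aa-\d+-.+\.aat$"),
}
# Content types the report says are stored under those extensions.
EXPECTED_CONTENT = {"screenshot": {"jpeg", "bmp"}, "audio": {"wav"}}


def sniff(header: bytes) -> str:
    """Identify JPEG, BMP or WAV from the first 12 bytes of a file."""
    if header.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if header.startswith(b"BM"):
        return "bmp"
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def scan(root: str) -> list[dict]:
    """Walk root and report files whose name matches one of the patterns."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            for kind, pattern in NAME_PATTERNS.items():
                if not pattern.match(name):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        content = sniff(fh.read(12))
                except OSError:
                    content = "unreadable"
                findings.append({
                    "path": path, "kind": kind, "content": content,
                    # Name plus matching media header is the stronger signal.
                    "confidence": "high" if content in EXPECTED_CONTENT[kind] else "low",
                })
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in scan(tempfile.gettempdir()):
        print(finding)
```

A name match alone is reported with low confidence, since an unrelated program could use the same extension.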

Jim Zemlin, executive director of the Linux Foundation, has said that security issues are threatening a “global age of open source”. The Foundation is spearheading a number of initiatives to improve matters following the discovery of the Heartbleed, Poodle and Shellshock vulnerabilities, with financial support from major names in the technology industry.

However, experts say malware is becoming an increasing problem for Linux users.

“Malware is becoming a more frequent occurrence on machines running Linux,” said security expert Graham Cluley. “It’s not at all unusual to find Linux servers that have been hijacked into botnets, and recently ransomware has begun to rear its ugly head on the platform.”

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
