Linux Trojan captures audio and takes screenshots
Security is always on the minds of users these days, and that includes those who use Linux. TechWeek Europe has a disturbing article about a Linux Trojan that captures audio and takes screenshots.
It remains to be seen how widespread this Trojan is among Linux users and what the exact attack vector is for it.
Steve McCaskill reports for TechWeek Europe:
Security researchers have found a new Linux Trojan capable of taking screenshots of infected systems and even recording sound.
Russian anti-virus firm Dr Web says that once the Linux.Ekoms.1 malware is launched it checks for two specific files – one related to Dropbox and another related to Firefox. If it finds neither of the files, it makes a copy of itself and launches from a new directory.
"If the launch is successful, Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body," said the company. "All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data.
"Every 30 seconds the service takes a screenshot and saves it to a temporal folder in the JPEG format with a name in the ss%d-%s.sst format, where %s is a timestamp. If the file is not saved, the Trojan tries to save it in the BMP format."
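A defender-side check built from the indicators Dr Web describes above: the `ss%d-%s.sst` file name, JPEG or BMP content, and one new file roughly every 30 seconds. This is an added example, not code from the article or from Dr Web; the default scan roots `/tmp` and `/var/tmp`, the 5-second tolerance and the loose match on the timestamp field are assumptions.

```python
import os
import re
import sys

# Name scheme from the report: ss%d-%s.sst, where %s is a timestamp.
# The timestamp's text format is not given, so it is matched loosely (assumption).
NAME_RE = re.compile(r"^ss(-?\d+)-(.+)\.sst$")
MAGIC = {b"\xff\xd8\xff": "jpeg", b"BM": "bmp"}  # the two formats the report names
INTERVAL, TOLERANCE = 30, 5  # seconds; the tolerance is an assumption


def image_type(path):
    """Return 'jpeg' or 'bmp' if the file starts with that magic, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(3)
    except OSError:
        return None
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def scan(root):
    """Group image files named like ss%d-%s.sst by directory and score cadence."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = image_type(path) if NAME_RE.match(name) else None
            if kind is None:
                continue  # wrong name, unreadable, or not an image
            try:
                hits.setdefault(dirpath, []).append((os.stat(path).st_mtime, name, kind))
            except OSError:
                continue  # file vanished between listing and stat
    findings = []
    for dirpath, items in hits.items():
        items.sort()  # oldest first, by modification time
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        findings.append({
            "dir": dirpath,
            "files": [name for _, name, _ in items],
            "kinds": sorted({kind for _, _, kind in items}),
            # consecutive files written about INTERVAL seconds apart
            "periodic_gaps": sum(abs(g - INTERVAL) <= TOLERANCE for g in gaps),
        })
    return findings


if __name__ == "__main__":
    for root in sys.argv[1:] or ["/tmp", "/var/tmp"]:  # default roots are assumptions
        for finding in scan(root):
            print(finding)
```

A directory with several hits and a non-zero `periodic_gaps` count matches the reported behaviour more closely than a single stray `.sst` file does.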
Linux redditors reacted to news of the Trojan in a long thread and wondered how to avoid it:
Markhole: "As usual, attack vector isn't mentioned."
Phoenix591: "... they are calling it a trojan, which generally implies it usually has to trick its victims into running it, though it could of course be pulled in and run through another vulnerability."
Billowingpillow: "This might be a stupid question, but is it becoming a stupid idea to use a Linux distro without anti virus?"
Fishmonger9000: "Always use a package manager if you can."
Alex: "Is there much risk of malware from that? How easy is it to add a package or social engineer a backdoor into one?
Kiddies tend to be pretty easy to social engineer and so if some high school kid makes a package it wouldn't be too hard for someone to make a "contribution" to it that contains a backdoor."
BirdDogWolf: "It depends on the repo. I trust Debian pretty thoroughly as there is a lot of work into packaging all of the repo. Something like Arch's AUR, though.... You're definitely going to be best off combing through everything yourself."
IMBJR: "The biggest risk is if the source is someone's own git repo or includes patches "to get it to work". Stuff that comes from commonly used repos, e.g. libcurl, is only likely to contain malware if the owner's security habits are shabby."
Twyllodrus: "Depending on what you use, there might still be some risk. E.g. an attacker could use DNS poisoning to have users install mangled packages from a server that is not a legitimate mirror. Package signing can help with that. However, this kind of attack is quite difficult to mount and tends to be spotted relatively quickly."
Ventomareiro: "It usually takes quite a long time to add a new package. Updates to existing packages are not tested thoroughly, so many bugs/vulnerabilities make it through. Distros usually have stable releases so they can iron those out, but still some severe vulnerabilities can stay undetected for years or even decades. Other times, the distros themselves can introduce new vulnerabilities when patching the software before packaging it. For a long time packages in Debian were compiled by the developers and then uploaded directly to the repositories, so that could also have been a possible attack vector."
TRL5: "If you are downloading a .dpkg (or equivalent) from a random website, that's just a package format that anyone can make. They are not meaningfully signed (by design), and can be just random things thrown together by random people."