New Linux Malware Records Audio, Captures Screenshots

New Android malware can steal your money
January 27, 2016
BlackEnergy malware deployed using malicious Word docs
January 29, 2016

The latest malicious program attacking Linux computers is the Linux.Ekocms.1 that Russian anti-virus vendor Dr. Web discovered last weekend. The program comes after two others the Linux XOR DDoS malicious software and the ransomware Linux.Encoder. Both those malware caused numerous problems for Linux PCs previous autumn; as a result, the device was considered resistant to malware contaminations.

The current Linux.Ekocms.1 has certain specific characteristics which let it capture screenshots as well as record audio. The Trojan found exudes spyware features while grabs screenshots at each interval of 30 seconds. The screengrabs are of the desktop that the infected user works on. Linux.Ekocms.1 subsequently saves the screengrabs onto one temporary folder as JPEG files with .sst as the extension. 

The saved JPEG files are each given a filename which also shows the time of the screengrabs. In case JPEG files can’t be formed Ekocms saves the screengrabs as BPM picture files. Softpedia posted this in news on January 19, 2016.

Ekocms from time to time scans temporary folders to find if they have files having specific extensions and names. For instance, it scans for .sst and .aat files that in reality are used for saving audio recordings and screenshots. In addition, it hunts for .kkt and .ddt files as well.

The Trojan on further scrutiny showed that it was being developed for recording sound while storing that recording inside the earlier mentioned temporary folder as a WAV file having an .aat extension. Incidentally, when Dr. Web studied Ekocms the audio recording characteristic wasn’t active in the particular variant. 

Linux.Ekocms.1 after taking the screenshots also uploads them at routine time-breaks onto its command-and-control (CnC) server through the channel of a proxy. Internet Protocol address of the server exists inside the malicious program’s source code in a hard-coded form. The files uploaded get transmitted in an encrypted manner, thereby making it difficult for detecting the Trojan’s activities.

Significantly, as Linux.Ekocms.1 now stands, it runs as a strong reconnaissance tool, letting its controllers perceive how the tools which any end-user of Linux machine employs work along with what websites such end-users access, every day.

Source –


Request Demo