January 19, 2016

Malware for Linux is becoming more and more diverse. Among it are spyware programs, ransomware, and Trojans designed to carry out DDoS attacks. Doctor Web security researchers have examined yet another creation of cybercriminals, dubbed Linux.Ekoms.1. This Trojan can periodically take screenshots and download various files to the compromised machine.

Once launched, Linux.Ekoms.1 checks whether one of the subfolders in the home directory contains files with specified names. If it finds none, it randomly chooses a subfolder and saves a copy of itself there; the Trojan is then launched from the new location. If that succeeds, the malicious program establishes a connection to one of the servers whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted.

Every 30 seconds the Trojan takes a screenshot and saves it to a temporary folder in JPEG format. If the file cannot be saved as JPEG, the Trojan tries to save it in BMP format. The contents of the temporary folder are uploaded to the server at specified intervals.

One of the system threads created by the Trojan generates a filter list for the "aa*.aat", "dd*ddt", "kk*kkt", "ss*sst" files, searches the temporary location for files matching these patterns, and uploads them to the server. If the server replies with the uninstall command, Linux.Ekoms.1 downloads an executable file from the server, saves it to the temporary folder and runs it. Moreover, the Trojan can download and save a number of other files.
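The staging behaviour described above (screenshots written to a temporary folder as JPEG or BMP, audio as WAV, and an upload thread that picks files by the four name patterns) gives an incident responder something concrete to hunt for. The script below is an added triage example written for this page; it is not Doctor Web's code and not part of the original write-up. It treats the four patterns as shell-style globs exactly as they are printed above, and checks the first bytes of each match against the file formats the write-up names. The sample staging directory it builds is constructed for the demonstration; the actual temporary path used by the Trojan is not stated on this page, so the directory to scan is a parameter.

```python
#!/usr/bin/env python3
"""Hunt for Linux.Ekoms.1-style staging artifacts in a temporary directory.

Added example, not Doctor Web's code. It relies only on the facts in the
write-up: screenshots are staged as JPEG (falling back to BMP), audio would
be staged as WAV, and an upload thread selects files matching
"aa*.aat", "dd*ddt", "kk*kkt" and "ss*sst". The files produced by
build_sample_dir() are constructed here for the demonstration.
"""
import fnmatch
import os
import tempfile

# Filter patterns copied verbatim from the write-up. Because "*" also
# matches ".", "dd*ddt" matches "dd001.ddt" as well as "dd001ddt".
EKOMS_PATTERNS = ("aa*.aat", "dd*ddt", "kk*kkt", "ss*sst")


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes using the formats the Trojan writes."""
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"BM"):
        return "bmp"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"


def hunt_ekoms_artifacts(directory: str) -> list:
    """Return one record per regular file whose name matches the upload filter."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        matched = [p for p in EKOMS_PATTERNS if fnmatch.fnmatch(name, p)]
        if not matched:
            continue
        with open(path, "rb") as fh:
            head = fh.read(12)  # enough for the JPEG, BMP and RIFF/WAVE checks
        findings.append({"name": name, "pattern": matched[0],
                         "type": sniff_type(head),
                         "size": os.path.getsize(path)})
    return findings


def build_sample_dir() -> str:
    """Create a constructed directory that mimics the Trojan's staging folder."""
    d = tempfile.mkdtemp(prefix="ekoms_hunt_")
    samples = {
        "ss000001.sst": b"\xff\xd8\xff\xe0" + b"\x00" * 16,              # JPEG screenshot
        "ss000002.sst": b"BM" + b"\x00" * 20,                             # BMP fallback
        "aa000001.aat": b"RIFF" + b"\x24\x00\x00\x00" + b"WAVEfmt " + b"\x00" * 8,  # WAV audio
        "dd000001.ddt": b"\x00" * 8,                                      # matched, unknown content
        "notes.txt": b"unrelated user file\n",                            # not matched
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


def demo() -> list:
    """Build the constructed sample directory and run the hunt over it."""
    return hunt_ekoms_artifacts(build_sample_dir())


if __name__ == "__main__":
    # On a real host, point hunt_ekoms_artifacts() at the suspected staging folder instead.
    for f in demo():
        print(f"{f['name']:<16} matched {f['pattern']:<8} type={f['type']} size={f['size']}")
```

A name match whose content is not JPEG, BMP or WAV (the "dd000001.ddt" case above) is still worth preserving: the write-up says the Trojan also downloads and stores other files, and the filter is what the upload thread keys on, not the content.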

In addition to taking screenshots, the Trojan's code contains a feature to record sound and save it as an .aat file in WAV format; however, this feature is not actually used anywhere. The entry for Linux.Ekoms.1 has been added to the Dr.Web virus databases, so this malicious program poses no threat to our users.

More information about this Trojan