
Researchers have uncovered a new Trojan horse for Linux that takes screenshots every 30 seconds and is capable of recording sound.

The team at Russian anti-virus company Dr Web has published a blog post on the malware, which it calls Linux.Ekoms.1.

Upon installation, the malware checks for two files related to Dropbox or Mozilla Firefox:

.mozilla/firefox/profiled

.dropbox/DropboxCache

If either of the files is found to be present, the Linux.Ekoms.1 Trojan makes a copy of itself using the filename, and launches itself from a new directory.

Here is where the fun begins.

After connecting to a third-party server (using an address hardcoded into its code), the malware begins secretly taking screenshots in JPEG or BMP format, uploading them to the server over an encrypted connection.

It would appear, however, that taking screenshots is not the only capability the malware has up its sleeve.

“Along with the ability of screenshot taking, the Trojan has the AbAudioCapture special class to record sound and save it with the name of aa-%d-%s.aat in the WAV format.”

Dr Web’s researchers admit, however, that the sound-capture functionality does not appear to be used by the Trojan, perhaps indicating that side of its spying is a work in progress.

Malware is becoming a more frequent occurrence on machines running Linux. It’s not at all unusual to find Linux servers that have been hijacked into botnets, and recently ransomware has begun to rear its ugly head on the platform.

For instance, back in November, Dr Web discovered Linux.Encoder.1, a form of ransomware that encrypts a variety of common file extensions and demands up to four Bitcoins in exchange for the decryption key.

It wasn’t long, however, before researchers at Bitdefender spotted a flaw in the malware’s generation of the AES key, thereby allowing them to develop a free decryption key for affected users.

For those who think they might be infected by Linux.Ekoms.1, Dr Web recommends that they run a full scan of all disk partitions using Dr.Web Anti-virus for Linux.
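As a quick triage step before a full scan, the two file paths and the aa-%d-%s.aat naming pattern described above can be checked per home directory. The script below is an added example, not code from Dr Web or from this article. It assumes the Trojan's copy is an ELF binary and that capture files would sit somewhere below the home directory (the article does not say where they are saved); the function names are illustrative, and a hit is a lead for investigation rather than a verdict.

```python
import re
import sys
from pathlib import Path

# Relative paths named in the article, resolved under a user's home directory.
DROP_PATHS = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")
# The aa-%d-%s.aat template from the Dr Web quote, expressed as a regex.
CAPTURE_RE = re.compile(r"^aa-(-?\d+)-(.+)\.aat$")
ELF_MAGIC = b"\x7fELF"  # assumption: the Trojan's copy is an ELF binary


def is_elf(path):
    """True if path is a regular file (not a symlink) that starts with ELF magic."""
    try:
        if path.is_symlink() or not path.is_file():
            return False
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False  # unreadable files are skipped, not reported


def scan_home(home):
    """Return triage findings for one home directory as a list of dicts."""
    home = Path(home)
    findings = []
    for rel in DROP_PATHS:
        candidate = home / rel
        if is_elf(candidate):
            mode = candidate.stat().st_mode
            findings.append({"kind": "elf_at_drop_path", "path": str(candidate),
                             "executable": bool(mode & 0o111)})
    # Assumption: capture files are looked for anywhere below the home directory.
    for path in home.rglob("aa-*.aat"):
        if CAPTURE_RE.match(path.name) and path.is_file():
            findings.append({"kind": "capture_file", "path": str(path)})
    return findings


if __name__ == "__main__":
    # Usage: python3 ekoms_triage.py /home/alice /home/bob (defaults to own home)
    for home in sys.argv[1:] or [str(Path.home())]:
        for finding in scan_home(home):
            print(finding)
```

A non-executable data file at either path is not reported, which keeps ordinary Firefox or Dropbox content from raising a finding.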

As a general preventive measure, users should also implement software patches whenever available, maintain an up-to-date anti-virus product on their machines, and exercise caution when clicking on suspicious links found in emails.
