Snap-Happy Trojan Targets Linux Servers

Security researchers atDr.Web on Tuesday revealed details of the Trojan Linux.Ekoms.1, which takes screen shots and records audio to acquire sensitive and personal information, mostly from Linux servers.

Malware for Linux is becoming more diverse and includes spyware programs, ransomware and Trojans designed to carry out distributed denial-of-service attacks, according to Dr.Web. Researchers did not assess the severity of the threat once the malware infects computers.

The disclosure also did not provide details on the source of the malware or the extent of its threat to servers or desktop computers running the open source OS.

“The malware is focused on monitoring what a human user is doing, although the majority of Linux systems are servers. Therefore, they won’t be as valuable for screenshots and audio recordings to attackers,” said Ben Johnson, chief security strategist atBit9+Carbon Black.

Linux is usually a server or infrastructure component, so it is not going to be reimaged or changed as often as an individual machine, he told LinuxInsider.

“This means that even if the system does not have juicy data, it could be a very compelling hiding spot for months or years for an adversary,” Johnson said.

Sketchy Details

Little is known about the origin of Linux.Ekoms.1 or its intended goals. The malware takes screenshots and can record audio. It saves those audio recordings as an .aat file in the WAV format. However, that feature is not used anywhere, Dr.Web researchers said.

“This is a Trojan, which means it disguises itself as something else. A user may get tricked into downloading this piece of software, thinking it was for some other purpose, and subsequently his/her machine may get infected,” said Chenxi Wang, chief strategy officer atTwistlock.

The primary threat of the malware is information leak and violation of privacy, she told LinuxInsider. The goal might center on activities not yet fully implemented.

“As the malware makes recordings of the user’s every activity in screen shots and voice recording, whoever controls the malware knows every move of the user as well as the applications that run on the machine,” Wang said.

How It Works

Once the malware is launched, Linux.Ekoms.1 looks for a subfolder in the home directory containing files with specified names.

It looks for these details:



where $DATA = QStandardPaths::writableLocation(QStandardPaths::GenericDataLocation)

If it fails to find those two files, it randomly chooses a subfolder to save its own copy there using one of those two file names, according to Dr.Web researchers.

The Trojan then launches from a new location. If successful, the malicious program establishes a connection to a server. Specific addresses are hard-coded in its body.

What It Does

The Trojan takes a screenshot every 30 seconds and saves it to a temporary folder in JPEG format. If the file is not saved, the Trojan tries to save it in the BMP format. The temporary folder is sent to the server in specified intervals.

All information transmitted between the server and Linux.Ekoms.1 is encrypted. The Trojan’s body has the RSA key that is used to obtain the AES session key.

The encryption initially is performed using the public key. The decryption is executed by implementing the RSA_public_decrypt function to the received data.

The Trojan exchanges data with the server using AbNetworkMessage. The id line determines the executed action.

The Trojan launches the EkomsAutorun services. It saves the following information to the $HOME/.config/autostart/%exename%.desktop file:

[Desktop Entry]





Attacks on the Rise

All computer systems today are seeing an increase in malware. Linux systems have a higher probability of being Internet-facing servers and may have lucrative data, according to Bit9+Carbon Black’s Johnson.

“As a result, these [Linux] systems are in the cross-hairs. Furthermore, WordPress and other services might have known, publicly searchable vulnerabilities. This makes an attractive attack vector,” he said.

Linux malware is gaining momentum as businesses adopt more and more open source projects. More Internet of Things devices are built on stripped-down Linux systems, according to Twistlock’s Wang.

“This is especially true in developer-driven environments where continuous integration and continuous delivery is happening. In those environments, Linux is the primary platform for development and operations,” she said.

The growth of Linux in the cloud is also a strong contributing factor.

“Not surprisingly, increasingly more malware writers are targeting the Linux platform,” Wang said.

Linux Still Safer

Linux generally is regarded as more secure than other platforms. Even with the surge in Linux vulnerabilities, the open source platform is still more locked down than other options.

“Linux is still significantly better than Windows in terms of the volume and severity of security threats. But as long as its popularity continues to rise, especially more and more enterprises move to a developer-driven operations model, we see that Linux will follow the familiar trajectory of Windows, for which there will be many varieties of active threats,” Wang noted.

The question of how long Linux security will remain at current levels could come down to community focus. New defensive strategies may be needed.

“Generally speaking, the security community has not been primarily focused on Linux,” Johnson noted, “so there are not as many defenses against attacks.”

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.Email Jack.

1 Comment

  • Although the title is sensationalized, as usual, I think this article is pretty balanced. I like most of the malware news I read on this site. But by this time I’ve read many security alerts, malware reports and as much cyber-security news as I can get my hands on. Based on passed reads something seems suspiciously missing from this report: Original source of discovery and its current means of deployment. Its almost as if DrWeb (not Tech News) cooked up a report about a non-existent trojan to build business.

    I’ve been to DrWeb’s site and the same vacuum of information seems to be there too, unless I missed it. Does anyone know how this was discovered, where and in what program it was embedded in?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Jack M. Germain
More in Software

LinuxInsider Channels