Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Call us

+7 (495) 789-45-86

Forum
Profile

Back to news

Trojan for Linux takes screenshots

January 19, 2016

Malware for Linux becomes more and more diverse. Among them are spyware programs, ransomware, and Trojans designed to carry out DDoS attacks. Doctor Web security researchers examined yet another cybercriminals’ creation dubbed Linux.Ekoms.1. This Trojan can periodically take screenshots and download different files to a compromised machine.

Once launched, Linux.Ekoms.1 checks whether one of subfolders in the home directory contains files with specified names. If it fails to find any, it randomly chooses a subfolder to save its own copy there. Then, the Trojan is launched from new location. If successful, the malicious program establishes connection to the server whose addresses are hard-coded in its body. All information transmitted between the server and Linux.Ekoms.1 is encrypted.

Every 30 seconds the Trojan takes a screenshot and saves it to a temporal folder in the JPEG format. If the file is not saved, the Trojan tries to save it in the BMP format. The temporary folder is downloaded to the server in specified intervals.

One of system threads created by the Trojan generates a filtering list for the "aa*.aat", "dd*ddt", "kk*kkt", "ss*sst” files that are searched in the temporary location and uploads the files that match these criteria to the server. If the answer is the uninstall line, Linux.Ekoms.1 downloads the executable file from the server, saves it to the temporary folder and runs it. Moreover, the Trojan can download and save a number of other files.

Along with the ability of screenshot taking, the Trojan’s code contains a special feature to record sound and save it as the .aat file in the WAV format. However, in fact, this feature is not used anywhere. The entry for Linux.Ekoms.1 was added to the Dr.Web virus databases. Therefore, this malicious program poses no threat to our users.

More information about this Trojan

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040