Linux Trojan captures audio and takes screenshots

opinion
Jan 20, 2016

Also in today's open source roundup: MAC address scrambling is coming to Linux. And Wine 1.8 has been released.

Linux Trojan captures audio and takes screenshots

Security is something that is always on the minds of users these days, and that includes those who use Linux. TechWeek Europe has a disturbing article about a Linux trojan that captures audio and takes screenshots.

It remains to be seen how widespread this Trojan is among Linux users and what the exact attack vector is for it.

Steve McCaskill reports for TechWeek Europe:

Security researchers have found a new Linux Trojan capable of taking screenshots of infected systems and even recording sound.

Russian anti-virus firm Dr Web says that once the Linux.Ekoms.1 malware is launched it checks for two specific files – one related to Dropbox and another related to Firefox. If it finds neither of the files, it makes a copy of itself and launches from a new directory.

“If the launch is successful, Linux.Ekoms.1 connects to the server whose addresses are hard-coded in its body,” said the company. “All information transmitted between the server and Linux.Ekoms.1 is encrypted. The encryption is initially performed using the public key; and the decryption is executed by implementing the RSA_public_decrypt function to the received data.

“Every 30 seconds the service takes a screenshot and saves it to a temporal folder in the JPEG format with a name in the ss%d-%s.sst format, where %s is a timestamp. If the file is not saved, the Trojan tries to save it in the BMP format.”

More at TechWeek Europe
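The one concrete artifact the report gives is the screenshot file: a JPEG (or, as fallback, a BMP) written to a temporary folder under a name of the form ss%d-%s.sst. The scanner below is an added example for checking a directory for that artifact; it is not code from Dr Web, TechWeek Europe or the malware. It assumes %d is a number and treats the timestamp in %s as any run of characters, since the report does not give its format, and it requires both the naming pattern and real image magic bytes so that ordinary .sst files and ordinary pictures are not flagged. The sample directory it builds is constructed data.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern reported for the saved screenshots: ss%d-%s.sst, where %d is a
# number and %s is a timestamp. The report does not give the timestamp format,
# so any run of characters without a path separator is accepted (assumption).
SCREENSHOT_NAME = re.compile(r"^ss\d+-[^/\\]+\.sst$")

# Leading bytes of the two image formats the report names: JPEG first, BMP as fallback.
JPEG_MAGIC = b"\xff\xd8\xff"
BMP_MAGIC = b"BM"


def image_kind(path):
    """Return 'jpeg', 'bmp' or None from the file's first bytes (content, not extension)."""
    with open(path, "rb") as fh:
        head = fh.read(3)
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    if head.startswith(BMP_MAGIC):
        return "bmp"
    return None


def find_suspicious_screenshots(directory):
    """Walk `directory` and return sorted (relative path, kind) pairs for files that
    both follow the ss%d-%s.sst naming pattern and actually contain a JPEG or BMP.
    Requiring both signals keeps legitimate .sst files and ordinary images out."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not SCREENSHOT_NAME.match(name):
                continue
            path = os.path.join(root, name)
            kind = image_kind(path)
            if kind is not None:
                hits.append((os.path.relpath(path, directory), kind))
    return sorted(hits)


def build_sample_dir():
    """Constructed sample data (not real malware output): two image files carrying
    the reported name pattern, a harmless text .sst file and an ordinary JPEG."""
    base = tempfile.mkdtemp(prefix="sst-scan-demo-")
    Path(base, "ss1-20160120T101500.sst").write_bytes(JPEG_MAGIC + b"\x00" * 16)
    Path(base, "ss2-20160120T101530.sst").write_bytes(BMP_MAGIC + b"\x00" * 16)
    Path(base, "ss3-notes.sst").write_bytes(b"plain text, not an image")
    Path(base, "holiday.jpg").write_bytes(JPEG_MAGIC + b"\x00" * 16)
    return base


if __name__ == "__main__":
    # Real use: point find_suspicious_screenshots at the system temp directories,
    # e.g. /tmp and /var/tmp, instead of the constructed sample.
    sample = build_sample_dir()
    for rel, kind in find_suspicious_screenshots(sample):
        print(f"{kind.upper()} data behind a .sst name: {os.path.join(sample, rel)}")
```

Only the two files that match the name pattern and carry image data are reported; the text file with an .sst name and the normally named JPEG are left alone. Since the report says a new screenshot is written every 30 seconds, a temp directory that keeps accumulating such files is the stronger signal than any single one.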

Linux redditors reacted to news of the trojan in a long thread and wondered how to avoid it:

Markhole: “As usual, attack vector isn’t mentioned.”

Phoenix591: “… they are calling it a trojan, which generally implies it usually has to trick its victims into running it, though it could of course be pulled in and ran through another vulnerability.”

Billowingpillow: “This might be a stupid question, but is it becoming a stupid idea to use a Linux distro without anti virus?”

Fishmonger9000: “Always use a package manager if you can.”

Alex: “Is there much risk of malware from that? How easy is it to add a package or social engineer a backdoor into one?

Kiddies tend to be pretty easy to social engineer and so if some high school kid makes a package it wouldn’t be too hard for someone to make a “contribution” to it that contains a backdoor.”

BirdDogWolf: “It depends on the repo. I trust Debian pretty thoroughly as there is a lot of work into packaging all of the repo. Something like Arch’s AUR, though… You’re definitely going to be best off combing through everything yourself.”

IMBJR: “The biggest risk is if the source is someone’s own git repo or includes patches “to get it to work”. Stuff that comes from commonly used repos, e.g. libcurl, are only likely to contain malware if the owner’s security habits are shabby.”

Twyllodrus: “Depending on what you use, there might still be some risk. E.g. an attacker could use DNS poisoning to have users install mangled packages from a server that is not a legitimate mirror. Package signing can help with that. However, this kind of attack is quite difficult to mount and tends to be spotted relatively quickly.”

Ventomareiro: “It usually takes quite a long time to add a new package. Updates to existing packages are not tested thoroughly, so many bugs/vulnerabilities make it through. Distros usually have stable releases so they can iron those out, but still some severe vulnerabilities can stay undetected for years or even decades. Other times, the distros themselves can introduce new vulnerabilities when patching the software before packaging it. For a long time packages in Debian were compiled by the developers and then uploaded directly to the repositories, so that could also have been a possible attack vector.”

TRL5: “If you are downloading a .dpkg (or equivalent) from a random website, that’s just a package format that anyone can make. They are not meaningfully signed (by design), and can be just random things thrown together by random people.”

More at Reddit

Linux will get MAC address scrambling

MAC address scrambling is one way to make mobile devices harder to track by the hardware address they broadcast while looking for Wi-Fi networks, and it’s on the way for Linux users according to a report on the Naked Security blog.

Lisa Vaas reports for Naked Security:

Apple’s iOS had it since version 8. Windows 10 has it. And pretty soon, many Linux users will be able to get it, too. It’s the ability to scramble the hardware media access control (MAC) address that each mobile device uses when setting up Wi-Fi connections.

Those MAC addresses allow mobile users to be tracked by all sorts of busybodies (and curious researchers!), be they spies, crooks, advertisers, retailers, trash bins rigged to track passersby, cops tracking stolen devices, Sophos researchers warbiking through London, felines warprowling (with bonus mouse catching!), or Sexy Cyborg out warstrolling (with high heels packing Wi-Fi hacking tools, no less!).

And it looks like the IEEE-recommended randomization of MAC addresses is going to come to the Fedora distribution of Linux. Fedora contributor and NetworkManager developer Lubomir Rintel writes on his blog that the problem is that our laptops and mobile phones’ MAC addresses are, in most cases, broadcasting wherever we go, before we even attempt a connection to a wireless network.

More at Naked Security
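The article calls this the IEEE-recommended randomization without saying what makes a random address well-formed. In the IEEE 802 address format the two low bits of the first octet are flags: bit 0 marks a multicast (group) address and bit 1 marks a locally administered address, one that was not assigned from a vendor's OUI. A properly randomized address therefore has bit 1 set and bit 0 clear, which is also how you can tell from the address an interface is currently using whether randomization is in effect. The following is an added example, not code from NetworkManager, Fedora or the Naked Security post; the sample addresses are constructed.

```python
import secrets

# IEEE 802 48-bit address format: the two least significant bits of the first
# octet are flags, not part of the vendor identifier.
MULTICAST_BIT = 0x01     # bit 0: individual (0) or group/multicast (1)
LOCAL_ADMIN_BIT = 0x02   # bit 1: globally unique vendor OUI (0) or locally administered (1)


def parse_mac(text):
    """Parse 'xx:xx:xx:xx:xx:xx' (or with '-' separators) into six octets; reject anything else."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(octets):
    return ":".join(f"{b:02x}" for b in octets)


def random_mac():
    """A random unicast, locally administered address: the flag bits are forced so the
    result never lands in the multicast space or impersonates a vendor OUI."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | LOCAL_ADMIN_BIT) & ~MULTICAST_BIT & 0xFF
    return format_mac(octets)


def classify(text):
    """Say what the first-octet flags tell us about an address."""
    first = parse_mac(text)[0]
    if first & MULTICAST_BIT:
        return "multicast"
    if first & LOCAL_ADMIN_BIT:
        return "locally administered"
    return "globally unique"


def is_randomized_candidate(text):
    """True when an interface address could be a randomized one: unicast and locally
    administered. A vendor-assigned (globally unique) address is the stable, trackable case."""
    return classify(text) == "locally administered"


# Constructed sample addresses (not captured from any real device).
SAMPLES = {
    "00:11:22:33:44:55": "globally unique",       # burned-in style, vendor OUI
    "02:11:22:33:44:55": "locally administered",  # same bytes, U/L bit set
    "01:00:5e:00:00:fb": "multicast",             # group bit set
}

if __name__ == "__main__":
    for mac, expected in SAMPLES.items():
        print(f"{mac}  {classify(mac):22} (expected {expected})")
    print("fresh random address:", random_mac())
```

Running `classify` over the address shown for your wireless interface is a quick check: a vendor-assigned address means the stable, trackable case the article describes, while a locally administered one is consistent with randomization (or with an address set by hand).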

Wine 1.8 released

Wine has long been a useful tool for Linux users who want to run Windows programs. And now version 1.8 has been released, according to a report from Linux Journal. This version of Wine offers better support for the Windows API, among various other changes and improvements.

James Darvell reports for Linux Journal:

The Wine team members released version 1.8 of their project this week. The project has been in constant development since 1993 and reached version 1 only in 2008, so new releases are major events.

This release is good news for anyone struggling to get a Windows app to run on Linux (or OS X or BSD, etc.). Wine is a Windows compatibility suite that runs Windows programs on POSIX-compliant systems.

Wine version 1.8 supports more of the Windows API, meaning better support for apps that were unstable under previous versions. Although there’s still a long way to go for full API support, it’s a huge step in the right direction.

Wine 1.8 will be making its way into the official repos of your favorite Linux distro soon if it’s not there already. But for some users, “soon” isn’t fast enough. You can get your hands on Wine today via https://www.winehq.org/download.

More at Linux Journal

Did you miss a roundup? Check the Eye On Open home page to get caught up with the latest news about open source and Linux.


Jim Lynch is a technology analyst and online community manager.

Jim has written for many leading industry publications over the years, including ITworld, InfoWorld, CIO, PCMag, ExtremeTech, and numerous others.

Before becoming a writer, Jim started his career as an online community manager. He managed Ziff Davis’ forums on CompuServe and the web including the PCMag and ExtremeTech forums. He’s also done community management gigs with the Family Education Network, Popular Mechanics and MSN Games. Jim still has a passion for well-moderated discussion forums that offer helpful information without a lot of flames, rudeness and noise.

You can visit Jim’s personal blog, view his LinkedIn profile, or send him an email to share your thoughts.

The opinions expressed in this blog are those of Jim Lynch and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
