One more Trojan for Linux


A new threat is added for linux users. The appearance of new malware for this operating system seems to be becoming more and more frequent in recent times. Now it is the turn of a new Trojan, whose detection, although recent, is already beginning to talk about how it could affect all Linux users.

The new threat is named after Linux.Ekocms.1, and was discovered a week ago once again by the Russian antivirus company Dr. Web, who had already detected some previous Trojans such as Rekoobe.

Dr. Web, on its portal, has published the discovery of the company, who have defined this malware as a family trojan spyware, capable of taking screenshots and downloading different files that could compromise the security of your computer and of course, the privacy of the user.


The Trojan is designed to take screenshots every 30 seconds, and they are stored in a temporary directory on the computer, in the format JPEG o BMP, with a name that contains the date and time of when the image was taken under the model ss% d-% s.sst, where he %s it is a time stamp. If there is an error saving the file, the Trojan will use the image format BMP.

Once launched, the Trojan analyzes the following two files

  • $ HOME / $ DATA / .mozilla / firefox / profiled
  • $ HOME / $ DATA / .dropbox / DropboxCache

If these files are not found, the Trojan is able to create its own copy named after one of these two previous files to go unnoticed within the system. Once the connection between Linux.Ekocms.1 and the server is established, Through a proxy whose address is encrypted within it, the transfer of encrypted information to the DC. 

Finally, Linux.Ekocms.1 generates a filter list for files aa * .aat, dd * .ddt, kk * .kkt, ss * .sst within the directory and upload the files to the server that match this criteria. In addition to the ability to take screenshots, the Trojan has the ability to record audio and save it with the name of aa-% d-% s.aa with the format WAV. However, Dr. Web has not detected the use of this function yet. So far no information has been known about the files "dd * .ddt", "kk * .kkt" and what data they could contain both.

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

12 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Lies said

    As false as the previous ones, antivirus companies determined that you need to buy their products are not going to say that there is no danger ... the crutch seller, before any injury, recommended amputating ....
    Do not trust these stories.

  2.   Chalo Canaria said

    Do you think it will be necessary to use an antivirus for Linux in the near future? Seeing all the threats that are emerging, I start to see it relevant

    1.    r0dr1g0 said


      I really don't think that an antivirus program is necessary in GNU / Linux, since we have the advantage that everything is a file and in order to run it needs us to voluntarily give it execution permissions. And, normally, the programs that we install in our GNU / Linux distribution are obtained from official repositories of the same distributions. Therefore, it is more difficult, but not impossible: for malicious software to run on our computer. There is also the factor of which web pages we visit, although with a little common sense, we would be covered.

      Greetings free.

      1.    Santiago said

        I think like you my friend, common sense is the most effective antivirus that exists in any operating system and in GNU / linux the permission levels help prevent any intrusion.

  3.   Gonzalo Martinez said

    I don't think there should be antivirus for linux, for the simple fact that vulnerabilities are patched almost instantly.

  4.   Iñigo Panera said

    The description of what the Trojan does is very good, but it is also very interesting that they explain what methods attackers use to distribute it and trick you into installing it.
    If you use official repositories and trusted software, I don't think you are exposed to this threat.

  5.   fernando said

    and the infection method ???
    antivirus is a job for linux and for any OS
    the best antivirus is to be aware

  6.   userarch said

    GNU / Linux and windows whatever; They are software created by human beings (virtues and / or vice, evil, vileness), of this the remarkable thing; is that GNU / linux is Open Source, it brings its source code with it; If we can interpret that code, we know what those programs or scripts do in our orenadores or other electronic equipment; if we interpret that one of those programs or scripts carry out harmful processes on our machine, underhanded or not; We delete it and analyze how it was installed and prevent it from being installed again.
    You can use the following sites to find out about those file extensions at:

  7.   userSUSE said

    The big question, how does this Trojan infect the host?
    The note is about the activities of the Trojan once it infected the host. Good but how the host was infected with this Trojan, that does not explain. If I install all my programs from official repo or from trusted sites, where does the Trojan enter?
    It would be necessary to be more serious with this type of info.


  8.   Peg Asus said

    This post is very doubtful, it does not say the method of infection, the only thing that can affect a Trojan is to put "fear" so that we install an antivirus ...

    Stop putting in these unverifiable "stories".

  9.   hifuny said

    Very good publicity is being done dr. web antivirus, it is one of the few antivirus software that is available in GNU linux, for me they are well capable of designing the structure of a virus and distributing it, why is it that it doesn't sound good at all?

  10.   Kevin Ramos said

    I mean, if it's Dr.Web advertising, do they create the virus? so that they buy the antivirus? that is if there are viruses for Linux!