Rekoobe: Tux's new arch-enemy Trojan.

rekoobe is a malware newly discovered targeting systems based on Linux. His discovery came from the hand of the developers of the antivirus company Dr. Web. Rekoobe made its first appearance in October, and it took experts around two months to understand the behavior of this Trojan.

Initially, Rekoobe was developed to affect only Linux operating systems, under architectures SPARC, pbut it didn't take long to create a version that affected architectures Intel, both teams de 32-bit like machines of 64-bit, so now it also affects computers and as many other machines as servers that work with chips of this family.

Rekoobe uses a configuration file encrypted under algorithm XOR. Once the file is read, the Trojan establishes a connection with it. Command and Control (C&C) server ready to receive orders. This Trojan is quite simple, but the authors have gone to great lengths to make it difficult to detect. You can basically run only three commands: download or upload files, run commands locally, and transmit the output to the remote server. Once on the affected computer, he would dedicate himself to upload some of your files to the server, while downloading data from it to perform some actions on the affected computer. Therefore, cyber criminals are able to intervene to a small or large extent with the operation of the computer remotely.  os-wars Unfortunately, the story does not end here. Analysts also point out that this Trojan could affect other operating systems such as Android, Mac OSX y Windows.

Although many users consider Linux systems immune against malware, other threats have recently been discovered, such as Linux.Encoder.1 ransomware, which also targets computers under operating systems Linux.

The content of the article adheres to our principles of editorial ethics. To report an error click here.

21 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   Alexander TorMar said

    One question, what good is the root user in these cases? Isn't a virus supposed to be an executable file that runs without the user's concentration and on GNU / Linux systems it is practically impossible for this to go through the architecture as they are made - because of the famous Root and the long password? I don't really understand, hopefully someone will explain it to me

    1.    Alejandro said

      Indeed, the architecture of GNU / Linux makes it very difficult for this type of malware to penetrate, but you must remember that security is in the users not in the systems, understand that we are the weakest part and by mistake or ignorance we can open them way.
      Using GNU / Linux does not guarantee anything in terms of security. If what you are looking for is to be safe, you must inform yourself and be cautious, just like in the real world, believe me there is no software that can protect you, only your common sense and your good habits.

      1.    Alexander TorMar said

        Thank you very much for sharing your point of view and explanation ...

    2.    paco said

      Isn't a virus supposed to be an executable file that runs without the user's consent?


      and in GNU / Linux systems it is practically impossible for this to pass through the architecture as they are made

      In any system it is impossible for that to happen because software / virus magic would need to run itself.
      Sometimes one can use the existence of a certain type of vulnerability without patching and usable but it is not the norm.

    3.    GHPO said

      I recommend that you do not store sensitive information on your computer as it is at risk of being stolen by anyone from anywhere in the world and passwords are useless.

  2.   sli said

    Long live amd for once as these are not affected

    1.    Alejandro said

      Your comment is irrelevant, it speaks of processor architectures, not brands.

    2.    Gonzalo Martinez said

      Mention Intel architecture, that is, x86, the same one that AMD uses.

  3.   Nonamed said

    It is a bit ambiguous news, without concrete data

    what is vulnerable? what program?

    what version?

    there's a solution?

    From my point of view, half news is not news

    1.    To Linux User said

      I investigated about this Trojan (For my blog) and, as for what you ask ...

      It is not a vulnerability we are talking about, it is a Trojan which can enter your operating system in different ways, such as:

      If you give Rekoobe root permissions. Or if it is installed in the directory «home» (which already has root permissions) you will have this malicious program on your PC.

      The solution can be manual. Or through antivirus, which is difficult due to Rekoobe's sophisticated behavior to prevent most antivirus detecting them.

      Or it could be through DR's antivirus. Web (which I think is paid), who already added it to their malware database, so with them you will be protected ... but for this you have to pay them -_-


      1.    Nonamed said

        thanks for the info

        Moral: never install anything that is not in the official repositories of your distro

        : )


    2.    paco said

      The news is about a Trojan, nothing is talking about a vulnerability. They are different topics and they have nothing to do with it.

  4.   HO2Gi said
    Let's find this from ransomware. Also look everywhere and everyone copied and pasted the same Rekoobe article, that is, someone to tell you how virua infects you and how to solve it.

    1.    HO2Gi said

      God correct my spelling errors XD

  5.   userarch said

    What happens by not using OPEN SOURCE; If I see the program code, there is logic that explains how malware can be installed.

  6.   userarch said

    The previous comment did not come out….
    Today more than ever I prefer GNU / linux

    1.    Alexander TorMar said

      What was the previous one? I see two comments ...

  7.   leopoldo said

    The usual: do not leave root activated; don't install anything we can find (that's what the virtual machine is for); make a backup of our system (systemback for example) and above all above all: DO NOT FALL INTO THE DARK SIDE, DO NOT INSTALL WINDOWS.

  8.   arazal said

    As far as I know, a Trojan needs to trick you into entering your credentials and then being able to run and do what it is programmed to do. In that sense, Linux would not have any infection problem because EVERYTHING that wants to run needs the administrator password, which does not happen in windows. As far as I know, this type of news serves more to discredit Linux than to publicize something

    If every Trojan or virus will actually be published (the latter as far as I know is much worse since it does not need permission but rather runs and period) from Windows, would there be news every day, but in Windows it is normal that there is viruses (which as far as I know there is no linux, malware that executes itself) and Trojans are insignificant

    By the root user account which is essential for the administrative use of Linux
    Linux leads everyone with its repositories so you do not need in the vast majority of cases to leave the system to get all the software you need
    Linux is updated at a dizzying speed, the news of the 28 rollbacks is still jumping and that the grub has already been patched and that error does not exist

    I get sick

  9.   caco222 said


    You have to see that there is a good difference between Trojan and virus

    I read a good explanation about the myth of viruses in Linux a long time ago, here is the link

    although old, I think it has validity


  10.   Jorge Cruz said

    It is always suspicious that antivirus companies are the ones that discover certain Linux malware before users have found it. In short, they will be very efficient.