[conspire] New Trojan Spies on Linux Users by Taking Screenshots and Recording Audio

Rick Moen rick at linuxmafia.com
Thu Jan 21 00:53:19 PST 2016


tl;dr:  It's more of the usual bullshit from an antivirus firm.


Quoting Dire Red (deirdre at deirdre.net):

> Margaret Wendell asked me to pass this along.
> 
> http://news.softpedia.com/news/new-trojan-spies-on-linux-users-by-taking-screenshots-and-recording-audio-499113.shtml

My thanks to you and Margaret.

Off-the-cuff analysis:

1.  Article reads like (as usual) a copy-and-paste notice from an
antivirus firm, in this case Dr.Web.  I say this with no intent to beat
up on reporter Catalin Cimpanu for reprinting what is (effectively) a
Dr.Web press release: Reporters are heavily dependent on whatever
sources they can get.

Point is, though, that this is another in decades' worth of
self-promoting news stories from antiviral firms.  And:


2.  Like pretty much all such stories from antiviral firms, the story
says absolutely nothing about the only _interesting_ datum:  How does
Linux.Ekocms.1 (described as a trojan) get run?  Story does not say.

To give credit where due, reporter Cimpanu does say on the final line
that Dr.Web didn't provide that information.  ('Dr.Web malware
specialists have not disclosed how this malware infects Linux
computers.')

Trojans (and worms) are _post-compromise_ codebases.  By definition,
they don't 'infect' anything.  They are not attack code.  They are
something the attacker (or automated scripts acting for attackers)
implement _after_ gaining access to a system through _other_ means.

In that sense (they don't attack, they don't 'infect'), trojans and
worms are not malware -- if by 'malware' you mean something that
compromises the security of your system.

I do my best to classify these 'ringers' in my bestiary at
http://linuxmafia.com/~rick/faq/#virus5 (though I cannot always keep up
with the largely meaningless flow of names issued by the antiviral
companies) -- in my section of that page with this subheader:

  IV. The Ringers. Post-Compromise Rootkits (Trojan, Worm) and Attack
  Tools (not malware at all):


Cimpanu's story has this as its second paragraph:

  Discovered four days ago, Linux.Ekocms is only the latest threat
  targeting Linux PCs, after the Linux.Encoder ransomware family and the
  Linux XOR DDoS malware had caused a large number of issues last autumn
  and put a dent in Linux's status as impermeable when it comes to malware
  infections.

I already had 'Linux.Encoder.1' and 'XOR' in the very long alphabetical
list of 'the ringers' -- and have just now added Linux.Ekocms.1 to it.

I should also quote what I wrote just after the long ringers list:

  Every one of those is some sort of post-attack tool; all are
  erroneously claimed on sundry anti-virus companies' sites (and
  consequently in various news articles) to be "Linux viruses". Some are
  actually "rootkits", which are kits of software to hide the intruder's
  presence from the system's owner and install "backdoor" re-entry
  mechanisms, after the intruder's broken in through other means entirely.
  Some are "worms"/"trojans" of the sort that get launched locally on the
  invaded system, by the intruder, to probe it and remote systems for
  further vulnerabilities. Some are outright attack tools of the "DDoS"
  (distributed denial of service) variety, which overwhelm a remote target
  with garbage network traffic from all directions, to render it
  temporarily non-functional or incommunicado.

  The news reporters and anti-virus companies in question should be
  ashamed of themselves: None of the above, in itself, can break into any
  remote Linux system. All must be imported manually and installed by an
  intruder who has cracked your system by other means.


As per above, the existence of a trojan called 'Linux.Ekocms.1' that
does blah-blah unpleasant things involving screengrabs and captured
audio after you run it says nothing whatsoever about Linux or any other
operating system being 'impermeable when it comes to malware
infections'.

The story is 98% meaningless babble (including all the stuff about
things the trojan is said to do).  It doesn't matter.  What matters is
just not running code you shouldn't -- and the story is utterly useless
for that.

Again, not reporter Cimpanu's fault:  The idiocy was doubtless present
in the original Dr.Web text he or she reused to create this story.



3.  As always, the background intention of these stories is to focus
attention away from the one _actually interesting_ detail (how if at all
does this code get executed).  And that is because Dr.Web wants you to 
pay for Dr.Web's 'antivirus solution'.


If you wish to not have security problems, the way to achieve that is to
pay attention to the basics of security -- not pay for 'antivirus
solutions'.


A quick search of Softpedia News items suggests that they are a rather
abysmal place for security information, e.g., I found about a dozen
stories, many by reporter Cimpanu (but some by others), seriously
claiming that items in my ringers lists are Linux security failures.




