14 DAY TRIAL // The Linux trojan that spied on users by taking screenshots of their desktop now has a Windows variant, as Kaspersky's security team has found out.
The trojan, first discovered by Dr.Web and named Linux.Ekocms, and later also identified by Sophos as Linux/Mokes-A, and then by Kaspersky as Backdoor.Linux.Mokes.a, has caused some stir in the Linux community because it was one of the first spyware threats detected in the wild on the platform.
However, things weren't as bad as initially thought. Mokes (we'll use this name to describe the trojan) only had the screenshooting ability enabled in the version that Dr.Web discovered.
The keylogger and the audio recording features were dormant, and Kaspersky's analysis released today confirms this.
The bad part is that the Kaspersky researchers also discovered a Windows variant of this trojan, which did have the keylogger component enabled.
The Windows version is similar to the Linux variant but more powerful
Under the hood, the trojan worked very much the same way its Linux counterpart did. It used a list of predefined folders where it would install itself, sent small heartbeat requests to its C&C server every minute, and stored recorded data locally, which it would later upload online when the C&C server requested it.
There were some modifications to the trojan's makeup, because of differences between the Linux and Windows platforms, but they were insignificant.
Besides the extra keylogging feature that made the Mokes Windows variant stand out, there was another thing, the presence of a stolen digital certificate issued by Comodo.
Mokes was using this certificate to fool the Windows OS into thinking it was a legitimate application from a known software source.
Additionally, the trojan was also coded in C++ and Qt, a cross-platform application framework that supports all three major operating systems. Theoretically, this would mean that a Mac OS X version is also feasible.
UPDATE [September 7, 2016]: Kaspersky detected a Mac version of Mokes.