Experts from Kaspersky Lab have reported the discovery of a "twin brother" of the Linux.Ekocms trojan, malware that had previously been found by Doctor Web. According to the new report, this malware now has a Windows version.
In general, the Windows version of this trojan works much like its Linux counterpart. There are, of course, differences in the code that reflect the differences between the operating systems, but they cannot be called significant. The principle of operation is the same in both.
There are two major differences between the Windows and Linux versions. First, the Windows version includes a keylogger function: all keystrokes are recorded and stored in a log file. The Linux version of the trojan also used to contain this component, but it was disabled in the samples detected by the experts. The second difference, which makes the Windows version even more dangerous, is that the Windows malware uses stolen Comodo certificates so that the system takes the trojan for a legitimate and secure application from a trusted source.
An update to the report, which appeared later, states that the company had found one more variant of this trojan, namely Backdoor.Win32.Mokes.imw. This sample has an audio recording function, which is also disabled in the Linux version.