a) antivirus works on known viruses
b) anti-trojan tools work on known trojans

Before anything is developed, we need to know what does and what. Running tasks are shown via "ps" command. TCP/IP is dumped via several tools, one being above mentioned tcpdump.

c) the nature of Linux architecture makes this quite an undertaking, as keyboard access isn't registered, like in Windows, in order to deny it. I don't think it's even protected. I don't pretend to be an expert, but if "cat" has access to it, anyone has. Also, it doesn't need to be a running process. Viruses and trojans that have their own process aren't worthy of the name. They're all nuissanceware.

d) all programs submitted to repos (AFAICT) are compiled server-side with open components. There is little need to grow an anti-something when code can simply be removed.

e) all we have now (no offense) is anecdotal evidence. When we see some code we'll have a better understanding of what happens and why. Once we see how that data is leaking, we'll have something to grep the sources for.