Hand of Thief … Linux trojan?

Hand of Thief … a Linux trojan ?

Oh dear, this is tiresome … here we go again with the “We’re all DOOMED” sensationalism …

See here:
https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/
and
http://www.theregister.co.uk/2013/08/08/linux_banking_trojan/
and
http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-steals-in-7000019175/

For those wondering about the potential risk … the “email and social engineering” attack vector (according to the “sales agent” for the trojan author) suggests that you have to install this software yourself (you would first need to mark it as executable, then run with administrator privileges) … so as always, only install software from your distro’s repositories and “trusted” sources, and you are 100% safe … remember, obviously Linux isn’t immune to any malicious code you willingly install yourself from outside the usual software supply channels (your default repositories).

Like all the other sensationally reported threats, it’s my guess it’s either FUD or it’ll get precisely nowhere as it has no real attack vector.

The title of those articles should have been … “someone writes malicious code for Linux (yawn), but no new way of getting it onto your system”

From what I can see, this is of no more consequence than a script kiddie posting a malicious bash script (rm blah blah) on their blog … and no more newsworthy :slight_smile:

Thanks for the info’.

On other non-Linux forums Windows plebs have tried to make out that Linux has problems … just to mask their own. :wink:

It sounds serious enough to me. Even if it’s not as serious a threat to a Linux system as they make it out to be, the perceived threat can do as much damage to the Linux community as the trojan itself.

I don’t understand why the authorities don’t track these people down and make an example of them.

Graeme

And you’d expect anything different ? … articles like those above are designed to bring them out of the woodwork.

I mean … with titles like “Early sign of Linux becoming less secure”

How the hell has this made Linux “less secure” … now if we dropped the repository system, THEN Linux would become “less secure”.

I’ve said it before … it’s NOT impossible to author malware/viruses for Linux, the problem would be getting it into the software supply chain, and that hasn’t changed.

There’s still little point in a Linux AV; anti-virus only works once a threat has been identified and it’s added to the AV definitions … currently the only attack vector would be a compromised software repository, and IF that happened it would be spotted pretty quickly and REMOVED, not just patched against.

Whilst a compromised repo is not beyond the realms of possibility, neither is the compromising of the Windows update system, so no matter how you cut it there are more attack vectors in the Windows software system … in any case it’s HIGHLY unlikely it would cause mass damage as any modified software’s keys wouldn’t match so would be rejected by your package manager … so they’d also need to crack the package signing procedure and/or key stores, AFAIK this has never happened.

IIRC there was a case of compromised software making it into some repo, but it was spotted because the keys didn’t match … and there was a case of someone’s key being cracked … but AFAIK, there’s not been a case of both in tandem that would or could have affected the security of pushed updates … and as I said, that attack vector equally applies to the Windows update system.

And the next person that says Linux only has “security through obscurity”, I’m going to track down and humanely put down, they have no right to be taking up space in this world … the malware/virus authors would make a MUCH bigger name for themselves if they managed to compromise Linux (the articles above prove this … nobody even bothers writing about Windows malware any more), and surely the world’s servers would be the biggest target, and they’re all Linux.

[EDIT]

It sounds serious enough to me. Even if it’s not as serious a threat to a Linux system as they make it out to be, the perceived threat can do as much damage to the Linux community as the trojan itself.

That’s the whole point of FUD … doesn’t have to be real, just create fear, uncertainty, and doubt … it’s the writers of articles like the ones linked above that should be tracked down, they haven’t questioned “HOW” it’s any more of a threat than a kid posting a malicious bash script on his blog, just jumped on the sensationalist bandwagon … remember, before posting the articles they had an unlimited amount of time to research its attack mechanism, but they “chose” not to, it wouldn’t have been an interesting story then would it ?
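As an added illustration of the package-integrity point made in the post above (example code, not from any poster here): a constructed mini-repository whose index lists the SHA256 of each package, like the Packages/Release files a real apt repo publishes. It shows that a swapped package fails the index check, but that an attacker who can rewrite the index as well passes it, which is exactly why the index itself has to be signed with a key the attacker does not hold. All file names, contents and function names are made up.

```shell
#!/usr/bin/env bash
# Constructed example: a tiny "repository" whose index records the SHA256
# digest of every package file. In a real apt repo the distro's GPG key
# signs the index; here we model only the hash chain beneath that signature.
set -u

make_repo() {            # $1 = working directory to create the repo in
  mkdir -p "$1"
  printf 'genuine hello package v1.0\n' > "$1/hello_1.0_amd64.deb"
  printf 'genuine tools package v2.1\n' > "$1/tools_2.1_amd64.deb"
  ( cd "$1" && sha256sum hello_1.0_amd64.deb tools_2.1_amd64.deb > Packages.sha256 )
}

verify_repo() {          # $1 = repo dir; exit 0 only if every listed digest matches
  ( cd "$1" && sha256sum -c Packages.sha256 >/dev/null 2>&1 )
}

tamper_package() {       # attacker swaps one package but cannot touch the index
  printf 'modified hello package\n' > "$1/hello_1.0_amd64.deb"
}

tamper_package_and_index() {  # attacker controls the mirror and rewrites both
  tamper_package "$1"
  ( cd "$1" && sha256sum hello_1.0_amd64.deb tools_2.1_amd64.deb > Packages.sha256 )
}

# Stand-alone walk-through of the three states
repo=$(mktemp -d)
make_repo "$repo"
verify_repo "$repo" && echo "clean repo: index check passes"
tamper_package "$repo"
verify_repo "$repo" || echo "swapped package: index check FAILS, package rejected"
tamper_package_and_index "$repo"
verify_repo "$repo" && echo "rewritten index: hash check passes; only a signature over the index catches this"
rm -rf "$repo"
```

The last case is the one the post is getting at: hashes alone only protect against a modified package, so the package manager's trust rests on the signature over the index and on the signing key staying private.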

Just a thought that entered my mind, but I wonder if it’s just a coincidence that this Hand of Thief trojan appears on the scene only a few short weeks after the official Ubuntu forums are compromised.

Coincidence … I can’t see how or why they’d be connected ?

Here’s the post-mortem of the Ubuntu forum hack:
http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/

Which seems to have (after gaining access to a moderator account) worked through privilege escalation through some kind of PHP exploit of a weakness in the vBulletin forum software.

Well, my thoughts were if the authors of the Hand of Thief trojan had a complete database of Linux users and their email addresses it might account for the high price they’re putting on their trojan.

What I’m trying to say is if you have a Windows trojan/virus you want to circulate you could target a million random email addresses knowing about 90% will hit the target, but if you have a Linux exploit you could only hope to hit maybe 3 or 4% on target (depending on what you believe Linux desktop usage is), but if they supplied a database (along with the trojan) of say a million Linux users and their email addresses they could achieve a comparable target percentage as Windows and therefore account for the comparable price tag.

Good point … so don’t answer unsolicited email … which I hope you don’t do in the first place, and certainly don’t install any software sent to you in an unsolicited email :wink:

I think -

a) most Linux users would be smart enough not to do that
and
b) they’re going to have to send it in a few different package formats

I still think it’s a coincidence … but I’ll be watching for any weird emails (as I always do).

They probably have no idea how Linux computers work and the package manager system, which I think is a superior method of downloading if you ask me!

What makes me laugh is that Window$ is ALWAYS being attacked by viruses and this guy seems to want to sign the death warrant of Linux at the sign of a new virus aimed at it, if that was the case then, Window$ would be long gone.

And as Linux is more secure in the fact of the repos, the chance of a virus actually spreading and infecting thousands if not millions of Linux PCs is very slim.