Linux

Hand of Thief malware could be dangerous (if you install it)

Jack Wallen takes a look at the Hand of Thief trojan and what it means for the Linux community.

Hand of Thief trojan

This past week marked one of the first times I've seen the media actually present a real "warning" to Linux users. That warning was about the new “Hand of Thief” trojan that targets Linux desktop systems to steal bank account information. What this trojan does is use a form grabber to steal login credentials of those using Internet banking. The trojan captures the URL, username, password, and timestamp of when you logged in. Once the information is captured, it's sent to a control server and then sold.

The Hand of Thief trojan is rumored to work on 15 different Linux distributions (including Ubuntu, Fedora, and Debian) and attacks all common web browsers. The stolen information is currently being sold in closed cybercrime communities for $2,000.00 (USD), and that price includes free updates.

What does this mean? First and foremost, it means that Linux has grown enough to garner the attention of such malware/virus writers. That's a rather backhanded compliment, at best, but it does mean that Linux desktop growth cannot be denied. However, there's a far more serious issue here -- one of application vetting. This applies to distributions that offer a single point of entry for application installation, such as Ubuntu Software Center, Synaptic, yum, apt-get... actually, just about any Linux distribution. The good news? Distributions like Ubuntu actually do review all packages that are submitted. So, if someone attempts to submit a package with the Hand of Thief trojan, ready to wreak havoc on unsuspecting users' machines, they'll catch it and the submitting user will be reported.

But...

There are plenty of instances out there (this is especially true of Ubuntu), where you can simply add a PPA to apt-get and install an application without benefiting from the vetting process. This means that anyone can roll up an appealing software application (complete with Hand of Thief), create a repository, and trick people into installing the trojan. The caveat is that most Linux users are far more savvy than to just install random packages.

Or are they?

The Linux community has finally reached a point where caution will have to be applied. Once upon a time, I would randomly add a repository, based on a need I had, and install it with little thought to the consequences of what could happen. That time has long since passed. Now, if a package isn't found in the official repositories (or a known, safe, repository), I will not install said package. There are exceptions, of course. If I need to install a package from source, and I know the source is safe, I'll install. Outside of that, no way.

I've been using Linux for a long, long time. I never thought I'd see the day when I had to actually warn users of trojans such as Hand of Thief, but here we are. Of course, main distributions have the means to help protect you from such attacks (SELinux, repository/package signing, firewalls, etc.), but that doesn't mean you can just blindly continue on as you always have. It's time to start being a bit more vigilant about how you use your Linux desktop. Here are some suggestions:

  • Do not install unsigned packages
  • Do not add unofficial repositories without investigating said repository
  • Keep your system up to date at all times
  • Keep all browser plugins up to date
  • If your distribution has SELinux, use it
  • Do not let others install software on your machines
  • Use solid passwords
  • If asked to enter root user (or sudo) password, always know why
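
As an added example (not from the article), here is a small POSIX shell audit that applies the first two suggestions above to an APT configuration: it lists every source entry that points at a host outside an assumed set of official mirrors (the OFFICIAL_HOSTS list is an assumption; adjust it for your distribution) and every entry that switches signature checking off. It runs against a constructed sample layout by default.

```shell
#!/bin/sh
# Added example (not from the article): audit APT source lists for
# third-party repositories (PPAs and other non-distribution hosts) and for
# entries that switch signature checking off. Runs against a constructed
# sample directory by default; set APT_DIR=/etc/apt to audit a real system.
set -eu

# Hosts treated as official here (assumption; extend for your distribution).
OFFICIAL_HOSTS='archive.ubuntu.com|security.ubuntu.com|deb.debian.org|security.debian.org'

# Print one line per finding:
#   UNSIGNED    entry carries [trusted=yes] or "Trusted: yes" (apt skips signature checks)
#   THIRD_PARTY entry points at a host outside OFFICIAL_HOSTS (for example a PPA)
audit_apt_sources() {
    find "$1" -type f \( -name '*.list' -o -name '*.sources' \) |
    while read -r f; do
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' |
        while read -r line; do
            case "$line" in
                *trusted=yes*|Trusted:*yes*) echo "UNSIGNED $f: $line" ;;
            esac
            host=$(printf '%s\n' "$line" | grep -oE 'https?://[^/ ]+' | head -n1 | sed -E 's#https?://##')
            if [ -n "$host" ] && ! printf '%s\n' "$host" | grep -qE "^($OFFICIAL_HOSTS)\$"; then
                echo "THIRD_PARTY $f: $line"
            fi
        done
    done
}

# Constructed sample /etc/apt layout: two official mirrors, one PPA and one
# repository that disables signature verification.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/sources.list.d"
    cat > "$d/sources.list" <<'EOF'
# official mirrors
deb http://archive.ubuntu.com/ubuntu precise main restricted
deb http://security.ubuntu.com/ubuntu precise-security main
EOF
    cat > "$d/sources.list.d/someapp-ppa.list" <<'EOF'
deb http://ppa.launchpad.net/someone/someapp/ubuntu precise main
EOF
    cat > "$d/sources.list.d/local-mirror.list" <<'EOF'
deb [trusted=yes] http://mirror.example.invalid/repo ./
EOF
    echo "$d"
}

audit_apt_sources "${APT_DIR:-$(make_sample_dir)}"
```

A finding is a prompt to investigate the repository and its signing key, not proof that the packages are malicious.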

The good news is that Hand of Thief must have the root (or sudo) password in order to install. If you don't enter the password, it can't add itself to your machine. That's the plus side... for now. It's only a matter of time, however, before someone figures out a way to get something as sinister as HoT onto your machine without you knowing it. I've said this before, and I'll say it again: any machine that's plugged into a network connection is vulnerable -- Windows, Mac, and even Linux.

That doesn't mean you need to unplug your machine and give up. At the moment, the only way HoT can get on a machine is either through social engineering or “SUT” (Stupid User Tricks). If you stick with your distribution's official repositories and keep your machine up to date, you should be okay. There's no need to panic, just use a bit of common sense and care.

As the Linux desktop continues to grow in popularity, so will the number of attempts to bring it down. Hand of Thief isn't the first trojan to attack Linux, and it won't be the last. But like all previous attempts at cracking through the Linux desktop security systems, unless the root/sudo password is given for installation, that trojan will have a tough time worming its way into your machine.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

10 comments
hnd-ucb

I made a small proof-of-concept root-kit for the Linux OS. The kit presents a hack wherein it uses the System.map file to bypass the write protection the OS enforces on the system call table.

the article can be referred to here: http://compsmusicandstuffs.wordpress.com/2011/06/22/bypassing-the-linux-kernel-coding-your-very-own-root-kit/

The bad thing is, even I had a rough time trying to make it work without user authentication. The Linux architecture makes it mandatory that a user authenticates before they try to load a specific kernel module.

For now, I guess Linux systems are still secure given that the user is aware about authentication while loading kernel modules and all of the general precautions that this article mentioned above.
realvarezm

And while the years of your existence extend inexorably to the eternity he will die and you will only have your sorrow to remember and your existence will fade forever in the long night of history. That is how I feel about this news. LOL

russoisraeli

I'd add to that - if you download a package source, download it from an official site that you trust, and use the package signature file to verify that it hasn't been tampered with.

I have to admit that I've been too lazy to do this before, but I think it's time to become wiser.


pgit

Saying "use SELinux" is more than a mouthful. Akin to saying "if you need to pick up a few moon rocks build an Apollo program." ...well, maybe not that much effort, but you get the idea. 

MarcIndy2000

Hi Jack, great article. Can you tell us if the rkhunter or chkrootkit detectors find and remove this trojan?
Thanks

Marc

Jeffrey O. Brady

I read about this last week, and actually, the exploit requires a gullible user to actively open or click on something for it to gain access to their system. Similar to the exploits that are often sent as links in e-mails. So this is not quite the same as those exploits that attack vulnerabilities inherent in other OSes.

Shawn Quinn

It has begun. I have believed for a long time that more malware would start showing up on Linux and Apple platforms as their popularity increased. So now they will need to spend 20 years adapting as Microsoft has done.

sonicsteve

@MarcIndy2000

Definitely plus one on this request. I haven't added any repositories for a while now, but I would like to know how to check for its installation. What files does it install, in what directory, etc.?