Open Source

Hand of Thief malware could be dangerous (if you install it)

Jack Wallen takes a look at the Hand of Thief trojan and what it means for the Linux community.

Hand of Thief trojan

This past week marked one of the first times I've seen the media actually present a real "warning" to Linux users. That warning was about the new "Hand of Thief" trojan that targets Linux desktop systems to steal bank account information. What this trojan does is use a form grabber to steal login credentials of those using Internet banking. The trojan captures the URL, username, password, and timestamp of when you logged in. Once the information is captured, it's sent to a control server and then sold.

The Hand of Thief trojan is rumored to work on 15 different Linux distributions (including Ubuntu, Fedora, and Debian) and attacks all common web browsers. The stolen information is currently being sold in closed cybercrime communities for $2,000.00 (USD), and that price includes free updates.

What does this mean? First and foremost, it means that Linux has grown enough to garner the attention of such malware/virus writers. That's a rather backhanded compliment, at best, but it does mean that Linux desktop growth cannot be denied. However, there's a far more serious issue here — one of  application vetting. This applies to distributions that offer a single point of entry for application installation, such as Ubuntu Software Center, Synaptic, yum, apt-get... actually, just about any Linux distribution. The good news? Distributions like Ubuntu actually do review all packages that are submitted. So, if someone attempts to submit a package with the Hand of Thief trojan, ready to wreck havoc on unsuspecting users machines, they'll catch it and the submitted user will be reported.


There are plenty of instances out there (this is especially true of Ubuntu), where you can simply add a PPA to apt-get and install an application without benefiting from the vetting process. This means that anyone can roll up an appealing software application (complete with Hand of Thief), create a repository, and trick people into installing the trojan. The caveat is that most Linux users are far more savvy than to just install random packages.

Or are they?

The Linux community has finally reached a point where caution will have to be applied. Once upon a time, I would randomly add a repository, based on a need I had, and install it with little thought to the consequences of what could happen. That time has long since passed. Now, if a package isn't found in the official repositories (or a known, safe, repository), I will not install said package. There are exceptions, of course. If I need to install a package from source, and I know the source is safe, I'll install. Outside of that, no way.

I've been using Linux for a long, long time. I never thought I'd see the day when I had to actually  warn users of trojans such as Hand of Thief, but here we are. Of course, main distributions have the means to help protect you from such attacks (SELinux, repository/package signing, firewalls, etc), but that doesn't mean you can just blindly continue on as you always have. It's time to start being a bit more vigilant about how you use your Linux desktop. Here are some suggestions:

  • Do not install unsigned packages
  • Do not add unofficial repositories without investigating said repository
  • Keep your system up to date at all times
  • Keep all browser plugins up to date
  • If your distribution has SELinux, use it
  • Do not let others install software on your machines
  • Use solid passwords
  • If asked to enter root user (or sudo) password, always know why

The good news is that Hand of Thief must have the root (or sudo) password in order to install. If you don't enter the password, it can't add itself to your machine. That's the plus side... for now. It's only a matter of time, however, before someone figures out a way to get something as sinister as HoT onto your machine without you knowing it. I've said this before, and I'll say it again, any machine that's plugged into a network connection is vulnerable — Windows, Mac, and even Linux. 

That doesn't mean you need to unplug your machine and give up. At the moment, the only way HoT can get on a machine is either through social engineering or "SUT" (Stupid User Tricks). If you stick with your distribution's official repositories and keep your machine up to date, you should be okay. There's no need to panic, just use a bit of common sense and care.

As the Linux desktop continues to grow in popularity, so will the number of attempts to bring it down. Hand of Thief isn't the first trojan to attack Linux, and it won't be the last. But like all previous attempts at cracking through the Linux desktop security systems, unless the root/sudo password is given for installation, that trojan will have a tough time worming its way into your machine.


Jack Wallen is an award-winning writer for TechRepublic and He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website

Editor's Picks