Linux desktop Trojan 'Hand of Thief' steals in


Summary: Desktop Linux must be growing more popular. Someone's finally created what appears to be a semi-successful Linux Trojan.


For years, Linux desktop users had it easy.  Their Windows brothers and sisters had to deal with an unending stream of malware; but other than a handful of exploits aimed mostly at Linux servers, there were no real Linux Trojans or viruses. Oh well, all good things must come to an end.

Today's commercial malware, such as Hand of Thief, comes complete with its own logo and command & control interfaces. (Credit: EMC)

RSA, the Security Division of EMC, has reported that a "Russia-based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system: Hand of Thief."

This appears to be a variation on a very common theme in contemporary Windows malware: A banking Trojan.

Here the name of the game is to grab your login name and password with a "form grabber" as you type them into your bank's site or another online service. Because the grabber sits inside the browser, it reads the form fields before TLS encrypts them, so the padlock in the address bar is no protection. The haul consists of your stolen credentials, a timestamp of the visit, which Web sites you visited, and possibly your Web browser's cookies. All of this is then passed over the Internet to a command-and-control server, and from there the crooks can get to work selling your information to people who will start running up your credit-card bills.
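To make the "form grabber" concrete, here is an added Python model of the hooking point and of the record that results. It is not code from the article, from RSA, or from the malware: it only shows why a grabber that sits on the plaintext side of the browser's network stack sees every field regardless of HTTPS. The login request, the cookie, the field names in CREDENTIAL_KEYS and the fixed clock value are all constructed for the example.

```python
import time
import urllib.parse

# Field names treated as the prize. Assumption: typical login forms use names
# like these; a real grabber is usually fed a per-site list by its operator.
CREDENTIAL_KEYS = {"user", "username", "login", "email",
                   "pass", "password", "passwd", "pin", "otp"}


def parse_post(buf: bytes):
    """Parse one plaintext HTTP/1.1 request from the front of buf.

    Returns (method, path, headers, body, consumed) once the headers and
    Content-Length bytes of body are all present, otherwise None.
    """
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        return None                      # body still streaming in
    consumed = len(head) + len(sep) + length
    return method, path, headers, rest[:length], consumed


class FormGrabHook:
    """Models the hook a form grabber plants on the plaintext side of the
    browser's network stack. Everything the browser sends passes through
    on_send() before TLS, so HTTPS does nothing to hide the fields."""

    def __init__(self, clock=time.time):
        self.buf = b""
        self.records = []
        self.clock = clock

    def on_send(self, data: bytes) -> None:
        self.buf += data
        parsed = parse_post(self.buf)
        if parsed is None:
            return
        method, path, headers, body, consumed = parsed
        self.buf = self.buf[consumed:]   # keep any pipelined follow-on bytes
        if method != "POST":
            return
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            return
        fields = dict(urllib.parse.parse_qsl(body.decode("latin-1"),
                                             keep_blank_values=True))
        creds = {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_KEYS}
        if not creds:
            return
        # This is the record the article describes going to the C2 server.
        self.records.append({
            "timestamp": int(self.clock()),
            "url": "https://" + headers.get("host", "") + path,
            "cookies": headers.get("cookie", ""),
            "credentials": creds,
        })


def demo() -> list:
    """Feed a constructed login POST through the hook in two chunks, the way
    a browser's send loop might, and return the captured records."""
    body = b"username=alice&password=hunter2&remember=1"
    request = (b"POST /login HTTP/1.1\r\n"
               b"Host: bank.example\r\n"
               b"Cookie: session=abc123\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body)) + body
    hook = FormGrabHook(clock=lambda: 1375747200)   # constructed fixed time
    hook.on_send(request[:40])        # headers cut mid-way: nothing yet
    assert hook.records == []
    hook.on_send(request[40:])        # rest arrives: one record
    return hook.records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The point of the two-chunk demo() is that the grabber does not need the whole request in one write: it buffers until Content-Length is satisfied, then emits a record with exactly the four items the article lists (credentials, timestamp, site, cookies). Two-factor tokens typed into the same form land in the record too, which is why a form grabber beats "the site uses HTTPS" as a defence.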

Hand of Thief also includes a mechanism to stop users from reaching anti-virus sites. This seems to work by manipulating Domain Name System (DNS) lookups in memory rather than doing something obvious such as changing records in your hosts file, so a quick look at /etc/hosts will not show it.
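The check a practitioner would want here is to compare two views of the same name: what the system resolver returns (getaddrinfo, the path that a hosts-file entry or anything hooked into libc would influence) against what a public resolver returns when asked over a raw UDP socket with a hand-built query, plus a scan of the hosts file for pinned vendor names. The following is an added Python example, not code from the article, from RSA, or from the malware, and it does not detect Hand of Thief specifically; the article does not describe the in-memory mechanism in that detail. The resolver address 9.9.9.9 and the watched names are assumptions. One caveat: if the tampering lives only inside the browser process, a separate script like this one will not see it, so a disagreement between this script and what the browser reaches is itself the finding.

```python
import random
import socket
import struct


def build_a_query(name: str, txid: int) -> bytes:
    """RFC 1035 query: one question, type A, class IN, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _read_name(msg: bytes, off: int):
    """Decode a name, following compression pointers; returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            target = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off, hops = target, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_a_answers(msg: bytes, expected_txid: int) -> list:
    """Sorted A addresses from a reply; rejects a reply whose txid is not ours."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                                 # skip the question
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)

def resolve_direct(name: str, server: str = "9.9.9.9", timeout: float = 3.0) -> list:
    """Ask a public resolver over a raw UDP socket, bypassing libc's resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)

def resolve_system(name: str) -> list:
    """What getaddrinfo() says: hosts file, nsswitch, and anything hooked into libc."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def hosts_overrides(hosts_text: str, names) -> dict:
    """{name: address} for any watched name pinned in /etc/hosts-style text."""
    wanted = {n.lower() for n in names}
    hits = {}
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()
        for host in parts[1:]:
            if host.lower() in wanted:
                hits[host.lower()] = parts[0]
    return hits

def verdict(system_addrs: list, direct_addrs: list) -> str:
    """Compare both views of one name; "ok" or the reason it looks tampered with."""
    if not direct_addrs:
        return "ok" if not system_addrs else "direct lookup failed; cannot compare"
    if not system_addrs:
        return "system resolver returns nothing for a name the network resolves"
    bogus = sorted(a for a in system_addrs if a.startswith(("127.", "0.")))
    if bogus:
        return "system resolver points at unroutable address %s" % ",".join(bogus)
    if set(system_addrs).isdisjoint(direct_addrs):      # round-robin may overlap only partly
        return "no overlap between system %s and direct %s answers" % (system_addrs, direct_addrs)
    return "ok"

if __name__ == "__main__":
    # Assumption: placeholder names; substitute the vendor hosts you care about.
    watch = ["av-vendor.example", "updates.example"]
    with open("/etc/hosts") as fh:
        print("hosts file overrides:", hosts_overrides(fh.read(), watch))
    for name in watch:
        print(name, verdict(resolve_system(name), resolve_direct(name)))
```

Building the DNS packet by hand rather than calling gethostbyname is the whole point: the comparison is only meaningful if one of the two lookups does not go through the code path under suspicion. The transaction-id check and the compression-pointer hop limit keep a malformed or spoofed reply from being mistaken for a real answer.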

Its developer claims "it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora, and Debian. As for desktop environments, the malware supports 8 different environments, including Gnome and KDE." The attack specifically targets the common Web browsers Firefox and Google Chrome, as well as several others often found on Linux, such as Chromium, Aurora, and Iceweasel.

At this point, some Linux users may start pooh-poohing this as yet another case of virus FUD. It's not. Hand of Thief really is out there. I should know. Someone tried to give a case of it to me earlier today.

Fortunately, as Limor Kessem, one of RSA's top cyber intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good way of infecting Linux users on its own. Instead, the cracker "suggested using email and social engineering as the infection vector."

Practically speaking that means you shouldn't be clicking on any strange URLs sent to you over social media or by e-mail. But, you already knew that? Right? Right!?

By the way, that wasn't a mistake when I said "sales agent." Like a lot of modern malware, Hand of Thief is designed by criminals for criminals. As Kessem wrote, "This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates." When it goes "commercial," its "price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release."

That, by the way, is about the price that similar Windows malware kits go for in today's black market. That makes Hand of Thief, considering its small potential number of targets, quite expensive.

While Linux is still inherently more secure than Windows, it, like any other operating system, is not perfectly secure. Now, more than ever, desktop Linux users need to practice basic security if they're to be safe on the ever more dangerous Internet.

  • Linux desktop Trojan 'Hand of Thief' steals in

    I'll bet Loverock Davidson, toddbottom3 & Owlllllnet are standing in line so they can be first to buy a copy so they can try and stop the Linux growth here in the USA.
    Over and Out
    • I'm sure Loverock would pay double the price

      Considering what an MS fanboy he is and has always been, I think that only trolls are going to buy this to try to infect Linux users, lol. My Linux desktop here is a lot of fun to use, but I'm not careless with it, thinking that I cannot get infected, even if the chance of infection is low. But who really gets viruses? I haven't had any kind of virus infection on my main Windows desktop since 2005....
      • Jimster480....I've been running Linux since Mandrake 3 and have NEVER

        had anything infect my boxes. I've made a living cleaning my friends' Windows boxes; need I say more?
        Over and Out
        • I can make the same claim about Windows.

          Never had a malware infection since the Stoned Virus back in the DOS days.
          • Same here

            Never had a Windows virus or Trojan on any of my machines. Safe browsing and a layered safety approach keep my machines safe. Linux fandroids need to get over themselves.
          • I've never met a non-techie Windows user

            who hasn't complained of viruses.

            Sounds like Windows fans need to get over themselves.

            Also, how is that NSA backdoor in your Windows machine working for you?

            It's good to be Linux :-)
          • I'm not surprised.

            If the market share numbers were reversed you'd be saying the same thing about Linux. There is a lot of malware out there for Windows. And it's easy for an end user to succumb to it.

            Just this week I had to assist my GF's mother to remove some IE toolbars. She swears she is careful and didn't install them. Yet there they were. It was obvious she had installed some software which, as part of the install, added the toolbars. When I uninstalled the software, the toolbars were gone. Ironically, the software used a CAPTCHA to verify some automated tool (such as CCleaner) wasn't removing it. It is for this reason Microsoft went with the Windows Store.

            In the end there is NOTHING, ZERO, ZILCH, NADA in Linux that makes it more secure than Windows.
          • If you can't install on Linux, you just can't install.

            It doesn't matter if there's one user or 100 million users. It can't be done without authentication. The buck stops here, but not with Windows.

            As individuals, we're all pretty much geeks posting here. You can't apply your experience to common users. They couldn't care less about 99.999% of what you think about and do to police your computer.

            They want to post on Facebook, read their email, browse sports and drink beer.

            Don't expect common users to think about web browsing protocols to prevent infections or even know what the difference is between an Atom, Intel, 4th generation, 3rd generation, 3D tri-gate technology, or ARM based computer is.

            They probably never even heard of Linux either. They just pull out their wallet for geek squad or buy another computer when things get out of control, thereby enabling Microsoft.
          • Re: Joe Smentona, If you can't install on Linux, you just can't install

            Tee Hee Joe! Yeah, it never ceases to amaze me that Windows Lusers still don't know how to partition a hard drive even though it's a 40 year old IBM spec... that's right, a forty year old *SPECIFICATION*.

            Hang out on for a while and see how many "OMG, I just wiped out my parents Quick Books and everything else" pleas for help.

            Then the Windows Luser's dilemma really starts: not only is QuickBooks gone, but so are all of their automatically stored passwords, which they don't ever bother to keep track of. Speaking of which, the number one barrier to a Windows Luser using Linux? Having to log in with a password... that's too difficult for a rank-and-file Windows Luser.

            Then ensues the rest of the insanity. Eternally logged into every account they have because they're too lazy to remember a password. Banking, Google, FaceBook.... whatever.

            Oh well, it really doesn't matter anymore since Little Eddy Snowden gave all the Microsoft RSA keys to Russia and China. Now Outlook, Microsoft automatic updates and whatever else trusted content, including anti-virus updates and even Skype, are all compromised. Good luck!
            Armand Winter
          • NOTHING, ZERO, ZILCH, NADA in Linux that makes it more secure than Windows.

            Keep telling yourself that if it makes you feel better.
          • @guzz46, please refer to my reply to Joe.Sementona above ^^

            Prove it to me!
            Armand Winter
          • ye..NOTHING, ZERO, ZILCH, NADA in Linux that makes it more secure

            BS to your last statement, and you know it; and if you don't, you should have learned it by now.

            Sorry for what happened to your GF's mother.

            Except maybe the users shouldn't get suckered in by all the freebies offered to Windows users.

            So whose fault is that?

            Go tell the Windows world to clean up their act as much as Linux does in its world....

            End Of Story
            Over and Out
          • Au contraire

            Not true! Start with the rigorous separation of code and data in Linux, eliminating the threat of buffer overruns.
          • nope

            Bull. You don't know what you're talking about.
            System-level folders on Linux as well as any important information are stored in root folders which require your superuser password to modify. So unless you were a dolt enough to enter your superuser password (or use it the same as another password you use on the web) somewhere that isn't embedded into the OS (which would be EXTREMELY OBVIOUS) to spot, NOTHING can modify any system files. Unlike Windows, where keyloggers (for information stealing) work by temporary modifying services in order to pick up keystrokes and where viruses can modify system directories to cause harm to the system, Linux just wouldn't allow anything like that without you entering your su password, which would be a flashing warning for anything done outside the terminal.

            Same goes for OS X too by the way - you can't make any changes whatsoever to the core OS without password entry.

            Not to mention UNIX and UNIX-like OSes also just generally have more security from the way it's handled.
          • Windows keyloggers typically use the Windows API, not mods to services

            While you make many correct assertions, I have to correct you on how Windows keyboard loggers typically work. They actually use a mechanism provided by the Windows API to inject system-wide message hooks. These hooks are implemented by mapping the hook DLL into all applicable processes. This mechanism doesn't require modification of any system services, temporary or not. Sure, there are also other mechanisms, but that is the most common - by far.
          • ..and Windows can, of course, be configured to be secure system file

            And I must also say that, of course, a properly setup Windows box does secure all system files, requiring Administrative rights to modify them. Windows can be a secure OS. Unfortunately, many users run with administrative rights, even though 'Limited Users' generally work great on the Windows desktop these days. The inverse is true for Linux, some users do run as root, compromising the security. Both OSes are inherently secure, and couldn't even exist in any enterprise or government environment if they weren't.
          • How about that NSA back door into Google?

            You wonder why Google's been so quiet on this whole NSA thing; well, now it's obvious.

            Google not only uses your data internally, they built a backdoor for the NSA right into their servers.

            And you wonder why so many businesses refuse to use Google?
            William Farrel
          • LOL, sorry, but your argument is pretty silly.

            Don't you want NSA to do what it does? I'm just not understanding this whole thing, I mean it's common sense. Revelations about this are nothing new, didn't you expect it to be happening all along? Do you want to stop it?

            Why do you think they are closing the embassies now? Intelligence gathering is always going to be there. Sometimes you just have to trust the government to do the right thing.

            Why would you think any large computer company is immune from it?
          • Even Bing uses Google search as proven by previous articles.

            Microsoft, unfortunately, falls victim of the worst the world has to offer for financial intelligence gathering.

            Google runs on 100% Linux, and when it had issues, they were traced to employees storing data on a Windows notebook that fell victim to zero-day exploits and malicious emails. Google's response: prohibit employees from doing company work on Windows computers.

            I use everything I can from Google, had Gmail since 1995 and now have 100,983 saved emails using 44% of my "Free" capacity.

            I use Google DNS, which is far superior to anything else out there, Google Calendar, Google Earth, Picasa, Google Call, Google Voice, Images, etc.

            You gotta be really suffering if you don't use Google. I can locate a single shingle on my house in Google Earth, get the GPS coordinates and repeatedly revisit the same shingle by typing in the coordinates. Google Chromebooks are poised to trounce the last frontier of Microsoft, the average desktop, with Linux. I have yet to see someone using a Win8 tablet or an MS phone. Times, they are a changing.
          • Joe...really? gmail since 1995???

            Don't be such a cheerleader that emotion overrides rational thought.