Linux “HoT” bank Trojan: Failed malware

What? Another Linux vulnerability? Nope. Other operating systems may be easy malware marks, but Linux continues to resist malware.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Initially it looked like the "Hand of Thief" (HoT) Trojan would be the first successful Linux Trojan. However, further investigation by RSA, the Security Division of EMC, reveals that the Hand of Thief is just another in a long line of so-called Linux malware that's more bark than bite.

Hand of Thief: Another failed Linux malware program. (Credit: RSA)

Indeed, the only people who will be hurt by this so-called Trojan are the cyber-criminals who paid $2,000 for this half-baked hack.

Yotam Gottesman, an RSA Senior Security Researcher, reported that the company obtained the HoT code builder and created HoT binaries. Gottesman reports that HoT has no real functionality. "Our research and analysis shows that, in reality, HoT’s grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan."

My own experiences with HoT demonstrated that while I smelled smoke, there was no fire. It is just a harmless exploit of a since-patched problem with the Chrome Web browser.

HoT's builder, the part that actually generates the malware, is a Windows program. In theory the builder would let a botmaster generate new variants of HoT. It produces 32-bit compiled ELF (Executable and Linking Format) programs; ELF is the standard Linux binary format.
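A defender triaging a suspicious file on a Linux host usually starts by asking the same question RSA's analysts did: what kind of binary is this? The following is an added example, not code from the article or from RSA, that reads the ELF identification bytes and the `e_type`/`e_machine` fields to report a file's class (32- or 64-bit), byte order, object type and target architecture. The two sample headers are constructed here for illustration and are not taken from any HoT sample; the field offsets and constant values are those of the ELF specification.

```python
import struct
import sys

# ELF e_ident layout (first 16 bytes of every ELF file)
ELF_MAGIC = b"\x7fELF"
EI_CLASS = 4      # 1 = ELF32, 2 = ELF64
EI_DATA = 5       # 1 = little-endian, 2 = big-endian
# e_type and e_machine are the two 16-bit fields that follow e_ident
E_TYPE_OFFSET = 16
E_MACHINE_OFFSET = 18
HEADER_MIN_LEN = 20

ELF_CLASS = {1: "ELF32", 2: "ELF64"}
ELF_DATA = {1: "little-endian", 2: "big-endian"}
ELF_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINE = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}


def describe_elf(data: bytes):
    """Return a dict describing the ELF header, or None if data is not ELF.

    Only the first 20 bytes are inspected, so a partial read is enough.
    """
    if len(data) < HEADER_MIN_LEN or data[:4] != ELF_MAGIC:
        return None
    elf_class = data[EI_CLASS]
    elf_data = data[EI_DATA]
    if elf_class not in ELF_CLASS or elf_data not in ELF_DATA:
        return None  # malformed identification bytes
    # e_type / e_machine are stored in the file's own byte order
    endian = "<" if elf_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, E_TYPE_OFFSET)
    return {
        "class": ELF_CLASS[elf_class],
        "data": ELF_DATA[elf_data],
        "type": ELF_TYPE.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINE.get(e_machine, f"unknown({e_machine})"),
    }


def is_32bit_elf(data: bytes) -> bool:
    """True when data is a 32-bit ELF file (any type), the form the article
    says the HoT builder emits. A 32-bit executable on a host that ships
    only 64-bit binaries is worth a closer look during triage."""
    info = describe_elf(data)
    return info is not None and info["class"] == "ELF32"


# Constructed sample headers (labelled as such; not real malware bytes).
# 32-bit, little-endian, ET_EXEC, EM_386: the shape the article describes.
SAMPLE_ELF32_HEADER = (
    ELF_MAGIC + bytes([1, 1, 1, 0, 0]) + bytes(7) + struct.pack("<HH", 2, 3)
)
# 64-bit, little-endian, ET_DYN, EM_X86_64: a typical modern Linux binary.
SAMPLE_ELF64_HEADER = (
    ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + bytes(7) + struct.pack("<HH", 3, 62)
)


def main(argv):
    # Usage: python elf_triage.py <file>   (or no argument to run the samples)
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read(HEADER_MIN_LEN)
        print(argv[1], describe_elf(data), "32-bit" if is_32bit_elf(data) else "")
        return
    for name, data in (("elf32 sample", SAMPLE_ELF32_HEADER),
                       ("elf64 sample", SAMPLE_ELF64_HEADER)):
        print(name, describe_elf(data))


if __name__ == "__main__":
    main(sys.argv)
```

The check only reads the header, so it is safe to run over a quarantined file without executing it, and it complements rather than replaces `file(1)` and `readelf -h`; its value is that the result is structured, so a triage script can flag, for instance, every ELF32 executable found in a user's home directory on a 64-bit-only fleet.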

Once installed, HoT would seek to grab information from Web forms and send the results to a botnet server. As malware, however, HoT fails in the most fundamental way possible: It requires a deliberate effort by the user to install it.

On some operating systems, such as Windows, it's relatively easy to infect a system without the user being aware that anything is happening. On others, such as Android, the user must agree to install a program. With Linux, you must go out of your way to install any program. HoT has no mechanism to make that any easier for a criminal cracker.

In fact, even if you do take the time and effort to infect a Linux PC with HoT, the program still doesn't work worth a damn. RSA found that HoT often crashed with Firefox on Fedora, grabbed useless data with Chrome on Fedora, and was blocked from running at all on Ubuntu Linux.

Therefore, RSA concluded, "HoT has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals. Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data."

As for that critical issue of infecting Linux systems, "HoT's developer claims that he is in the final stages of implementing a Web-injections mechanism, but since the Form grabber he designed is not functional on the browsers he claims to have tested, the injections are not very likely to work either."

I'll take that a step farther. The only people who have, or ever will have, trouble with HoT are the would-be crooks who bought this hopelessly maimed malware.
