Linux desktop Trojan 'Hand of Thief' steals in

Desktop Linux must be growing more popular. Someone's finally created what appears to be a semi-successful Linux Trojan.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

For years, Linux desktop users had it easy. Their Windows brothers and sisters had to deal with an unending stream of malware; but other than a handful of exploits aimed mostly at Linux servers, there were no real Linux Trojans or viruses. Oh well, all good things must come to an end.

Today's commercial malware, such as Hand of Thief, comes complete with its own logo and command & control interfaces. (Credit: EMC)

RSA, the Security Division of EMC, has reported that a "Russia-based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system: Hand of Thief."

This appears to be a variation on a very common theme in contemporary Windows malware: A banking Trojan.

Here the name of the game is to grab your personal login and password data with a "Form grabber" as you enter it into your bank or other online system. This information consists of your stolen credentials, the timestamp of when you visited a site, which Web sites you visited, and possibly your Web browser's cookies. Finally, all this is then passed on over the Internet to a command-and-control server. From there the crooks can get to work selling your information to people who will start running up your credit-card bills.

Hand of Thief also includes a mechanism to prevent users from accessing anti-virus sites. This seems to work by manipulating Internet Domain Name System (DNS) addresses within memory rather than doing something obvious such as changing records in your hosts file.

Its developer claims "it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora, and Debian. As for desktop environments, the malware supports 8 different environments, including Gnome and KDE." The attack specifically targets the common Web browsers Firefox and Google Chrome, as well as several others that are often found on Linux, such as Chromium, Aurora, and Iceweasel.

At this point, some Linux users may start pooh-poohing this as yet another case of virus FUD. It's not. Hand of Thief really is out there. I should know. Someone tried to give a case of it to me earlier today.

Fortunately, as Limor Kessem, one of RSA's top cyber Intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good ways of infecting Linux users. Instead, the cracker "suggested using email and social engineering as the infection vector."

Practically speaking that means you shouldn't be clicking on any strange URLs sent to you over social media or by e-mail. But, you already knew that? Right? Right!?

By the way, that wasn't a mistake when I said "sales agent." Like a lot of modern malware, Hand of Thief is designed by criminals for criminals. As Kessem wrote, "This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates." When it goes "commercial," its "price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release."

That, by the way, is about the price that similar Windows malware kits go for in today's black market. That makes Hand of Thief, considering its small potential number of targets, quite expensive.

While Linux is still inherently more secure than Windows, it, like any other operating system, is not perfectly secure. Now, more than ever, desktop Linux users need to practice basic security if they're to be safe on the ever more dangerous Internet.
