Feeds

'Hand of Thief' banking Trojan reaches for Linux – for only $2K

'Early sign of Linux becoming less secure,' says infosec bod

Providing a secure and efficient Helpdesk

Cybercrooks have created a banking Trojan that targets Linux users, which is been touted for sale on underground cybercrime forums for just $2,000 a pop.

The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for HTTP and HTTPS sessions running on a variety of browsers as well as routines to block access to security updates or access to the websites of anti-virus vendors.

The malicious code also incorporates virtual machine detection designed to make it more difficult for security researchers to unpick its secrets.

Limor Kessem, a security researcher at RSA, reports that the Linux banking Trojan tool is on sale in underground cybercrime forums for $2,000, an introductory offer price that is likely to rise to $3,000 as new features are added.

"The current functionality includes form-grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future," Kessem writes. "At that point, the price is expected to rise to $3,000 (€2,250 EUR), plus a hefty $550 per major version release."

The Russian cybercrooks behind the Trojan claim it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian, and eight different desktop environments, including Gnome and Kde.

RSA researchers managed to obtain the malware-builder as well as the server-side source code before putting together a write-up on the capabilities of the malware.

There are millions of different strains of Windows malware, so many that most antivirus vendors have given up counting them. Cybercrooks produce so many as part of a strategy to overwhelm, or at least delay, the creation and application of security defences.

Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.

There are a far lower number – perhaps hundreds – of malicious Mac OS X apps, and an even smaller number of nasties that affect Linux. Most of the Linux malware created so far affects servers instead of desktops, so the Hand of Thief is doubly rare.

The creation of Hand of Thief shows that cybercrooks think there's a market for tools that lift banking credentials from the boxes of Linux users, perhaps including those who use Ubuntu and the like for e-commerce transactions precisely because they correctly reason it's less at risk from malware infestation.

Windows banking Trojans such as Zeus and SpyEye are often spread using browser exploits and the like from compromised websites, running the infamous Blackhole Exploit Kit or similar. This is an effective strategy and more subtle than anything available to miscreants who fancy chancing their arm with Hand of Thief.

Kessem notes that aren’t significant exploit packs targeting Linux. Even those selling the malware admitted as much and told RSA researchers posing as potential buyers that email and social engineering was the best way available to trick open source fans into installing the malware.

The creations of Hand of Thief might be an "early sign of Linux becoming less secure as cybercrime migrates to the platform" but Kessem is still left wondering: "Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?" ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.