Feeds

'Hand of Thief' banking Trojan reaches for Linux – for only $2K

'Early sign of Linux becoming less secure,' says infosec bod

Boost IT visibility and business value

Cybercrooks have created a banking Trojan that targets Linux users, which is been touted for sale on underground cybercrime forums for just $2,000 a pop.

The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for HTTP and HTTPS sessions running on a variety of browsers as well as routines to block access to security updates or access to the websites of anti-virus vendors.

The malicious code also incorporates virtual machine detection designed to make it more difficult for security researchers to unpick its secrets.

Limor Kessem, a security researcher at RSA, reports that the Linux banking Trojan tool is on sale in underground cybercrime forums for $2,000, an introductory offer price that is likely to rise to $3,000 as new features are added.

"The current functionality includes form-grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future," Kessem writes. "At that point, the price is expected to rise to $3,000 (€2,250 EUR), plus a hefty $550 per major version release."

The Russian cybercrooks behind the Trojan claim it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian, and eight different desktop environments, including Gnome and Kde.

RSA researchers managed to obtain the malware-builder as well as the server-side source code before putting together a write-up on the capabilities of the malware.

There are millions of different strains of Windows malware, so many that most antivirus vendors have given up counting them. Cybercrooks produce so many as part of a strategy to overwhelm, or at least delay, the creation and application of security defences.

Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.

There are a far lower number – perhaps hundreds – of malicious Mac OS X apps, and an even smaller number of nasties that affect Linux. Most of the Linux malware created so far affects servers instead of desktops, so the Hand of Thief is doubly rare.

The creation of Hand of Thief shows that cybercrooks think there's a market for tools that lift banking credentials from the boxes of Linux users, perhaps including those who use Ubuntu and the like for e-commerce transactions precisely because they correctly reason it's less at risk from malware infestation.

Windows banking Trojans such as Zeus and SpyEye are often spread using browser exploits and the like from compromised websites, running the infamous Blackhole Exploit Kit or similar. This is an effective strategy and more subtle than anything available to miscreants who fancy chancing their arm with Hand of Thief.

Kessem notes that aren’t significant exploit packs targeting Linux. Even those selling the malware admitted as much and told RSA researchers posing as potential buyers that email and social engineering was the best way available to trick open source fans into installing the malware.

The creations of Hand of Thief might be an "early sign of Linux becoming less secure as cybercrime migrates to the platform" but Kessem is still left wondering: "Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?" ®

5 things you didn’t know about cloud backup

More from The Register

next story
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Intel's Raspberry Pi rival Galileo can now run Windows
Behold the Internet of Things. Wintel Things
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Eat up Martha! Microsoft slings handwriting recog into OneNote on Android
Freehand input on non-Windows kit for the first time
Time to move away from Windows 7 ... whoa, whoa, who said anything about Windows 8?
Start migrating now to avoid another XPocalypse – Gartner
You'll find Yoda at the back of every IT conference
The piss always taking is he. Bastard the.
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.