Feeds

'Hand of Thief' banking Trojan reaches for Linux – for only $2K

'Early sign of Linux becoming less secure,' says infosec bod

Beginner's guide to SSL certificates

Cybercrooks have created a banking Trojan that targets Linux users, which is been touted for sale on underground cybercrime forums for just $2,000 a pop.

The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for HTTP and HTTPS sessions running on a variety of browsers as well as routines to block access to security updates or access to the websites of anti-virus vendors.

The malicious code also incorporates virtual machine detection designed to make it more difficult for security researchers to unpick its secrets.

Limor Kessem, a security researcher at RSA, reports that the Linux banking Trojan tool is on sale in underground cybercrime forums for $2,000, an introductory offer price that is likely to rise to $3,000 as new features are added.

"The current functionality includes form-grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future," Kessem writes. "At that point, the price is expected to rise to $3,000 (€2,250 EUR), plus a hefty $550 per major version release."

The Russian cybercrooks behind the Trojan claim it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian, and eight different desktop environments, including Gnome and Kde.

RSA researchers managed to obtain the malware-builder as well as the server-side source code before putting together a write-up on the capabilities of the malware.

There are millions of different strains of Windows malware, so many that most antivirus vendors have given up counting them. Cybercrooks produce so many as part of a strategy to overwhelm, or at least delay, the creation and application of security defences.

Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.

There are a far lower number – perhaps hundreds – of malicious Mac OS X apps, and an even smaller number of nasties that affect Linux. Most of the Linux malware created so far affects servers instead of desktops, so the Hand of Thief is doubly rare.

The creation of Hand of Thief shows that cybercrooks think there's a market for tools that lift banking credentials from the boxes of Linux users, perhaps including those who use Ubuntu and the like for e-commerce transactions precisely because they correctly reason it's less at risk from malware infestation.

Windows banking Trojans such as Zeus and SpyEye are often spread using browser exploits and the like from compromised websites, running the infamous Blackhole Exploit Kit or similar. This is an effective strategy and more subtle than anything available to miscreants who fancy chancing their arm with Hand of Thief.

Kessem notes that aren’t significant exploit packs targeting Linux. Even those selling the malware admitted as much and told RSA researchers posing as potential buyers that email and social engineering was the best way available to trick open source fans into installing the malware.

The creations of Hand of Thief might be an "early sign of Linux becoming less secure as cybercrime migrates to the platform" but Kessem is still left wondering: "Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?" ®

Internet Security Threat Report 2014

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
NSA SOURCE CODE LEAK: Information slurp tools to appear online
Now you can run your own intelligence agency
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Seattle children’s accelerates Citrix login times by 500% with cross-tier insight
Seattle Children’s is a leading research hospital with a large and growing Citrix XenDesktop deployment. See how they used ExtraHop to accelerate launch times.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?