Feeds

'Hand of Thief' banking Trojan reaches for Linux – for only $2K

'Early sign of Linux becoming less secure,' says infosec bod

Top 5 reasons to deploy VMware with Tegile

Cybercrooks have created a banking Trojan that targets Linux users, which is been touted for sale on underground cybercrime forums for just $2,000 a pop.

The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for HTTP and HTTPS sessions running on a variety of browsers as well as routines to block access to security updates or access to the websites of anti-virus vendors.

The malicious code also incorporates virtual machine detection designed to make it more difficult for security researchers to unpick its secrets.

Limor Kessem, a security researcher at RSA, reports that the Linux banking Trojan tool is on sale in underground cybercrime forums for $2,000, an introductory offer price that is likely to rise to $3,000 as new features are added.

"The current functionality includes form-grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future," Kessem writes. "At that point, the price is expected to rise to $3,000 (€2,250 EUR), plus a hefty $550 per major version release."

The Russian cybercrooks behind the Trojan claim it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian, and eight different desktop environments, including Gnome and Kde.

RSA researchers managed to obtain the malware-builder as well as the server-side source code before putting together a write-up on the capabilities of the malware.

There are millions of different strains of Windows malware, so many that most antivirus vendors have given up counting them. Cybercrooks produce so many as part of a strategy to overwhelm, or at least delay, the creation and application of security defences.

Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.

There are a far lower number – perhaps hundreds – of malicious Mac OS X apps, and an even smaller number of nasties that affect Linux. Most of the Linux malware created so far affects servers instead of desktops, so the Hand of Thief is doubly rare.

The creation of Hand of Thief shows that cybercrooks think there's a market for tools that lift banking credentials from the boxes of Linux users, perhaps including those who use Ubuntu and the like for e-commerce transactions precisely because they correctly reason it's less at risk from malware infestation.

Windows banking Trojans such as Zeus and SpyEye are often spread using browser exploits and the like from compromised websites, running the infamous Blackhole Exploit Kit or similar. This is an effective strategy and more subtle than anything available to miscreants who fancy chancing their arm with Hand of Thief.

Kessem notes that aren’t significant exploit packs targeting Linux. Even those selling the malware admitted as much and told RSA researchers posing as potential buyers that email and social engineering was the best way available to trick open source fans into installing the malware.

The creations of Hand of Thief might be an "early sign of Linux becoming less secure as cybercrime migrates to the platform" but Kessem is still left wondering: "Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?" ®

Intelligent flash storage arrays

More from The Register

next story
Netscape Navigator - the browser that started it all - turns 20
It was 20 years ago today, Marc Andreeesen taught the band to play
Sway: Microsoft's new Office app doesn't have an Undo function
Content aggregation, meet the workplace ... oh
Do Moan! MONSTER 6-day EMAIL OUTAGE hits Domain Monster
Customers freaked out by frightful service
Sign off my IT project or I’ll PHONE your MUM
Honestly, it’s a piece of piss
Return of the Jedi – Apache reclaims web server crown
.london, .hamburg and .公司 - that's .com in Chinese - storm the web server charts
NetWare sales revive in China thanks to that man Snowden
If it ain't Microsoft, it's in fashion behind the Great Firewall
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.