Feeds

back to article 'Hand of Thief' banking Trojan reaches for Linux – for only $2K

Cybercrooks have created a banking Trojan that targets Linux users, which is been touted for sale on underground cybercrime forums for just $2,000 a pop. The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for HTTP …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

will the Linux Trojan have the same value as its Windows counterparts?

Given that the dacoits behind it seem to have provided a surefire way to avoid it - viz; run in a virtual machine - it can't be *that* valuable.

2
0
Devil

Re: will the Linux Trojan have the same value as its Windows counterparts?

Or even just install the vboxaddons package, say, on your physical machine, and it'll probably think it's a virtual machine anyway!

0
0
Anonymous Coward

Ant still

'Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.'

And still they flock to buy the phones.... Baaaaa Baaaaaa Baaaaaaaaaaaaaa.

2
17
Anonymous Coward

Re: will the Linux Trojan have the same value as its Windows counterparts?

"early sign of Linux becoming less secure as cybercrime migrates to the platform"

Linux has always been horrifically insecure. What they mean is that someone finally bothered to write some malware to target the tiny ~1% market share that it commands on the desktop...

0
12
Bronze badge
Thumb Down

Re: will the Linux Trojan have the same value as its Windows counterparts?

I can't agree with that, the only issues I have ever had has been due to other programs running on the OS (Where by the program is not used how I would expect) or me being a plank when configuring something (I can equally configure something wrong on Windows like a plank as well). I think at least some examples should be provided to back your statement.

2
0

Re: will the Linux Trojan have the same value as its Windows counterparts?

"Linux has always been horrifically insecure."

Please explain how.

Thanks ;)

5
0
Silver badge

@Captain Scarlet

I've never concurred with the opinion that Linux was inherently safer than Windows in the sense of "you don't have to worry about it" which is too frequently the context in which the statement is used. It is in the sense that if you are security aware you CAN lock it down.

I'd also quibble over whether it is moving toward being less secure. Historically it has also been more secure in its default configuration. In the sense that the default configurations are becoming less secure it is true, but the ability to lock it down properly is still there. Also Windows has been asymptotically approaching Linux security in its ability to be locked down, but does look like it will always be asymptotically approaching approaching it.

Ultimately the security of any system rests in the hands of the people who administer them. Which can be a really scary thought in the consumer market.

1
0
Anonymous Coward

Re: will the Linux Trojan have the same value as its Windows counterparts?

"Please explain how."

Here are a few:

Extreme levels of vulnerabilities - well over 900 in the kernel alone.

Weak security model - no proper ACLs without using 'experimental' NFS 4.1 filesystem.

No constrained delegation - Reliance on weak security tools that must run with root privileges like SUDO.

Weak control model - hacks like SEL are required to provide control and lockdown.

If you look at a market where Linux is actually used like Webservers, you are much more likely to be hacked running Linux than Windows server.

0
6
Silver badge
Thumb Down

Re: will the Linux Trojan have the same value as its Windows counterparts?

> Extreme levels of vulnerabilities - well over 900 in the kernel alone.

I would like to see that.

Actually, if there are "900 vulnerabilities", there must have been a monster QA effort top actually find them in the first place. Hmmm...

> no proper ACLs without using 'experimental' NFS 4.1 filesystem.

What has NFS got to do with anything? Are you using NFS and pretending at security? Retarded much?

> No constrained delegation - Reliance on weak security tools that must run with root privileges like SUDO.

Never been a problem. Are you letting your users run wild on the machine? Are your stupid?

> Weak control model - hacks like SEL are required to provide control and lockdown.

About as much a "hack" as this. Anything else?

> If you look at a market where Linux is actually used like Webservers, you are much more likely to be hacked running Linux than Windows server.

Reality says no.

5
0
Coat

Re: will the Linux Trojan have the same value as its Windows counterparts?

So that's fine then, because nobody will pay that much money for the totally pointless chance to get at an insignificant minority of hobbyists, then ;)

0
0
Silver badge
Windows

Good. Good! Now unleash your fury, young VXer!

We need the defenses tested.

We don't want Linux to be like the Death Star, where a missing mosquito net on a lousy vent caused total station loss.

9
2

Problem with this idea...

Most trojans rely on stupid users installing crap and clicking through permissions and warnings. If you're working in a GUI the steps are almost the same in Linux and Windows, whatever the fanboys of both sides want to say about it. Multiple zero days to get through all the various restrictions of the web browser and the OS kernel is a pretty rare attack indeed. It happens through public services more readily, but those aren't used by end users for purposes a banking trojan would care about.

The problem with this idea is pretty simple. If someone has bothered to install Linux, what are the odds they're going to blindly allow your trojan to install itself and execute? Double that since the culture of Linux isn't like Windows users who go online to find software anywhere, a Linux user is normally looking in their own repository or rolling packages from source.

18
1
Devil

Re: Problem with this idea...

Quite right. Basic Safe Surfing practice means you avoid the vast majority of malware. (I personally advise against antivirus software. It is more trouble than it's worth and tends to lull users into a false sense of security)

Mind you, there is a lot of malware that can get in via javascript exploits in browsers, and there are quite a few privelege escalation exploits running around.

Javascript remote code execution exploit + privelege escalation + rootkit = one pwned box, with no permission boxes to click through.

The most effective defence per unit of user inconvenience, IMO, is to turn off javascript by default (only for selected domains), using something like NoScript (or NotScripts in Chrome). It has an added bonus of blocking almost all adverts and invasive trackers, whilst leaving non-intrusive HTML-only adverts alone.

3
0
Silver badge

Re: Problem with this idea...

I downloaded a file called See-Nekid-Wimmin.deb and clicked on it and it seemed to install. It doesn't do anything when I run it so I suppose I need one of those obscure library packages to be installed as well.

3
1

Re: Problem with this idea...

We get a lot of comments on El Reg saying "I installed Linux for my Mum and she loves it." So presumably there are some naive end users.

2
0
JDX
Gold badge

Re: Problem with this idea...

Your typical Linux user is probably wise to this. But what about all the Linux users who like to boast about how they installed Linux for their mum/gran, and how they were able to use it despite being a computer ignoramus?

And what about businesses who decide they will make all the receptionists and so on use Linux to save on costs?

Such people are just as clueless whichever OS they run.

2
6
Anonymous Coward

Re: Problem with this idea...

Regarding mum's and receptionists machines:

I've read a lot of comments around the web and know some people who do that. If they give the user su privileges, then said user may be suckered into installing something. However, JDX, do you know of any company that gives it's users su privileges?

Linux is quite suited to the corporate desktop - it's much more simple and customise and lock down.

Have a nice troll!

8
0
Anonymous Coward

Re: Problem with this idea...

"Multiple zero days to get through all the various restrictions of the web browser and the OS kernel is a pretty rare attack indeed"

The Linux kernel alone has well over 900 known vulnerabilities...

0
8
E 2

Re: Problem with this idea...

I can't completely agree - Linux sysadmins generally take security stuff seriously, but I know lots of programmers working on linux boxes who do not.

As well, given distros like Ubuntu that are very easy to install for non-experts, and which pop up that "enter your password" dialog a lot, a trojan will probably succeed.

Back in 2007 the phalanx (phalanx2 ?) rootkit was used very successfully to penetrate a large percentage of thewestern world's linux academic research networks. Those networks were operated by people who understood something about *NIX safety and security... how well do you think the average joe Linux user will fare?

0
1
Vic
Silver badge

Re: Problem with this idea...

> Such people are just as clueless whichever OS they run

If the clueless people don't have the root password, the damage they can do is very much limited...

Vic.

0
0
Linux

Changing targets

I don't think I'm unique in that understanding my wife and kids are going to shop and try to do banking on line, I've set up a PC with Linux for them to use for those purposes. Criminals are probably seeing that trend, as well, and are simply responding to it. When asked why he robbed banks famed criminal John Dillinger reportedly answered, "Because that's where the money is." Don't read more into it than there is.

5
0
Anonymous Coward

Are there enough Linux desktops out there, in uneducated hands, to make a banking trojan worth the effort?

6
0

City traders?

1
0

I guess we'll find out

They're probably testing the market here. I guess if there's no takers, or if the people who buy it find that it doesn't pay them back then it will stop being developed.

If this relies on user intervention to install software (which involves typing an admin password on virtually all linux installs) then I'd be surprised if it's very successful, unless people running linux really do believe that they're bulletproof. I think that's less likely to be true than for example OS X users, who are (massive generalisation here) less tech savvy and more prone to believe the "this OS is secure" hype.

7
0
Anonymous Coward

Lots of developers at Google.

So much for the open source myth. If something builds and runs well do people really spend hours looking at code to spot security weaknesses?

0
12
Anonymous Coward

Re: in uneducated hands

But even the educated make stupid mistakes.

That's what worries me. About me.

0
0
Boffin

China in a few years if their quinquennial plan works out.

0
0
Flame

Re: I guess we'll find out

You can install software on Linux without the admin password, so long as you bypass the package manager and simply copy your files to ~/.mypron. Modify .bash_profile to start your software and you're golden. OK, this is not very sophisticated and its easy to spot if you know where to look, but plenty of folks won't know where to look or even bother (when was that last time you checked your .bash_profile?). I'm sure smarter folk than I can come up with ways to obfuscate all this to the extent that a casual perusal won't reveal anything amiss.

0
2
Silver badge

Re: I guess we'll find out

"You can install software on Linux without the admin password"

Well of course you can, you can also compile your own and run it from within your own account - but you can't readily allow global execution. Neither of these is a subtle introduction of malicious code to a machine

3
0
Linux

Re: I guess we'll find out

"Well of course you can, you can also compile your own and run it from within your own account"

Although this gets difficult when all your user-writable directories are mounted noexec to prevent exactly this.

1
0
Silver badge

Re: I guess we'll find out

That wasn't really the point. I was trying to show that that downloading or compiling a program in a user space wasn't a very subtle way of introducing a malicious program

0
0
Vic
Silver badge

> do people really spend hours looking at code to spot security weaknesses?

Yes.

Vic.

0
0
Vic
Silver badge

Re: I guess we'll find out

> this gets difficult when all your user-writable directories are mounted noexec

...And you've set your users' default shell to /bin/rbash :-)

Vic.

0
0
Roo
Silver badge

I for one welcome our new Desktop Underlords.

The Linux Desktop now has all the classes of applications that the Windows & OS/X refusenix require for their daily desktop experience.

2
0
Silver badge
Linux

Wow - it's finally here!

The Year of Desktop Linux!

You can tell for sure - we finally have our own banking malware.

5
0

Re: I for one welcome our new Desktop Underlords.

"The Linux Desktop now has all the classes of applications that the Windows & OS/X refusenix require for their daily desktop experience."

Yes - but this has been true for years. The snag is, users don't require "classes of applications", they require specific applications. Whilst Libre Office is great (I use it every day), it is not an exact replacement for MS Office. While you can open Office documents in LO, the more complicated stuff doesn't work properly e.g. Excel macros - and you can bet that Microsoft will make sure that compatibility with MS Office remains a moving target.

2
3
Silver badge

At last, Linux is being treated as a mainstream OS.

WHAT'S EADON'S TAKE ON THIS?

2
3
Anonymous Coward

Re: At last, Linux is being treated as a mainstream OS.

He'll blame the code Microsoft submitted to the kernel for it.

0
1
Silver badge
Trollface

Re: At last, Linux is being treated as a mainstream OS.

MICROSOFT FAIL!

2
0
Silver badge
Happy

Re: At last, Linux is being treated as a mainstream OS.

Yes, where is Eadon?

Has he been sent to the Gulag?

Or just on holiday?

0
1
Mushroom

Re: At last, Linux is being treated as a mainstream OS.

Eadon has been erased. It is as if he never existed. Every single one of his 2761 posts have been permanently deleted.

0
0
Silver badge
Unhappy

Re: At last, Linux is being treated as a mainstream OS.

Holy shit! That's some serious Winston Smith action.

2
0
Linux

Re: At last, Linux is being treated as a mainstream OS.

Wow!

What did he do to deserve that?

Just the thought of a mod deleting 2,761 posts, sends shivers.

Was there interesting comment (in that lot), or were they just one liner 'trolling' remarks?

0
0
Silver badge
Unhappy

@Condiment

Eek! Did he cross the line into libel, or something?

0
0
Anonymous Coward

Re: @Condiment

He pissed off Drewc.

0
0
Bronze badge

Re: At last, Linux is being treated as a mainstream OS.

Why? Does that happen to anyone whose account is deleted? or was s/he known to have been employed by someone to troll and was discovered?

0
0
Facepalm

Whoa - slow down there!

"early sign of Linux becoming less secure as cybercrime migrates to the platform"

Linux is as secure or unsecure as ever it has been. Obscurity != Security. Whilst it would be interesting to see a ratio of code complexity vs security bugs, just because more people are trying to exploit a platform, that does not make it less secure, just more financially viable to attack.

16
0
Anonymous Coward

Re: Whoa - slow down there!

"early sign of Linux becoming less secure as cybercrime migrates to the platform" is a particularly silly statement, isn't it? As you've said, more financially viable to attack != less secure, that statement is just an attempt to get publicity.

Sadly it seems to have worked.

3
0

Crucial bit from the linked article

"... since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector."

So conventional sanitary practise should apply.

6
0

Page:

This topic is closed for new posts.