Hand Of Thief Trojan: More Linux Virus FUD?

by Paul Arnote (parnote)

To be perfectly honest, I started to write an article about the "new" Linux trojan virus, Hand of Thief, back in August when it was originally announced. I originally had plans to run the article about it in the September issue of The PCLinuxOS Magazine. But something inside of me told me to wait until the dust settled. I am glad that I waited.

Originally touted as one of the first successful banking trojan viruses for Linux, Hand of Thief turns out to be just more FUD (Fear, Uncertainty and Doubt). Back in August the RSA, the security branch of EMC, reported that a group of Russian cybercriminals was looking to offer a new banking trojan that targeted the Linux operating system. That banking trojan is/was called "Hand of Thief," hereinafter referred to as HoT.

Original Claims

The developer of HoT originally claimed that it had been tested on 15 different Linux distributions, including Fedora, Ubuntu and Debian. It isn't clear if PCLinuxOS was one of the distributions that was included in the 15-distribution test group. It was also reported that it was tested on eight different desktop environments, including Gnome and KDE. Original reports also stated that it worked on common web browsers, such as Firefox, Chrome, Chromium, Aurora and Ice Weasel.

HoT was supposed to work as a "form grabber." These work by grabbing information you enter into a form, such as your identity, any credit card information, the name of the site you are on, a timestamp of when you were on, which websites you've visited, and possibly any cookies you have stored on your computer. It then sends that information to a command server. Once your information is recorded, it is then sold to crooks, and then you see your credit card bills soar as they go on a shopping spree.

HoT also contains code to block antivirus sites. It does this by manipulating DNS addresses within memory, rather than by doing something as obvious as changing your hosts file. By blocking access to antivirus sites, it enhances HoT's ability to hide on your computer.

HoT was offered up for sale for an initial $2,000, with some prices expected (at the time) to top $3,000 for a copy of the banking trojan. Sounds pretty scary, huh? Well, that's the way things were supposed to work.

What really happened

In the end, the only ones who really lost with HoT were those cybercriminals who paid $2,000+ for the banking trojan. After analysis, IT security specialists ended up with the verdict that HoT's bark was way worse than its bite. As malicious software, it failed on many fronts. According to Yotam Gottesman, an RSA Senior Security Researcher, the company obtained the HoT code builder and created HoT binaries. Gottesman reports that HoT has no real functionality. "Our research and analysis shows that, in reality, HoT's grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan."

Strike 1: HoT's builder is a Windows application that runs on Linux, under Wine.

Strike 2: HoT ended up not actually affecting all browsers. Instead, it simply exploited a since-patched security vulnerability in the Google Chrome browser.

Strike 3: As malware, HoT fails miserably, and in the most fundamental way: it requires the user to deliberately install it. This might work well under Windows, with its very vulnerable and naive users, but Linux users tend to have a bit more sense than that.

Strike 4: When attempting to run HoT under Firefox, it would simply cause Firefox to crash. Under Google Chrome, HoT simply grabbed useless data.

HoT ended up being nothing more than a prototype. Quite simply, it sucked at gathering data. The HoT virus builder does seem to enable virus makers to make new variants of HoT, and it does create 32 bit Linux ELF (Execute and Linking Format) executable files.

The developer of HoT has stated that he is in the process of finalizing a web injection mechanism, but the RSA doesn't think that it's of any concern -- at least at this time. Given how poorly HoT works at gathering data and how the form grabber doesn't seem to work, the RSA doesn't think that his web injection mechanism is anything to fear.

Lessons?

In the end, the responsibility for the security of our computer systems rests with only one person: the end user. We -- Linux users -- are fortunate to be running an operating system as secure as what we have been given. Still, all the security in the world cannot stop the actions of a naive user.

Opening up suspicious emails is a bad idea. Clicking on unknown links is a bad idea. But we already knew that, now didn't we? Similarly, follow the time honored PCLinuxOS credo of never installing packages from outside of the official PCLinuxOS repository, since all of the packages in the PCLinuxOS repository have been built and tested by reputable developers who have nothing but the best interest of PCLinuxOS and its users in mind. You never are quite sure of the quality or reputation of packages from outside of the PCLinuxOS repository, so even packages from supposedly reputable outside sources can be suspect.

Simply applying some common sense and adhering to these simple "rules", PCLinuxOS users can go a long way towards keeping themselves safe from whatever harm cybercriminals might want to send our way.