
Cybercrooks have created a banking Trojan that targets Linux users, which is being touted for sale on underground cybercrime forums for just $2,000 a pop. The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for …

COMMENTS

This topic is closed for new posts.


  1. Neil Barnes Silver badge

    will the Linux Trojan have the same value as its Windows counterparts?

    Given that the dacoits behind it seem to have provided a surefire way to avoid it - viz; run in a virtual machine - it can't be *that* valuable.

    1. cyberdemon Silver badge
      Devil

      Re: will the Linux Trojan have the same value as its Windows counterparts?

      Or even just install the vboxaddons package, say, on your physical machine, and it'll probably think it's a virtual machine anyway!

      1. Anonymous Coward
        Anonymous Coward

        Re: will the Linux Trojan have the same value as its Windows counterparts?

        "early sign of Linux becoming less secure as cybercrime migrates to the platform"

        Linux has always been horrifically insecure. What they mean is that someone finally bothered to write some malware to target the tiny ~1% market share that it commands on the desktop...

        1. Captain Scarlet
          Thumb Down

          Re: will the Linux Trojan have the same value as its Windows counterparts?

          I can't agree with that. The only issues I have ever had have been due to other programs running on the OS (whereby the program is not used how I would expect) or me being a plank when configuring something (I can equally configure something wrong on Windows like a plank as well). I think at least some examples should be provided to back your statement.

          1. Tom 13

            @Captain Scarlet

            I've never concurred with the opinion that Linux was inherently safer than Windows in the sense of "you don't have to worry about it" which is too frequently the context in which the statement is used. It is in the sense that if you are security aware you CAN lock it down.

            I'd also quibble over whether it is moving toward being less secure. Historically it has also been more secure in its default configuration. In the sense that the default configurations are becoming less secure it is true, but the ability to lock it down properly is still there. Also Windows has been asymptotically approaching Linux security in its ability to be locked down, but does look like it will always be asymptotically approaching it.

            Ultimately the security of any system rests in the hands of the people who administer it. Which can be a really scary thought in the consumer market.

        2. Carl

          Re: will the Linux Trojan have the same value as its Windows counterparts?

          "Linux has always been horrifically insecure."

          Please explain how.

          Thanks ;)

          1. Anonymous Coward
            Anonymous Coward

            Re: will the Linux Trojan have the same value as its Windows counterparts?

            "Please explain how."

            Here are a few:

            Extreme levels of vulnerabilities - well over 900 in the kernel alone.

            Weak security model - no proper ACLs without using 'experimental' NFS 4.1 filesystem.

            No constrained delegation - Reliance on weak security tools that must run with root privileges like SUDO.

            Weak control model - hacks like SEL are required to provide control and lockdown.

            If you look at a market where Linux is actually used like Webservers, you are much more likely to be hacked running Linux than Windows server.

            1. Destroy All Monsters Silver badge
              Thumb Down

              Re: will the Linux Trojan have the same value as its Windows counterparts?

              > Extreme levels of vulnerabilities - well over 900 in the kernel alone.

              I would like to see that.

              Actually, if there are "900 vulnerabilities", there must have been a monster QA effort to actually find them in the first place. Hmmm...

              > no proper ACLs without using 'experimental' NFS 4.1 filesystem.

              What has NFS got to do with anything? Are you using NFS and pretending at security? Retarded much?

              > No constrained delegation - Reliance on weak security tools that must run with root privileges like SUDO.

              Never been a problem. Are you letting your users run wild on the machine? Are you stupid?

              > Weak control model - hacks like SEL are required to provide control and lockdown.

              About as much a "hack" as this. Anything else?

              > If you look at a market where Linux is actually used like Webservers, you are much more likely to be hacked running Linux than Windows server.

              Reality says no.

        3. HippyFreetard
          Coat

          Re: will the Linux Trojan have the same value as its Windows counterparts?

          So that's fine then, because nobody will pay that much money for the totally pointless chance to get at an insignificant minority of hobbyists, then ;)

    2. Anonymous Coward
      Anonymous Coward

      Ant still

      'Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.'

      And still they flock to buy the phones.... Baaaaa Baaaaaa Baaaaaaaaaaaaaa.

  2. Destroy All Monsters Silver badge
    Windows

    Good. Good! Now unleash your fury, young VXer!

    We need the defenses tested.

    We don't want Linux to be like the Death Star, where a missing mosquito net on a lousy vent caused total station loss.

  3. Arthur 1

    Problem with this idea...

    Most trojans rely on stupid users installing crap and clicking through permissions and warnings. If you're working in a GUI the steps are almost the same in Linux and Windows, whatever the fanboys of both sides want to say about it. Multiple zero days to get through all the various restrictions of the web browser and the OS kernel is a pretty rare attack indeed. It happens through public services more readily, but those aren't used by end users for purposes a banking trojan would care about.

    The problem with this idea is pretty simple. If someone has bothered to install Linux, what are the odds they're going to blindly allow your trojan to install itself and execute? Double that since the culture of Linux isn't like Windows users who go online to find software anywhere, a Linux user is normally looking in their own repository or rolling packages from source.

    1. cyberdemon Silver badge
      Devil

      Re: Problem with this idea...

      Quite right. Basic Safe Surfing practice means you avoid the vast majority of malware. (I personally advise against antivirus software. It is more trouble than it's worth and tends to lull users into a false sense of security)

      Mind you, there is a lot of malware that can get in via javascript exploits in browsers, and there are quite a few privilege escalation exploits running around.

      Javascript remote code execution exploit + privilege escalation + rootkit = one pwned box, with no permission boxes to click through.

      The most effective defence per unit of user inconvenience, IMO, is to turn off javascript by default (only for selected domains), using something like NoScript (or NotScripts in Chrome). It has an added bonus of blocking almost all adverts and invasive trackers, whilst leaving non-intrusive HTML-only adverts alone.

    2. frank ly

      Re: Problem with this idea...

      I downloaded a file called See-Nekid-Wimmin.deb and clicked on it and it seemed to install. It doesn't do anything when I run it so I suppose I need one of those obscure library packages to be installed as well.

    3. JDX Gold badge

      Re: Problem with this idea...

      Your typical Linux user is probably wise to this. But what about all the Linux users who like to boast about how they installed Linux for their mum/gran, and how they were able to use it despite being a computer ignoramus?

      And what about businesses who decide they will make all the receptionists and so on use Linux to save on costs?

      Such people are just as clueless whichever OS they run.

      1. Anonymous Coward
        Anonymous Coward

        Re: Problem with this idea...

        Regarding mums' and receptionists' machines:

        I've read a lot of comments around the web and know some people who do that. If they give the user su privileges, then said user may be suckered into installing something. However, JDX, do you know of any company that gives its users su privileges?

        Linux is quite suited to the corporate desktop - it's much more simple to customise and lock down.

        Have a nice troll!

      2. Vic

        Re: Problem with this idea...

        > Such people are just as clueless whichever OS they run

        If the clueless people don't have the root password, the damage they can do is very much limited...

        Vic.

    4. Tim Starling

      Re: Problem with this idea...

      We get a lot of comments on El Reg saying "I installed Linux for my Mum and she loves it." So presumably there are some naive end users.

    5. Anonymous Coward
      Anonymous Coward

      Re: Problem with this idea...

      "Multiple zero days to get through all the various restrictions of the web browser and the OS kernel is a pretty rare attack indeed"

      The Linux kernel alone has well over 900 known vulnerabilities...

    6. E 2

      Re: Problem with this idea...

      I can't completely agree - Linux sysadmins generally take security stuff seriously, but I know lots of programmers working on linux boxes who do not.

      As well, given distros like Ubuntu that are very easy to install for non-experts, and which pop up that "enter your password" dialog a lot, a trojan will probably succeed.

      Back in 2007 the phalanx (phalanx2 ?) rootkit was used very successfully to penetrate a large percentage of the western world's linux academic research networks. Those networks were operated by people who understood something about *NIX safety and security... how well do you think the average joe Linux user will fare?

  4. Fehu
    Linux

    Changing targets

    I don't think I'm unique in that, understanding my wife and kids are going to shop and try to do banking on line, I've set up a PC with Linux for them to use for those purposes. Criminals are probably seeing that trend, as well, and are simply responding to it. When asked why he robbed banks famed criminal John Dillinger reportedly answered, "Because that's where the money is." Don't read more into it than there is.

  5. Anonymous Coward
    Anonymous Coward

    Are there enough Linux desktops out there, in uneducated hands, to make a banking trojan worth the effort?

    1. Spiracle

      City traders?

    2. Richard 22

      I guess we'll find out

      They're probably testing the market here. I guess if there's no takers, or if the people who buy it find that it doesn't pay them back then it will stop being developed.

      If this relies on user intervention to install software (which involves typing an admin password on virtually all linux installs) then I'd be surprised if it's very successful, unless people running linux really do believe that they're bulletproof. I think that's less likely to be true than for example OS X users, who are (massive generalisation here) less tech savvy and more prone to believe the "this OS is secure" hype.

      1. Ocular Sinister
        Flame

        Re: I guess we'll find out

        You can install software on Linux without the admin password, so long as you bypass the package manager and simply copy your files to ~/.mypron. Modify .bash_profile to start your software and you're golden. OK, this is not very sophisticated and it's easy to spot if you know where to look, but plenty of folks won't know where to look or even bother (when was the last time you checked your .bash_profile?). I'm sure smarter folk than I can come up with ways to obfuscate all this to the extent that a casual perusal won't reveal anything amiss.

        1. Chemist

          Re: I guess we'll find out

          "You can install software on Linux without the admin password"

          Well of course you can, you can also compile your own and run it from within your own account - but you can't readily allow global execution. Neither of these is a subtle introduction of malicious code to a machine.

          1. lozhurst
            Linux

            Re: I guess we'll find out

            "Well of course you can, you can also compile your own and run it from within your own account"

            Although this gets difficult when all your user-writable directories are mounted noexec to prevent exactly this.

            1. Chemist

              Re: I guess we'll find out

              That wasn't really the point. I was trying to show that downloading or compiling a program in a user space wasn't a very subtle way of introducing a malicious program.

            2. Vic

              Re: I guess we'll find out

              > this gets difficult when all your user-writable directories are mounted noexec

              ...And you've set your users' default shell to /bin/rbash :-)

              Vic.
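The two defensive points raised in this sub-thread (check your own shell start-up files for anything launched out of a hidden directory, and mount user-writable areas noexec) can be turned into a quick audit. The script below is an added example, not code from the article or any commenter; the start-up file and mount table it inspects are constructed samples written to temporary files, and the regular expression and the list of "user-writable" mount points are assumptions that a real deployment would tune.

```shell
#!/bin/sh
# Added example (not from the thread): audit shell start-up files and mount
# options for the two weaknesses discussed above.

# Print lines of a shell start-up file that reference a path inside a hidden
# (dot-prefixed) directory under the user's home, e.g. "$HOME/.mypron/run".
# The pattern is an assumption: it catches ~/.x/, $HOME/.x/ and /home/u/.x/.
suspicious_startup_lines() {
    file="$1"
    [ -r "$file" ] || return 0
    grep -nE '(~|\$HOME|/home/[^/]+)/\.[^/[:space:]]+/' "$file" || true
}

# Number of such lines, for scripting and for the test below.
count_suspicious_startup_lines() {
    suspicious_startup_lines "$1" | wc -l | tr -d ' '
}

# Read a file in /proc/mounts format and print the user-writable mount points
# (assumed list: /home, /tmp, /var/tmp, /dev/shm) whose options lack noexec.
mounts_missing_noexec() {
    mounts="$1"
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /home|/home/*|/tmp|/var/tmp|/dev/shm)
                case ",$opts," in
                    *,noexec,*) ;;                       # already locked down
                    *) printf '%s %s\n' "$mnt" "$opts" ;;  # executable by users
                esac ;;
        esac
    done < "$mounts"
}

count_mounts_missing_noexec() {
    mounts_missing_noexec "$1" | wc -l | tr -d ' '
}

# Constructed sample data (not captured from a real machine).
SAMPLE_PROFILE=$(mktemp)
cat <<'EOF' > "$SAMPLE_PROFILE"
# ~/.bash_profile (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
nohup "$HOME/.mypron/updater" >/dev/null 2>&1 &
EOF

SAMPLE_MOUNTS=$(mktemp)
cat <<'EOF' > "$SAMPLE_MOUNTS"
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

echo "Start-up lines launching from hidden directories:"
suspicious_startup_lines "$SAMPLE_PROFILE"
echo "User-writable mounts without noexec:"
mounts_missing_noexec "$SAMPLE_MOUNTS"
```

On a live system you would point `suspicious_startup_lines` at `~/.bash_profile`, `~/.bashrc` and `~/.profile` (and the equivalents for whatever shell is in use) and `mounts_missing_noexec` at `/proc/mounts`; a hit is only a prompt to look, since legitimate tools also live in dot-directories, and noexec on `/home` is a policy decision rather than a complete barrier, as the thread's remarks about interpreters and rbash suggest.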

    3. Anonymous Coward
      Anonymous Coward

      Lots of developers at Google.

      So much for the open source myth. If something builds and runs well do people really spend hours looking at code to spot security weaknesses?

      1. Vic

        > do people really spend hours looking at code to spot security weaknesses?

        Yes.

        Vic.

    4. Anonymous Coward
      Anonymous Coward

      Re: in uneducated hands

      But even the educated make stupid mistakes.

      That's what worries me. About me.

    5. Anonymous Coward
      Boffin

      China in a few years if their quinquennial plan works out.

  6. Roo

    I for one welcome our new Desktop Underlords.

    The Linux Desktop now has all the classes of applications that the Windows & OS/X refusenix require for their daily desktop experience.

    1. Anonymous Coward
      Linux

      Wow - it's finally here!

      The Year of Desktop Linux!

      You can tell for sure - we finally have our own banking malware.

    2. JohnG

      Re: I for one welcome our new Desktop Underlords.

      "The Linux Desktop now has all the classes of applications that the Windows & OS/X refusenix require for their daily desktop experience."

      Yes - but this has been true for years. The snag is, users don't require "classes of applications", they require specific applications. Whilst Libre Office is great (I use it every day), it is not an exact replacement for MS Office. While you can open Office documents in LO, the more complicated stuff doesn't work properly e.g. Excel macros - and you can bet that Microsoft will make sure that compatibility with MS Office remains a moving target.

  7. Lamont Cranston

    At last, Linux is being treated as a mainstream OS.

    WHAT'S EADON'S TAKE ON THIS?

    1. Anonymous Coward
      Anonymous Coward

      Re: At last, Linux is being treated as a mainstream OS.

      He'll blame the code Microsoft submitted to the kernel for it.

    2. Destroy All Monsters Silver badge
      Trollface

      Re: At last, Linux is being treated as a mainstream OS.

      MICROSOFT FAIL!

    3. nematoad
      Happy

      Re: At last, Linux is being treated as a mainstream OS.

      Yes, where is Eadon?

      Has he been sent to the Gulag?

      Or just on holiday?

    4. Anonymous Coward
      Mushroom

      Re: At last, Linux is being treated as a mainstream OS.

      Eadon has been erased. It is as if he never existed. Every single one of his 2761 posts have been permanently deleted.

      1. Destroy All Monsters Silver badge
        Unhappy

        Re: At last, Linux is being treated as a mainstream OS.

        Holy shit! That's some serious Winston Smith action.

      2. eesiginfo
        Linux

        Re: At last, Linux is being treated as a mainstream OS.

        Wow!

        What did he do to deserve that?

        Just the thought of a mod deleting 2,761 posts, sends shivers.

        Was there interesting comment (in that lot), or were they just one liner 'trolling' remarks?

      3. Lamont Cranston
        Unhappy

        @Condiment

        Eek! Did he cross the line into libel, or something?

        1. Anonymous Coward
          Anonymous Coward

          Re: @Condiment

          He pissed off Drewc.

      4. cambsukguy

        Re: At last, Linux is being treated as a mainstream OS.

        Why? Does that happen to anyone whose account is deleted? or was s/he known to have been employed by someone to troll and was discovered?

  8. ElNumbre
    Facepalm

    Whoa - slow down there!

    "early sign of Linux becoming less secure as cybercrime migrates to the platform"

    Linux is as secure or unsecure as ever it has been. Obscurity != Security. Whilst it would be interesting to see a ratio of code complexity vs security bugs, just because more people are trying to exploit a platform, that does not make it less secure, just more financially viable to attack.

    1. Anonymous Coward
      Anonymous Coward

      Re: Whoa - slow down there!

      "early sign of Linux becoming less secure as cybercrime migrates to the platform" is a particularly silly statement, isn't it? As you've said, more financially viable to attack != less secure, that statement is just an attempt to get publicity.

      Sadly it seems to have worked.

  9. Spiracle

    Crucial bit from the linked article

    "... since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector."

    So conventional sanitary practice should apply.

    1. Anonymous Coward
      Anonymous Coward

      Re: Crucial bit from the linked article

      "since Linux is open source, vulnerabilities are patched relatively quickly by the community of users"

      Relative to what? Windows is patched faster than Linux on average with fewer days at risk - and those updates are only released once a month...
