Author Topic: First Banking Trojan for Linux in the Wild  (Read 1275 times)


Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
First Banking Trojan for Linux in the Wild
« on: August 09, 2013, 01:38:47 am »
Source: http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-steals-in-7000019175/

Quote
For years, Linux desktop users had it easy.  Their Windows brothers and sisters had to deal with an unending stream of malware; but other than a handful of exploits aimed mostly at Linux servers, there were no real Linux Trojans or viruses. Oh well, all good things must come to an end.

RSA, the Security Division of EMC, has reported that a "Russia-based cybercrime team has set its sights on offering a new banking Trojan targeting the Linux operating system: Hand of Thief."

This appears to be a variation on a very common theme in contemporary Windows malware: A banking Trojan.

Here the name of the game is to grab your personal login and password data with a "Form grabber" as you enter it into your bank or other online system. This information consists of your stolen credentials, the timestamp of when you visited a site, which Web sites you visited, and possibly your Web browser's cookies. Finally, all this is then passed on over the Internet to a command-and-control server. From there the crooks can get to work selling your information to people who will start running up your credit-card bills.

Hand of Thief also includes a mechanism to prevent users from accessing anti-virus sites. This seems to work by manipulating Internet Domain Name System (DNS) addresses within memory rather than doing something obvious such as changing records in your hosts file.

Its developer claims "it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora, and Debian. As for desktop environments, the malware supports 8 different environments, including Gnome and KDE." The attack specifically targets the common Web browsers Firefox and Google Chrome, as well as several others that are often found on Linux such as Chromium, Aurora, and Ice Weasel.

At this point, some Linux users may start pooh-poohing this as yet another case of virus FUD. It's not. Hand of Thief really is out there. I should know. Someone tried to give a case of it to me earlier today.

Fortunately, as Limor Kessem, one of RSA's top cyber Intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good ways of infecting Linux users. Instead, the cracker "suggested using email and social engineering as the infection vector."

Practically speaking that means you shouldn't be clicking on any strange URLs sent to you over social media or by e-mail. But, you already knew that? Right? Right!?

By the way, that wasn't a mistake when I said "sales agent." Like a lot of modern malware, Hand of Thief is designed by criminals for criminals. As Kessem wrote, "This malware is currently offered for sale in closed cybercrime communities for $2,000 USD (€1,500 EUR) with free updates." When it goes "commercial," its "price is expected to rise to $3,000 USD (€2,250 EUR), plus a hefty $550 per major version release."

That, by the way, is about the price that similar Windows malware kits go for in today's black market. That makes Hand of Thief, considering its small potential number of targets, quite expensive.

While Linux is still inherently more secure than Windows, it, like any other operating system, is not perfectly secure. Now, more than ever, desktop Linux users need to practice basic security if they're to be safe on the ever more dangerous Internet.

This is really nothing special technically. It's probably some packaged binary that a user will download, run, get a gksudo prompt and voila, it hijacks your browser traffic. Yet it shows that people are getting more interested in attacking Desktop Linux users. Of course, the media are hyping this up as if Linux's security has been compromised or something.

I guess Ubuntu users will fall for this.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline Thor

  • Serf
  • *
  • Posts: 29
  • Cookies: 15
  • whoami?
Re: First Banking Trojan for Linux in the Wild
« Reply #1 on: August 09, 2013, 03:33:35 am »
I seriously doubt this will catch on.

Most criminals won't want to waste time with such a small target audience. Although there are lots of Linux users out there (myself included), most of them are tech savvy and will know better than to run random binaries they receive in emails.
The criminals will still prefer to target Windows because of its larger user base (with lots of "dumb" users), and because of the large availability of exploit kits which target Windows, making it much easier to get successful infections.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: First Banking Trojan for Linux in the Wild
« Reply #2 on: August 09, 2013, 06:25:13 am »
Quote from: Thor
I seriously doubt this will catch on.

Most criminals won't want to waste time with such a small target audience. Although there are lots of Linux users out there (myself included), most of them are tech savvy and will know better than to run random binaries they receive in emails.
The criminals will still prefer to target Windows because of its larger user base (with lots of "dumb" users), and because of the large availability of exploit kits which target Windows, making it much easier to get successful infections.

I agree, however as Vezzy said a lot of Ubuntu users will probably be around the same level as the average Windows user.
It all comes down to the user once more; Flash, Java and similar are probably just as exploitable on Linux.
Wtf were you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline Axon

  • VIP
  • King
  • *
  • Posts: 2047
  • Cookies: 319
Re: First Banking Trojan for Linux in the Wild
« Reply #3 on: August 09, 2013, 11:56:18 am »
An expensive trojan combined with the fact that Linux users are few in number compared to Windows users worldwide. I don't see a bright future for this crap, unless the user is stupid enough to get infected.

However, developing Linux malware is in my opinion a complete waste of time; if you want the big stake, simply go for Windows or Mac.

Offline edu19

  • Peasant
  • *
  • Posts: 61
  • Cookies: 5
Re: First Banking Trojan for Linux in the Wild
« Reply #4 on: August 09, 2013, 02:23:06 pm »
A trojan for Linux should exploit a vulnerability that requires little and "safe" user interaction like visiting a website, playing a video, etc. But then it wouldn't last long. The vuln would be patched and AV software would detect the code, unless it uses polymorphism. At times you see an entire page at securityfocus for Linux vulnerabilities and software running on Linux, like web browsers for example. They could do it a lot more, but since the majority of users are on Windows and are stupid as hell, they prefer to send out exes with less common extensions like .PIF, .COM, .SCR, .CMD or double extensions like ".jpg.scr" to try to mislead the user. There have been extension spoofing vulns in IE and there are a LOT of file types in Windows that can run code, by design, but the malware writers keep on these because they simply rename their exe to .com, .cmd, .scr etc. and voila. Actually most of them are skiddies using plain social engineering.
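The extension tricks edu19 describes (renaming an exe to a less familiar executable extension such as .PIF, .COM, .SCR or .CMD, or hiding it behind a double extension like ".jpg.scr") are something a mail gateway or a user can check for mechanically. The Python below is an added example written for this thread, not code from any post or product mentioned in it; the two extension sets and the sample attachment names are constructed for the example, and a real deployment would use a fuller list of executable extensions.

```python
# Added example (not from the thread): flag attachment file names that use
# the extension tricks discussed above. Two cases are detected:
#   executable        - the real (last) extension is one Windows will run
#   double_extension  - a data-looking extension sits in front of an
#                       executable one, e.g. "photo.jpg.scr"
# EXECUTABLE_EXTS, DATA_EXTS and SAMPLE_NAMES are constructed for this
# example; they are not a complete list from any mail filter.

# Windows extensions that execute when opened. The post names .PIF, .COM,
# .SCR and .CMD as the ones malware is renamed to; .exe and .bat are added.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "cmd", "bat"}

# Extensions a recipient expects to be inert data. A name ending in one of
# these followed by an executable extension is trying to pass as data.
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx",
             "xls", "xlsx", "txt", "mp4", "avi", "zip"}


def classify_attachment(name: str) -> str:
    """Return 'double_extension', 'executable' or 'ok' for one file name.

    The comparison is case-insensitive, so "INVOICE.PDF.SCR" is caught too.
    Only the last dot-separated part is treated as the real extension, which
    is how Windows decides what to do with the file.
    """
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "ok"  # no extension at all
    if parts[-1] not in EXECUTABLE_EXTS:
        return "ok"  # the real extension is not executable
    # The real extension is executable; is a data extension placed before it?
    if len(parts) >= 3 and parts[-2] in DATA_EXTS:
        return "double_extension"
    return "executable"


def scan_attachments(names):
    """Map each suspicious file name to its verdict; clean names are omitted."""
    flagged = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged


# Constructed sample attachment names for a run of the checker.
SAMPLE_NAMES = [
    "holiday_photos.jpg.scr",  # image extension in front, screensaver behind
    "invoice.PIF",             # bare executable with an unfamiliar extension
    "setup.com",               # bare executable
    "quarterly_report.pdf",    # genuine document
    "archive.tar.gz",          # two extensions, neither executable
    "README",                  # no extension
]

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:17} {name}")
```

Run as a script it lists the three flagged names; `scan_attachments` can be fed the attachment names of an incoming message instead. It deliberately judges only the last extension, because that is what the operating system acts on, whatever the name looks like to the user.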