Linux 'Hand of Thief ' bank Trojan is not viable malware, says RSA


Creation date

ID: IRCNE2013091950
Date: 2013-09-09

According to "techworld", the ‘Hand of Thief’ (HoT) Linux banking Trojan that was offered for sale on the criminal underground this summer is a primitive "prototype" that poses little real threat to users of the OS, a new analysis by RSA has reported.
The firm’s researchers fired up HoT’s Windows bot builder programme, using it to create a working binary for test purposes. Immediately, they started noticing inefficiencies in its design such as the need to generate a new binary every time basic configuration changes were made.
Under Fedora 19, HoT was able to infect the machine, but it also caused the Firefox Linux browser to crash and freeze, and it captured unnecessary amounts of data that would have complicated the task of stealing credentials.
Under Ubuntu 12.04, HoT failed to work at all thanks to this distribution’s ptrace scope protection. Even disabling this made little difference as the browser suffered similar crashes and the malware proved unable to capture anything.
A more general weakness was the lack of commercial exploit packs for Linux that are commonly used to automate drive-by campaigns against Windows users, RSA said.
“Hand of Thief has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals,” said RSA’s Yotam Gottesman, who conducted the analysis.
The malware could also easily be removed from an infected Linux system simply by deleting the files dropped during installation.
Linux malware, of course, is incredibly rare and the dramatic-sounding Hand of Thief malware would have been the first designed to attack online bank access on the OS.
To date, HoT has not been detected in real-world attacks.
