Hand of Thief trojan and your favorite Linux distribution

The Hand of Thief (HoT) trojan is a commercial form-grabber and backdoor banking trojan released in July (2013) and aimed at Linux distributions. Coding and selling of these type of malware is a big and booming business, supported by the bad guys (the coders) and those worse than they are (individuals, companies and government agencies that patronize them). There are no good guys in that business.

According to an analysis of HoT by Yotam Gottesman, a Senior Security Researcher at RSA’s FraudAction Research Labs, the trojan, like other malware of its type, is designed to do damage while trying to avoid being detected by the infected host’s security system. No surprises there.

The analysis also showed that HoT does not work as advertised, at least not yet. But the interesting part of the result of the analysis that peeked piqued my interest concerns how HoT fared on Ubuntu 12.04 and Fedora 19, two distributions it was tested on.

On Fedora 19, and regarding the trojan’s ability to work as intended, there was no security measure on the distribution that could have stopped it, if not for HoT’s inability to capture meaningful data from Firefox and Google’s Chromium, the two browsers used for the testing and analysis.

However, on Ubuntu 12.04, HoT failed to work. The reason? The researcher found that:

…a protection mechanism named ptrace scope was enabled by default. This protection prevents a process from attaching to a different process even when the user-ID matches (unlike the default Linux behavior). The protection effectively blocked the Trojan from interfering with other processes which rendered the Hand of Thief form-grabber and URL-blocker useless.

There are browser differences in the trojan’s ability to capture meaningful data, but that security mechanism on Ubuntu that rendered HoT’s core function “useless” is the type of security mechanism that should be enabled by default on all distributions.

This is just one trojan, and while it is largely a dud, at least at this stage in its development, there could be more out there, more that we know nothing about. The major distribution developers should take this as a wake-up call. We like to say that Linux is more secure than Windows, but are we prepared for dealing with quality malware like HoT?

One question I wanted to have the researcher answer for me is this: Why did SELinux not stop the trojan from functioning on Fedora 19?

Related Posts

How to create a Twitter Sentiment Analysis using R and Shiny Every time you release a product or service you want to receive feedback from users so you know what they like and what they don’t. Sentiment Anal...
Wireless Phones Can Affect The Brain, Swedish Study Suggests A study at Örebro University in Sweden indicates that mobile phones and other cordless telephones have a biological effect on the brain. It is still t...
Anaconda on root and user account password strengths: Why so strict? So the third alpha release of what will become Fedora 22 has been released and I've managed to download ISO installation images of the main edition, w...
Weave introduces ‘Gossip’ DNS service discovery for containers WeaveDNS is a service discovery solution for containers on Weave (network), a a networking solution for Docker containers from Weaveworks. WeaveDNS...
K Means Clustering in R K Means Clustering is an unsupervised learning algorithm that tries to cluster data based on their similarity. Unsupervised learning means that th...
Don’t laugh, but the US has charged 5 Chinese military hackers with cyber espionage I don't know what category to fit this one in. I can't even bring myself to laugh, even though it makes for a good laugh. All I can do is shake and sc...

We Recommend These Vendors and Free Offers

ContainerizeThis 2016 is a free, 2-day conference for all things containers and big data. Featured, will be presentations and free, hands-on workshops. Learn more at ContainerizeThis.com

Launch an SSD VPS in Europe, USA, Asia & Australia on Vultr's KVM-based Cloud platform starting at $5:00/month (15 GB SSD, 768 MB of RAM).

Deploy an SSD Cloud server in 55 seconds on DigitalOcean. Built for developers and starting at $5:00/month (20 GB SSD, 512 MB of RAM).

Want to become an expert ethical hacker and penetration tester? Request your free video training course of Online Penetration Testing and Ethical Hacking

Whether you're new to Linux or are a Linux guru, you can learn a lot more about the Linux kernel by requesting your free ebook of Linux Kernel In A Nutshell.


  1. What default value does ubuntu use for ptrace_scope? If it’s only “1” then it looks like it could easily be circumvented by having the tracer get itself into a position where it can be the parent of the tracee (perhaps by changing the executable in the browsers application desktop file under ~/.local/share/applications)

    Higher values of ptrace_scope look like they would still protect against this unless root was compromised, but unless you want to disable ptrace completely system-wide then it looks like the only reliable way to prevent a process being traced at all is for it to call prctl(PR_SET_DUMPABLE, 0) to disable any attachment to the process. Perhaps this is something all the web browsers should do unless their built with something like –enable-debug.

    Anyway, interesting blog-post and something I wasn’t aware of, so thanks for posting.

  2. it’s piqued, not peeked.

Leave a Comment

Your email address will not be published. Required fields are marked *