Hand of Thief trojan and your favorite Linux distribution

Linux

The Hand of Thief (HoT) trojan is a commercial form-grabber and backdoor banking trojan released in July (2013) and aimed at Linux distributions. Coding and selling of these type of malware is a big and booming business, supported by the bad guys (the coders) and those worse than they are (individuals, companies and government agencies that patronize them). There are no good guys in that business.

According to an analysis of HoT by Yotam Gottesman, a Senior Security Researcher at RSA’s FraudAction Research Labs, the trojan, like other malware of its type, is designed to do damage while trying to avoid being detected by the infected host’s security system. No surprises there.

The analysis also showed that HoT does not work as advertised, at least not yet. But the interesting part of the result of the analysis that peeked piqued my interest concerns how HoT fared on Ubuntu 12.04 and Fedora 19, two distributions it was tested on.

Related Post:  EFF Tool Offers New Protection Against 'Firesheep'

On Fedora 19, and regarding the trojan’s ability to work as intended, there was no security measure on the distribution that could have stopped it, if not for HoT’s inability to capture meaningful data from Firefox and Google’s Chromium, the two browsers used for the testing and analysis.

However, on Ubuntu 12.04, HoT failed to work. The reason? The researcher found that:

…a protection mechanism named ptrace scope was enabled by default. This protection prevents a process from attaching to a different process even when the user-ID matches (unlike the default Linux behavior). The protection effectively blocked the Trojan from interfering with other processes which rendered the Hand of Thief form-grabber and URL-blocker useless.

There are browser differences in the trojan’s ability to capture meaningful data, but that security mechanism on Ubuntu that rendered HoT’s core function “useless” is the type of security mechanism that should be enabled by default on all distributions.

Related Post:  Quantum Computers Easier to Build: Can Tolerate Faulty or Missing Components, Researchers Say

This is just one trojan, and while it is largely a dud, at least at this stage in its development, there could be more out there, more that we know nothing about. The major distribution developers should take this as a wake-up call. We like to say that Linux is more secure than Windows, but are we prepared for dealing with quality malware like HoT?

One question I wanted to have the researcher answer for me is this: Why did SELinux not stop the trojan from functioning on Fedora 19?

Share:

Share on facebook
Facebook
Share on twitter
Twitter
Share on pinterest
Pinterest
Share on linkedin
LinkedIn

Hola! Did you notice that LinuxBSDos.com no longer run network ads?  Yep, no more ads from the usual suspects that track and annoy you across the Internet. But since I still need to pay to keep the site running, feel free to make a small donation by PayPal or your favorite cryptocurrency.

  • Bitcoin
  • Ethereum
  • Xrp
  • Bitcoin cash
  • Bitcoin sv
  • Litecoin
  • Binance coin
  • Cardano
  • Ethereum classic
Scan to Donate Bitcoin to bc1qzvlte2m224zkayhdc7fdfjkp2rsgt0l5a496ua

Donate Bitcoin to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin

Scan to Donate Ethereum to 0x0F4362DFF77F3Ba0Dc637F5f3Eba35D09a2fA60C

Donate Ethereum to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum

Scan to Donate Xrp to r4ggjvL36njsMCYTkJ3S7cTHscPsMsSGQv

Donate Xrp to this address

Scan the QR code or copy the address below into your wallet to send some Xrp

Scan to Donate Bitcoin cash to qrs0dedzp9t55af3nfwypydghp29r0xguy9s20fz2k

Donate Bitcoin cash to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin cash

Scan to Donate Bitcoin sv to 15K9TLyVDBtLuG9cYvXCX9SSkq9C9oUKHK

Donate Bitcoin sv to this address

Scan the QR code or copy the address below into your wallet to send some Bitcoin sv

Scan to Donate Litecoin to LetJ9QQMb7u2LMZ9Tu6rtHwcBcQFW98fbG

Donate Litecoin to this address

Scan the QR code or copy the address below into your wallet to send some Litecoin

Scan to Donate Binance coin to bnb1ga8trq08ssqepd90v6225nzfgy448pu5pw8gxp

Donate Binance coin to this address

Scan the QR code or copy the address below into your wallet to send some Binance coin

Scan to Donate Cardano to addr1qx2354yw49etstfljpdhwja3ajjlt487lg95vu9ngy2q6vu4rf2ga2tjhqknlyzmwa9mrm997h20a7stgectxsg5p5esq5l7d9

Donate Cardano to this address

Scan the QR code or copy the address below into your wallet to send some Cardano

Scan to Donate Ethereum classic to 0xcD6CC972a2297FcafACDcfE042C55C69516a9264

Donate Ethereum classic to this address

Scan the QR code or copy the address below into your wallet to send some Ethereum classic

Subscribe for updates. Trust me, no spam!

Sponsored links

1. Attend Algorithm Conference, a top AI and ML event.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.

Upcoming events

4 Responses

  1. What default value does ubuntu use for ptrace_scope? If it’s only “1” then it looks like it could easily be circumvented by having the tracer get itself into a position where it can be the parent of the tracee (perhaps by changing the executable in the browsers application desktop file under ~/.local/share/applications)

    Higher values of ptrace_scope look like they would still protect against this unless root was compromised, but unless you want to disable ptrace completely system-wide then it looks like the only reliable way to prevent a process being traced at all is for it to call prctl(PR_SET_DUMPABLE, 0) to disable any attachment to the process. Perhaps this is something all the web browsers should do unless their built with something like –enable-debug.

    Anyway, interesting blog-post and something I wasn’t aware of, so thanks for posting.

      1. Remember the good old days of peek and poke instructions. Anyway back on topic. I’m kind of also wondering why SELinux could not stop the trojan from operating.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the latest

On social media
Via my newsletter

Partner links

1. Attend Algorithm Conference, a top AI and ML event for 2021.
2. Reasons to use control panel for your server.
3. DHgate Computers Electronics, Cell Phones & more.
Hacking, pentesting distributions

Linux Distributions for Hacking

Experts use these Linux distributions for hacking, digital forensics, and pentesting.

Categories
Archives

The authors of these books are confirmed to speak during

Algorithm Conference

T-minus AI

Author was the first chairperson of AI for the U.S. Air Force.

The case for killer robots

Author is the Director of the Center for Natural and Artificial Intelligence.

Why greatness cannot be planned

Author works on AI safety as a Senior Research Scientist at Uber AI Labs.