'Hand of Thief' Banking Trojan Targets Linux

By Robert Lemos  |  Posted 2013-09-04

Cyber-criminals developing malicious software commonly target the Windows operating system, only occasionally aim for Apple's Mac OS X, and very rarely look to compromise desktop systems running Linux.

Yet one developer is doing just that, according to an analysis published by security firm RSA on Sept. 3. The "Hand of Thief" Trojan aims to allow cyber-criminals to compromise more than a dozen different flavors of Linux and grab information from the systems. However, the nascent banking Trojan still is rife with issues and does not have all the necessary features to be an effective attack tool, Yotam Gottesman, senior security researcher with RSA's FraudAction Research Labs, told eWEEK.

"It is a work in progress," he said. "It's very early on in the development process."

Hand of Thief is a departure for attackers: While cyber-criminals have targeted Linux-based Web servers–especially those running open-source content management systems such as Wordpress, Drupal or Joomla–they typically have not created programs to focus on desktop Linux systems.

In early August, RSA described the Hand of Thief Trojan based on claims by the developer that it would run on 15 different desktop Linux distributions and run under eight different windowing environments. Since then, the company has obtained binaries for specific environments and the source code for the command-and-control software. In its analysis released this week, the company concludes that the Trojan is far from ready for distribution. It only runs, for example, on 32-bit Linux distributions and relies on hard-coded configurations to tailor its targeting.

The software comes with a tool, or builder, for creating malware clients that allows would-be cyber-criminals to create uniquely packed variants capable of fooling many signature-based security programs. In addition, Trojans created with the builder have some rudimentary features for detecting whether it is running inside a virtual machine.

The software is not yet active on the Internet, but RSA's researchers were able to obtain a copy and tested it on a machine running Fedora Linux and another running Ubuntu. On both systems, there were some major issues. When a user ran Firefox, the Trojan failed to collect any information, while under Google's Chrome browser, the Trojan did not have any mechanism for culling only the important information from the infected system.

"This means that the malware captured every single request from the browser in a very generic manner," Gottesman wrote in the analysis. "Grabbing requests in this manner will quickly clutter the drop server with useless data."

The software is currently being sold for $2,000, with the developer promising free updates. While the software is currently unfinished, it could eventually have full capabilities, including injecting content into banking Websites and better exfiltration and filtering features, the researcher said.

"Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data," Gottesman wrote in the analysis.

Rocket Fuel