Linux banking trojan spotted in the wild
Until now, Linux users could sit back and relax when the talk turned to viruses, trojans and other malware: they weren’t a problem for them. Because Linux desktop users are few in number, and because of the positive flipside of the lack of Photoshop, iTunes et al., malicious software in the Linux world has been limited to two classes: proof-of-concept code for exploits that has never been seen “in the wild”, and targeted attacks on vulnerabilities in server software.
This golden age for Linux users could now be drawing to a close. Security specialist Limor Kessem from RSA has written on her blog about the “Hand of Thief” banking trojan, which attacks only Linux machines and is currently being offered for sale in underground forums for US$2,000 with free updates. It has been developed by a cybercrime team based in Russia.
The trojan’s developer claims it has been tested on 15 different Linux desktop distributions, including Ubuntu, Fedora and Debian. It includes a form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome and several other browsers common on Linux, such as Chromium, Aurora and Iceweasel. As for desktops, the malware supports eight different environments, including Gnome and KDE.
The malicious code also incorporates virtual machine detection, designed to make it more difficult for security researchers to unpick its secrets, as well as routines that block access to security updates and to the websites of anti-virus vendors.
“Hand of Thief” exploits no Linux security holes; the user has to install it themselves, for example by opening an email attachment without checking it first, or by installing software from sources other than the recommended repositories of their Linux distribution.
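One thing a Linux administrator can take from the description above is a concrete check for the update-blocking behaviour. The article does not say how the trojan blocks update servers and anti-virus sites; tampering with /etc/hosts is one common way malware does this on Linux, and the following Python script assumes that mechanism. It is an added example, not code from the article, from RSA or from the malware's authors; the watchlist of hostnames and the sample hosts file are constructed for the example.

```python
#!/usr/bin/env python3
"""Scan an /etc/hosts file for entries that black-hole or redirect
security-update and anti-virus vendor hostnames.

Added example. Assumption: the malware pins these hostnames in /etc/hosts
(to loopback/0.0.0.0 to block them, or to another address to redirect them).
Those names are normally resolved via DNS, so any static entry for them is
worth a look.
"""
import ipaddress
import sys

# Hostnames a banking trojan would plausibly want to block. This watchlist
# is an assumption made for the example, not taken from the article.
WATCHLIST = (
    "security.ubuntu.com",
    "archive.ubuntu.com",
    "security.debian.org",
    "updates.fedoraproject.org",
    "download.fedoraproject.org",
    "clamav.net",
    "virustotal.com",
)

# Constructed sample /etc/hosts used for offline testing of the check.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.10  fileserver.lan
0.0.0.0     security.ubuntu.com
127.0.0.1   www.clamav.net clamav.net
10.13.37.5  security.debian.org   # attacker-controlled mirror
"""


def parse_hosts(text):
    """Yield (address, [hostnames]) for each entry; comments are stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no names, or junk
        yield fields[0], fields[1:]


def _on_watchlist(hostname, watchlist):
    """True if hostname equals a watchlisted name or is a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == w or h.endswith("." + w) for w in watchlist)


def find_hijacks(text, watchlist=WATCHLIST):
    """Return a list of {'host', 'address', 'kind'} for suspicious entries.

    kind is 'blackhole' when the name is pinned to a loopback or unspecified
    address (0.0.0.0, 127.x, ::1), otherwise 'redirect'.
    """
    findings = []
    for addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a valid address; out of scope for this check
        for name in names:
            if not _on_watchlist(name, watchlist):
                continue
            kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append({"host": name, "address": addr, "kind": kind})
    return findings


def main(argv):
    """Scan the given hosts file (default /etc/hosts); exit 1 if anything is found."""
    path = argv[1] if len(argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = find_hijacks(fh.read())
    for f in findings:
        print(f"{f['kind']:9s} {f['host']} -> {f['address']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 hosts_check.py` on a live system, or pass a path to a copy of the file taken from a suspect machine. A clean result only rules out this one mechanism; a resolver that has been reconfigured (e.g. via /etc/resolv.conf or a local proxy) would need a separate check.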