Hand of Thief Linux Trojan fails to work as promised
Posted on 03.09.2013
RSA researchers have recently spotted a banking Trojan targeting Linux systems being sold online by a cybercrime team based in Russia.

Dubbed Hand of Thief by its creator(s), the malware apparently has form grabbing and backdoor capabilities, and is able to block the victims' access to hosts offering AV solutions and security updates. It also purportedly works on 15 different Linux desktop distributions and supports 8 different desktop environments.

Well, the same researchers have managed to get their hands on the HoT Trojan builder, allowing them to build, test and analyze HoT binaries - and the verdict is not good for the creator, sellers or the buyers.

"The Trojanís executable is a 32-bit compiled ELF, and as such, will only run on 32-bit versions of the Linux OS (running HoT on a 64-bit machine would require some workarounds)," Yotam Gottesman, a senior researcher with RSA FraudAction Research Labs, explained in a blog post.

As far as the configuration file is concerned, the difference between this malware and similar ones is that the file is embedded into the binary by its builder - meaning that in order to change the information in it, the botmaster must build a new version of the binary and update its botnet with it.

The file is also versatile, and allows the botmaster to make a number of changes to the functioning of the malware, including updating a list of URLs which the Trojan is to block access to (e.g. sites for downloading AV updates).

"This part of the Trojanís functions was accurately described by its vendor and confirmed by the actual analysis of the builder and config file," Gottesman notes, and adds that also (as announced) the developer is working at implementing the web-injection mechanism for the Trojan.

But the promise of it working on a variety of Linux desktop distributions, environments and browsers has not been fulfilled.

They tried to run the binary on a couple of test machines running Fedora 19 and Ubuntu 12.04, and default Firefox and Google Chrome versions, but the browsers either freezed or crashed, or the malware was able to grab requests indiscriminately, quickly creating clutter at the drop server, or the malware didn't work at all because of the OS' protection mechanism. On one occasion, it even showed a ďgreetingĒ screen on the infected machineís active terminal - and all of this isn't very conducing to a stealthy and successful operation.

"Although it initially appeared to be a compelling new Trojan entrant, RSAís in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data. Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process," Gottesman points out.

"Hand of Thiefís developer claims that he is in the final stages of implementing a web-injections mechanism, but since the Form grabber he designed is not functional on the browsers he claims to have tested, the injections are not very likely to work either."


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th