Linux “HoT” bank Trojan: Failed malware



Linuxratty
September 10th, 2013, 07:09 PM
Oh and Ubuntu is mentioned.


Initially it looked like the "Hand of Thief" (HoT) Trojan would be the first successful Linux Trojan. However, further investigation by RSA, the Security Division of EMC, reveals that the Hand of Thief is just another in a long line of so-called Linux malware that's more bark than bite.
http://www.zdnet.com/linux-hot-bank-trojan-failed-malware-7000020436/

grahammechanical
September 11th, 2013, 11:58 AM
"Blocked from running at all on Ubuntu Linux."

Is that due to the insistence on sudo? Things will get even better when Click packaging becomes standard for Ubuntu applications. I also think it shows the wisdom of installing Ubuntu Software Centre applications and being very careful about downloading software from web sites.

Regards.

philinux
September 11th, 2013, 12:53 PM
I also think it shows the wisdom of installing Ubuntu Software Centre applications and being very careful about downloading software from web sites.

Regards.

+1. I think the only package I got from the web was ubuntu-tweak. I don't even use that now.

Linuxratty
September 11th, 2013, 02:26 PM
Things will get even better when Click packaging becomes standard for Ubuntu applications. I also think it shows the wisdom of installing Ubuntu Software Centre applications and being very careful about downloading software from web sites.

Regards.

Yes, unless someone can get sudo, they can't do diddly. I also only get things through the repositories.
What is click packaging?

Never even used ubuntu-tweak.

philinux
September 11th, 2013, 02:37 PM
What is click packaging?


See this http://ubuntuforums.org/showthread.php?t=2142381&p=12708517&viewfull=1#post12708517

deadflowr
September 11th, 2013, 09:43 PM
"Blocked from running at all on Ubuntu Linux."

Is that due to the insistence on sudo? Things will get even better when Click packaging becomes standard for Ubuntu applications. I also think it shows the wisdom of installing Ubuntu Software Centre applications and being very careful about downloading software from web sites.

Regards.

It's even better than that.
From the RSA blog, they say they tested it on 12.04 and it turns out that ptrace scope is enabled by default, making the code unable to attach itself to other processes.
So not only would you have to install it yourself, but on Ubuntu you'd have to disable ptrace scope as well.
Not something any noob, or even moderately capable user would do.
https://blogs.rsa.com/rsa-peeks-into-the-bits-of-new-linux-based-trojan-hand-of-thief/
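
Added example, not code from the thread or from RSA's write-up: a small POSIX shell script that reads and interprets the Yama ptrace_scope setting deadflowr is describing, so you can check the same posture on your own box. It assumes the standard Yama interface at /proc/sys/kernel/yama/ptrace_scope; the function names are mine.

```shell
#!/bin/sh
# Added example: interpret the Yama ptrace_scope sysctl that, per the RSA
# post, kept HoT from attaching to other processes on Ubuntu 12.04.
# Assumption: the standard Yama LSM interface path below.
PTRACE_SCOPE_FILE=/proc/sys/kernel/yama/ptrace_scope

# Map a ptrace_scope value (0-3) to what it means for process attachment.
describe_ptrace_scope() {
    case "$1" in
        0) echo "classic: any process may ptrace any other process of the same uid" ;;
        1) echo "restricted: only an ancestor (or a PR_SET_PTRACER-designated process) may attach" ;;
        2) echo "admin-only: attaching requires CAP_SYS_PTRACE" ;;
        3) echo "no attach: ptrace attach is disabled and cannot be re-enabled until reboot" ;;
        *) echo "unknown value: $1"; return 1 ;;
    esac
}

# Return 0 when the value stops a same-uid process from attaching to
# unrelated processes (the behaviour the post describes), 1 otherwise.
blocks_same_uid_attach() {
    case "$1" in
        1|2|3) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Read the live value, if this kernel exposes Yama at all.
current_ptrace_scope() {
    if [ -r "$PTRACE_SCOPE_FILE" ]; then
        cat "$PTRACE_SCOPE_FILE"
    else
        echo "Yama ptrace_scope interface not present at $PTRACE_SCOPE_FILE" >&2
        return 1
    fi
}

# Report the posture of the running host.
report_ptrace_posture() {
    value=$(current_ptrace_scope) || return 1
    echo "kernel.yama.ptrace_scope = $value ($(describe_ptrace_scope "$value"))"
    if blocks_same_uid_attach "$value"; then
        echo "OK: unprivileged processes cannot attach to unrelated processes"
    else
        echo "WARNING: same-uid ptrace attach is permitted; consider 'sysctl kernel.yama.ptrace_scope=1'"
    fi
}

# Stand-alone run: report on this host (quietly skipped if Yama is absent).
report_ptrace_posture || true
```

Mode 1 is the Ubuntu default the post refers to: a process may still debug its own descendants (so gdb on a program you launch keeps working), but it cannot attach to an arbitrary process of the same user, which is what a process-injecting Trojan needs.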

John_McCourt
September 12th, 2013, 08:02 AM
unless someone can get sudo, they can't do diddly

Wrong. You can send emails without sudo, you can make http get requests without sudo, you can connect to another ssh server without sudo, you can add items to your current user startup without sudo, you can scan your local network without sudo, you can access your web browser history without sudo, you can run shell scripts without sudo, you can ping without sudo...


So all the bad guy needs to do is find a way to execute evil code on your machine to do all these things. Is it possible to execute bad code without sudo? Check the Ubuntu USN for more information. Sometimes applications in Ubuntu have security flaws which can be exploited by malicious hackers. There was even a case of the repository servers being hacked. Even these forums have been hacked due to bad security practice and (web) applications which weren't patched correctly.

Bottom line, it's important to keep all your Ubuntu machines up to date. That will help protect you from the vulnerabilities shown in the page I suggested. But you'll never be 100% safe from new vulnerabilities.

PS. when a Linux box does get hacked, the hacker doesn't always make it easy to find. Quite often they delete log records, or do things that are hard to notice. For example, do you know exactly which background processes are starting when you log into your ubuntu account? A hacker could add something in there that quietly makes you part of a botnet and you wouldn't even notice. If you're hosting a web server he could create a sub folder or add something to your apache conf. So don't ever think or say "I've been using Ubuntu for years and I haven't been hacked yet", because the likelihood is that you don't really know what is going on with your box and it's impossible to keep track of every file on your machine.
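
Added example, not code from the thread: a POSIX shell script that enumerates the per-user places a login session starts things from (XDG autostart entries, systemd user units and shell rc files), which is the baseline John_McCourt's question asks for. The sample home directory it builds is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: list what starts from a user's home directory at login,
# so "which background processes start when I log in?" has an answer.
# Paths follow the XDG autostart and systemd user-unit conventions.

# Print one line per autostart item found under the given home directory:
#   <source> <path> -> <command>
list_user_autostart() {
    home="$1"
    # XDG autostart: each .desktop file's Exec= line runs at desktop login.
    for f in "$home"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        exec_line=$(sed -n 's/^Exec=//p' "$f" | head -n 1)
        echo "xdg-autostart $f -> ${exec_line:-<no Exec line>}"
    done
    # systemd user units: started by the user's systemd instance.
    for f in "$home"/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        exec_line=$(sed -n 's/^ExecStart=//p' "$f" | head -n 1)
        echo "systemd-user $f -> ${exec_line:-<no ExecStart line>}"
    done
    # Shell startup files: report every line that is not a comment, blank,
    # export, alias or plain variable assignment, i.e. something that runs.
    for rc in .profile .bash_profile .bashrc .xsessionrc .xprofile; do
        [ -f "$home/$rc" ] || continue
        grep -nEv '^[[:space:]]*(#|$|export |alias |[A-Za-z_][A-Za-z0-9_]*=)' "$home/$rc" |
            while IFS= read -r line; do
                echo "shell-rc $home/$rc:$line"
            done
    done
}

# Number of items reported (useful for a quick "did anything change?").
count_user_autostart() {
    list_user_autostart "$1" | wc -l | tr -d ' '
}

# Build a constructed sample home directory so the example runs offline.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/.config/autostart" "$d/.config/systemd/user"
    printf '[Desktop Entry]\nType=Application\nName=Example\nExec=/usr/bin/example-updater\n' \
        > "$d/.config/autostart/example.desktop"
    printf '[Service]\nExecStart=/opt/example/keepalive\n' \
        > "$d/.config/systemd/user/keepalive.service"
    printf '# ~/.profile\nexport PATH="$HOME/bin:$PATH"\n/opt/example/agent >/dev/null 2>&1 &\n' \
        > "$d/.profile"
    echo "$d"
}

# Stand-alone run: inspect the constructed sample, then clean it up.
SAMPLE_HOME=$(make_sample_home)
list_user_autostart "$SAMPLE_HOME"
echo "total autostart items: $(count_user_autostart "$SAMPLE_HOME")"
rm -rf "$SAMPLE_HOME"
```

Run it against "$HOME" once on a clean install, keep the output, and diff it after any change you did not make yourself; add `crontab -l` to the baseline if you use cron, since per-user crontabs live outside the home directory.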

Yougo
September 12th, 2013, 08:14 AM
I think it's pretty easy to trick a user into giving sudo away. Just fake an apport bug report like dialogue or some other fake gksu dialogue and people will happily give their sudo to whatever script is running behind it. Once you do that, it's not your machine anymore.

Put a delay on the pop-up so people won't relate it to that thing they clicked on that website 45 minutes ago. It all runs in the background, adding users, groups, opening ports, grepping stuff from who knows where...

Granted, the weak spot would still be BKAC, but that's how easy it is.

Tinker Tantrum
September 12th, 2013, 12:42 PM
It's good to see that the good folks at Canonical have our backs, and as always: YAY Linux!