Linux 'Hand of Thief' Trojan offered for sale at $2,000 a time

Russian gang tries its luck

Researchers have discovered a Trojan capable of attacking multiple Linux distros being offered for sale by enterprising Russian criminals for $2,000 (£1,300) a time. Time for Linux users to worry or is this another speculative attack?

Linux malware has hitherto been a vanishingly small subject with most of the recent examples being attacks on Apache web servers. When desktop-oriented attacks turn up they are usually experimental, the work of a curious programmer that are not heard of again. A good example would be the Snasko rootkit from 2012.

What has been discovered by RSA is a malware-building kit for a programme called 'Hand of Thief', the name given to the platform by its creators rather than the researchers.

The malware is designed to steal data from Linux systems, apparently running any one of 15 distributions and eight environments (i.e Gnome, KDE) the developer claims to have tested it on, including Ubuntu, Fedora and Debian.

Specifically, it includes a form-grabbing function for use against Firefox, Chrome and Linux-only browsers such as Chromium, Aurora and Weasel, including capturing HTTPS sessions. In non-technical parlance, it will steal any credentials it can under the directions of a bot system which collects what it steals in an SQL database.

"Writing malware for the Linux OS is uncommon, and for good reason. In comparison to Windows, Linux's user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains," said RSA cyber intelligence expert, Limor Kessem.

"Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users."

The criminals selling Hand of Thief thought that infecting Linux systems was likely to be so difficult that an attacker would need to use social engineering to install the malware, she said.

The criminals developing the software suggest it could eventually be turned into a banking malware platform at which point the price would rise to $3,000 a time plus a further $550 for upgrades.

How seriously should Linux users take this kind of threat? It looks as if the crime ware group has got ahead of itself. Kessem notes that even the $2,000 price is expensive by malware standards while the idea of targeting a small base of Linux users with commercial banking malware sounds fanciful.

Why buy software to target 0.5 percent of the world's desktops when a programme costing a third as much can be used to attack the 94 percent running Microsoft's software?

If Linux users were to have any attraction to criminals it would likely be to steal server and system credentials to be used as part of a recon in advance of an APT-style attack.

"Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty," said Kessem.