[sf-lug] Linux Trojan available to thieves

Rick Moen rick at linuxmafia.com
Thu Aug 8 14:21:11 PDT 2013


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> 
> Hand of Thief is the name of it and the story is at the url below.
> I was there reading
> a story about a program for Linux to run Mac software.
> 
> <http://arstechnica.com/security/2013/08/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux/>

The interesting thing about trojans -- and something essentially never
mentioned by security firms that make money off selling people magic
protection and spooking them -- is that the trojan is inevitably a
passive payload, a secondary aftereffect of an _actual_ security 
breach.

The referenced news story, as usual, utterly fails to mention by what
mechanism if at all one might come to install the trojan.  It merely
assumes and starts with someone having done so, and then discusses what
the locally installed undesired process then does.

News flash:  If you can somehow convince a computer user to install a
trojan from nowhere-in-particular-and-nobody-in-his-right-mind-would, 
then the trojan can and will do anything its user authority permits.
So, the Arstechnica story really says nothing.

The linked blog posting at RSA Security is
<https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/>,
and is pretty much typical rubbish, again utterly failing to say even
Word One about what user error, horrible neglect of basic software
maintenance, or other mechanism would cause the trojan kit to be
installed.  About the only thing that can be determined from it is that
the trojan doesn't appear to include any code to attempt privilege
escalation, hence the user is apparently induced to somehow shoot only
his/her user authority in the foot, not compromising his/her whole
system.

Which among other things means that the vector of entry could be
something as prosaic and uninteresting as stolen ssh tokens lifted from
a user ssh'ing INTO the target server from a shared host elsewhere that
has been security compromised, and not a weakness in the target server's
software at all.

In the future, when you see these articles, the key thing to look for is
'How does this get run?'  When, as is almost always the case, they
cannot be bothered to say, then it's just the usual self-promotion
rubbish from security firms.



> The story mentions infected Linux servers with another malicious
> software as well.

  'The number of Linux machines running Apache and other Web servers
  that are infected by Darkleech and similar exploits --recently
  estimated to be in the 20,000 range [link] --suggests the platform
  isn't out of the reach of motivated attacker'

All together now:  'How does this get run?'

Neither the Arstechnica piece nor the linked article cited from the
above paragraph has anything meaningful to say about that.

So:  The usual rubbish.


>     Also an Android trojan.

All together now:  'How does this get run?'

Nothing.  Doesn't say.  Not a word.  

Again:  Trojans are a dime a dozen to write, just like ELF infector
viruses.  They don't themselves attack, and aren't even very
interesting; they are consequences (aftereffects) of security compromise
by other means. 

And please remember going forward:  The standard of quality in articles
about malware in the IT press (including Arstechnica) is abysmal, and
seldom rises above quoting scaremongering and vague self-promotion from
the security industry.  Please read with heightened skepticism.
