Cybercrooks have created a banking Trojan that targets Linux users, which is been touted for sale on underground cybercrime forums for just $2,000 a pop.
The "Hand of Thief" malware is a rare example of malicious code written especially to target the open-source operating system. The digital nasty includes form-grabbers for HTTP and HTTPS sessions running on a variety of browsers as well as routines to block access to security updates or access to the websites of anti-virus vendors.
The malicious code also incorporates virtual machine detection designed to make it more difficult for security researchers to unpick its secrets.
Limor Kessem, a security researcher at RSA, reports that the Linux banking Trojan tool is on sale in underground cybercrime forums for $2,000, an introductory offer price that is likely to rise to $3,000 as new features are added.
"The current functionality includes form-grabbers and backdoor capabilities, however, it’s expected that the Trojan will have a new suite of web injections and graduate to become full-blown banking malware in the very near future," Kessem writes. "At that point, the price is expected to rise to $3,000 (€2,250 EUR), plus a hefty $550 per major version release."
The Russian cybercrooks behind the Trojan claim it has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian, and eight different desktop environments, including Gnome and Kde.
RSA researchers managed to obtain the malware-builder as well as the server-side source code before putting together a write-up on the capabilities of the malware.
There are millions of different strains of Windows malware, so many that most antivirus vendors have given up counting them. Cybercrooks produce so many as part of a strategy to overwhelm, or at least delay, the creation and application of security defences.
Android malware is also a growing problem, with 718,000 malicious and high risk Android apps collected by Trend Micro at the end of June.
There are a far lower number – perhaps hundreds – of malicious Mac OS X apps, and an even smaller number of nasties that affect Linux. Most of the Linux malware created so far affects servers instead of desktops, so the Hand of Thief is doubly rare.
The creation of Hand of Thief shows that cybercrooks think there's a market for tools that lift banking credentials from the boxes of Linux users, perhaps including those who use Ubuntu and the like for e-commerce transactions precisely because they correctly reason it's less at risk from malware infestation.
Windows banking Trojans such as Zeus and SpyEye are often spread using browser exploits and the like from compromised websites, running the infamous Blackhole Exploit Kit or similar. This is an effective strategy and more subtle than anything available to miscreants who fancy chancing their arm with Hand of Thief.
Kessem notes that aren’t significant exploit packs targeting Linux. Even those selling the malware admitted as much and told RSA researchers posing as potential buyers that email and social engineering was the best way available to trick open source fans into installing the malware.
The creations of Hand of Thief might be an "early sign of Linux becoming less secure as cybercrime migrates to the platform" but Kessem is still left wondering: "Without the ability to spread the malware as widely as on the Windows platform, the price tag seems hefty, and raises the question – will the Linux Trojan have the same value as its Windows counterparts?" ®