“Hand of Thief” banking trojan doesn’t do Windows—but it does Linux

“Hand of Thief” banking trojan doesn’t do Windows—but it does Linux.

-- Tom

 

link
Sounds ominous. Then again, email infection requires stupidity (plaintext only=>meh) which leaves social engineering.
Not too worried, yet.

 

In Linux, you have to run a downloaded application as root. It makes it difficult though not impossible for malware to run on a Unix system.

And a Linux trojan can't infect Windows.

 

Exactly. No script on the Web Browser too and click-to-play flash. Done. If you are really wanting security than go for GRSecurity/PaX.

 

You can run an application without root.

 

When its installed. In Linux distros, installation of new software and upgrades is always done from a centralized repository. That way, the user won't be tricked into installing untrusted software on the system. Everything you need is in one place. That's different from what users coming from Windows are used to.

 

Why would you need root to execute a file? I can download any file and execute it without root.

Yes, if I want to install software through apt, of course I need root. And if malware wants access to root files it needs root. But you can definitely do quite a lot without root.

 

This is correct. If you download a native linux binary it can execute as long as it has the proper permissions(chmod a+x for example). Not to mention if an exploit is used it would have the same rights as the application that was exploited. Which if is plenty in most situations, after that we run into privilege escalation exploits where the trojan can jump from limited privileges to full root privileges.

Keep up to date - run with plugins on click-to-play and run with noscript. If worried run with a hardened kernel.

 

RBAC is a nice solution, as even root is limited, and you'd have to enter your administrative role to get the regular equivalent of root.

But yeah, the only reason social engineerign is harder on Linux is because most users install from repos and that's it. But the OS itself is not, by default, so much more secure. Maybe a few specific programs though (Chrome on Linux destroys Chrome on Windows).

 

What be big deal?
Mrk

 

That is why repos exist - to eliminate users from running any program that's not trusted. If they can't install from the repos, that eliminates 99% of possible malware vectors.

That's a reason very few viruses and trojans ever get written for Unix systems. Plus the market isn't large enough to justify compromising these systems. As Mrvonic has rightly pointed out this morning, "what be big deal?" Indeed!

 

That is assuming a) that the user can't be fooled into installing something malicious, and b) that social engineering does in fact enter into it.

Let's think on this a bit. How can an arbitrary binary or script be executed? Via an exploit in some application. With what privileges will it run? The privileges of the exploited process. What are those privileges? For most readily exploitable processes on most distros, those would be the privileges of the user in question (i.e. discretionary access control). So a malicious program has full access to the user's files, and probably their screen, sound card, etc... Just like on Windows.

At this point you might say, "Wait a minute, it's not root, so it can't hide itself." And you'd (probably) be right. But it doesn't have to hide itself, if it's a banking trojan; it only has to remain unnoticed long enough to snag your PIN.

tl;dr As long as there are vulnerable applications on Linux, it will remain vulnerable as a desktop platform. And as it gets more popular, that vulnerability will become more of a problem.

I'll grant that the state of the art re mandatory access control is better on Linux than on Windows, but who actually uses MAC? And of those who do, who uses it properly?

 

You've never added an unofficial PPA? or installed sotware outside of repos?

The only reason there are few attacks on Linux desktop users is because of market.

You are correct that the repos make things much better, but users can be tricked.

@GJ,

I think most distros at least have some profiles for SELinux/Apparmor.

 

Some do. I'm not aware of any that have a good default profile for Firefox, or for e.g. PDF readers. And AppArmor I'm not sure is all that helpful on desktops anyway, given the vulnerabilities inherent in the design of the X server. AppArmor won't protect you from keylogging for instance.

Linux does have kinda-sorta-okay memory protection (ASLR, etc.) but that can't be counted on to cover logical flaws in desktop programs, which are probably common. Big programs like Firefox offer plenty of hiding places for nasty bugs.

I would say the situation is still fairly crappy.

 

Ubuntu has its default PDF reader in an apparmor profile I believe, Evince.

Keylogging is definitely an issue though.

I'd consider the situation better than Windows, certainly. But not satisfactory.

One nice thing is that Mir/Wayland should solve the keylogging issue, at least across user contexts.

 

People do extend the functionality of their distro. Most have the minimal standard applications. If the Linux desktop become as popular as Windows, more attacks would be written for it. Exactly, why is why users typically are not allowed to run Linux as root in the first place. A Linux distro can be hardened using available tools - and most ship with the firewall turned on by default.

 

Its more satisfactory than in Windows. I have never had to run AV once on Linux. Its available but its primarily present to protect Windows users from infected attachments that could be sent from a Linux system. The only things you need on Unix is common sense, safe computing practices and keep on your firewall.

 

... Clearly you did not read my post.

The current situation of Linux as a relatively malware-free haven is mostly due to its small user base.

 

No arguments there.
It seems likely that (given the plethora of different programs in the repos as in PDF readers, media players, etc) browsers are the common target in the linux user base, so adding Noscript/ScriptSafe, as x942 already mentioned will still offer a nice first line of defense.
Prevention of 'arbitrary' content can also be easily achieved using an adblocker.

-And regarding adding PPAs or anything non-repo, every linux user should know (s)he's left the comfort zone and requires a 'scrutinizing mindset' (or whatever the more appropriate term is..).

 

Most PDF readers are actually based on the same library (poppler), so they might not be so hard to exploit.

Media players might be a more challenging target, but VLC and GStreamer based players are both pretty common I think. A vulnerability in ffmpeg would also be nasty, since it could maybe be used to exploit the video thumbnailing functionality in Dolphin or Nautilus.

Speaking of which, the same image libraries are used almost everywhere AFAIK.

Other thoughts:

- As Hungry Man has pointed out before, XChat is unmaintained and probably vulnerable.

- FDO desktop files might be possible to exploit. Could the desktop file parser be fooled? Could it be forced to run an arbitrary shell command instead of loading an icon, perhaps?

- Hey, here's a good one: many window managers use XML for configuration. A vulnerability in one of the various XML parsers might allow for a trojaned WM theme that executed arbitrary code.

- Another good one: Vim modeline support is disabled in most distros specifically because it can be used to create trojaned text files, which will execute an arbitrary command when opened in Vim.

The reality is that anything that does input parsing is theoretically vulnerable. 99% of the time a desktop user doesn't have to worry about this, because blackhats like to choose the path of least resistance (i.e. browser exploits and social engineering). OTOH, as OSes' native defenses against exploits get more advanced, and exploit kits get more popular, more exotic exploits may become commonplace; and as Linux gets more popular, MAC frameworks may warrant more thought.

IMO the situation on Linux will eventually be similar to that on Windows right now, where staying secure requires at least some knowledge of the OS and of one's options for defense.

 

Yeah that's totally not possible on Windows. /s

 

@GJ,

Yes, there's quite a lot of attack surface once you're local on a system. Remote attack surface is there, of course, but it can easily be snipped down to just a few programs, and it's thankfully very easy to confine them all on Linux with MAC.

If Distros were ever put in the position (As Microsoft was years ago) where they were forced to deal with security they would have an easy time doing it - the tools all exist already, they can use them at any time.

So cost of exploitation would be significantly higher than on Windows since distros can take more responsibility for more applications than Windows can (through updating them and confining them with better tools) leaving attackers to more targeted attacks or social engineering.

As has been mentioned, most people use the software center/ repos, so social engineering is more difficult too.

Linux users would certainly have to deal with security threats, but the tools for securing Linux are already so advanced (way more than Windows tools), they just have to be used.

 

An analysis done by RSA shows that the uproar concerning this trojan was overrated.

 

The Ubuntu-based test machine did particularly well preventing the trojan from attaching to other processes with its built-in to the kernel ptrace scope protection mechanism

 

http://www.zdnet.com/linux-hot-bank-trojan-failed-malware-7000020436/