
“Hand of Thief” Trojan Targets Linux - tomrod
https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/
======
ds9
Also written up on Ars Technica
([http://arstechnica.com/security/2013/08/hand-of-thief-bankin...](http://arstechnica.com/security/2013/08/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux/))

It is not a real remote exploit due to any flaw in Linux, rather it is
something the purveyors trick people into installing via "social engineering".

~~~
bitwize
Don't copy and paste commands into your shell, kids.

~~~
imurray
Even if they look safe: [http://thejh.net/misc/website-terminal-copy-paste](http://thejh.net/misc/website-terminal-copy-paste)
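
An added example, not from the thread or the linked demo page: a POSIX shell guard for text that is about to be pasted into a terminal. The trick the linked page shows works because the clipboard carries more than the text you see, typically an embedded line break (so the hidden command runs the moment it lands in the terminal) and control characters that keep part of it off-screen. The function below flags both. The function names, variable names and the constructed sample inputs are my own.

```shell
# Added example, not from the thread or the linked demo page. The trick
# the page shows works because the clipboard carries more than the text
# you see: a line break (so the pasted command executes before you can
# read it) and often control characters that keep part of it off-screen.
# paste_guard checks a string for both before it ever reaches the shell.
# Function and variable names here are my own.

# paste_guard TEXT
#   returns 0 and prints "ok" if TEXT is one line of printable text,
#   returns 1 and prints a warning for each problem otherwise.
paste_guard() {
    text=$1
    status=0

    # Every newline inside the clipboard is a command that will run on
    # paste. wc -l counts newline characters, so a clean one-liner gives 0.
    breaks=$(printf '%s' "$text" | wc -l | tr -d ' ')
    if [ "$breaks" -gt 0 ]; then
        echo "WARNING: $breaks embedded line break(s); the text would execute on paste"
        status=1
    fi

    # ESC (terminal escape sequences), CR (overwrites the current line)
    # and other control bytes are what hide text in a terminal. Tabs are
    # flagged too; a command you meant to copy should not need one.
    if printf '%s' "$text" | tr -d '\n' | LC_ALL=C grep -q '[[:cntrl:]]'; then
        echo "WARNING: control characters present; dump the text with 'od -c' before running it"
        status=1
    fi

    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# show_bytes TEXT: print the clipboard contents byte by byte so hidden
# characters become visible (od -c is POSIX; GNU 'cat -A' is an alternative).
show_bytes() {
    printf '%s' "$1" | od -c
}

# Constructed inputs (not real clipboard captures): the second mimics the
# linked demo, where a hidden span appends a second command and a newline
# after the visible one.
if [ "${1-}" = demo ]; then
    paste_guard 'git clone https://example.com/project.git'
    paste_guard "$(printf 'git clone https://example.com/project.git\nrm -rf ~')"
    show_bytes "$(printf 'git clone https://example.com/project.git\nrm -rf ~')"
fi
```

The shell itself can take part of this burden: Bash 4.4 and later support readline's `enable-bracketed-paste` setting (on by default from Bash 5.1), which makes a multi-line paste sit on the command line until you press Enter instead of executing line by line; zsh has the equivalent `bracketed-paste-magic` widget. That still does not help if you press Enter without reading, so a byte-level look with `od -c` remains the check of last resort.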

~~~
betterunix
Indeed. This is one of the reasons I use the SELinux sandbox to run my
browser: there are a lot of ways that a browser could become a vulnerability.
I would like to think I would always remember not to copy/paste from a website
into my terminal, but the truth is that I could easily forget -- if I were in
a hurry, if I knew the guy who made the website (but did not stop to think
that someone might have hacked into the server), etc. Unfortunately it is hard
to advise that _everyone_ do this; the sandbox is very restrictive and
basically incompatible with how most people use their computers.

~~~
rufugee
Do you have any write-ups on how one would accomplish this SELinux sandbox for
your browser? Thanks!

~~~
betterunix
[http://danwalsh.livejournal.com/31146.html](http://danwalsh.livejournal.com/31146.html)

One very simple way to get a sandboxed browser is to run this command (my
irony meter is going off the charts here):

sandbox -X -t sandbox_web_t firefox

However, that will prevent any persistence between sessions, so you probably
want to do something more like this:

sandbox -X -H /path/to/some/directory -t sandbox_web_t firefox

My recommendation is that you read the man pages and experiment a bit.

~~~
dredmorbius
_my irony meter is going off the charts here_

Nothing wrong with showing commands and examples to be used. It's the cut-and-paste aspect that's an issue.

My first action was to search through my package repos (Debian) to see if that
sandbox command is known to my packaging system (it's not, hrm...).

------
bediger4000
Does this mean that Linux has arrived as a desktop that's worth exploiting?

~~~
tomrod
That was my takeaway.

------
adulau
The article is missing the MD5 hashes of the malware sample. There is an old
adage among malware reversers: "MD5 or it didn't happen".

------
simgidacav
This website has got a wrong and expired SSL certificate.

~~~
Fuxy
Yes... accept it so we can hack you next time more easily ;))

------
dmix
Working link: [http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-stea...](http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-steals-in-7000019175/)

------
greglindahl
Given the high price relative to the number of consumers that might be
attacked with this software, I'd bet that it will mostly be purchased by
people who want to do spear phishing.

------
WizzleKake
Anyone know what technique this package uses to grab information from forms?

LD_PRELOAD? ptrace?

I googled but only found ways of doing this that are Win32-specific.

