Linux Trojan “Hand of Thief” - 16s
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/

======
daeken
> The Linux operating system is designed to have high level of security.
> However, this year a few attempts to attack Web servers by backdoors
> redirecting traffic or malicious apache modules have been discovered. The
> aim of this Trojan is to compromise user desktop systems. With features
> designed to abuse sensitive browser information, it could advance Linux
> users a step forward in this specific environment. The same threatening
> environment in which Windows users have existed for years. The statement
> that the Linux platform is absolutely secure now seems even more illusive.

Once you have the ability to run code on a system (as someone dropping this
trojan would), all bets are off. This has nothing to do with "security" and
it's quite misleading to say that it does. I'm no fan of Linux from a security
perspective, but this story has no impact on the security posture of a Linux
system, period.

~~~
willvarfar
Bets aren't off. Look at what Chrome, NaCL does, or how iOS and Symbian (yeah)
and Android (eh Linux there actually) isolate.

Privilege escalation bugs are getting rarer.

If Ubuntu put the browser in a LXC etc things could move forward.

Bets not off! We should carry on trying!

~~~
pmelendez
Please correct me if I am wrong, but I think all the OSes that you referred to
run apps in sandboxes with strong limitations on file system access. If that
is the case, then the compromises might not be worth it on desktops.

~~~
gcr
If I'm not mistaken, Ubuntu ships Firefox with an AppArmor profile that
restricts it by default.

(Question for those in the know: what exactly does it prevent firefox from
doing?)

~~~
willvarfar
Yes it does. But I want defense in depth: I want it contained, I want OpenBSD-
style randomisations and so on.

------
lelf
So the first question that came to mind: how does it inject code into
processes? You need something for that: a working exploit, the CAP_SYS_PTRACE
capability, you name it. Googling reveals just a bunch of stupid articles that
don't mention what you need to “install” that trojan.

According to [http://www.techrepublic.com/blog/linux-and-open-source/hand-...](http://www.techrepublic.com/blog/linux-and-open-source/hand-of-thief-malware-could-be-dangerous-if-you-install-it/)

    The good news is that Hand of Thief must have the root
    (or sudo) password in order to install.

So how would it be? “Yow, just add this line to sources.list and run apt-get
cool-hd-wallpapers-2013”?

Hello there. I'm the unix virus. Please sudo run me.

~~~
chrissnell
Think about how much software is blindly cloned from Github and executed by
the unaware without so much as a look at the source. That's only one vector.

~~~
jvreeland
Yeah but none of the software I blindly download from any source gets run as
root.

~~~
arjie
Can't guarantee that, can you? Say you run it as non-root and it sits there
waiting for 'sudo * \n' and captures whatever you type after. Your non-root
software could then execute itself with sudo using the password that it's
captured.

~~~
superuser2
Don't you need root to read keystrokes not being sent to you?

~~~
ori_b
Not under X11. See `xev -id $WINDOW_ID` for a demonstration.

There's the XACE (X11 Access Control Extension) that tries to make it harder
to snoop, but I don't believe that it's enabled by default in most
distributions.

~~~
jebblue
I tried this: I started gedit, then xwininfo to get the window id, then xev -id,
and then started typing in gedit. I saw event information but didn't see what
characters were being typed, so what's the point you're trying to make?

~~~
FreeFull
I do see what characters are getting typed when I do the same thing. For
example:

    KeyPress event, serial 28, synthetic NO, window 0x2000003,
        root 0x2b7, subw 0x0, time 322414662, (225,283), root:(1057,269),
        state 0x0, keycode 26 (keysym 0x65, e), same_screen YES,
        XLookupString gives 1 bytes: (65) "e"
        XmbLookupString gives 1 bytes: (65) "e"
        XFilterEvent returns: False

~~~
jebblue
I barely see half that information, so something's different about how we're
doing it. I'm on Ubuntu 12.04 btw.

~~~
FreeFull
Do you see all the information when you let xev make its own window rather
than look at a different window?

------
Arnor
> The statement that the Linux platform is absolutely secure now seems even
> more illusive.

What now? When did anyone ever claim Linux was "absolutely secure"? Second,
how is an attack that depends on the user installing malicious software
evidence of a security lapse in the system itself? If you're just going to run
anything I tell you to run, I'll give you:

    sudo rm -rf /

~~~
cLeEOGPw
I am not an expert on Linux, but I always assumed there is less malware, first,
because many more people are using Windows (the target audience is much bigger),
and second, because malware creators wouldn't want to create viruses for the
systems they use.

~~~
Arnor
Linux certainly is not immune to malware in general or even "viruses" in
particular, but a virus isn't a very effective means of attacking "Linux."
While it's usually used as a catch-all for any malware, a virus is a specific
type of malware. It needs to be able to infect a machine, then spread. Most
Linux installations use a security model that requires an administrative (root
or sudo) password to install software. The biggest challenge that virus
authors have when targeting "Linux" is the wide range of distros.

When you target Windoze you can write a .exe file and convince your victim to
execute it. What type of file would you use to attack Linux users? If they use
RPM, you could use a .RPM file. If they use Debian or Ubuntu, you could
provide a .deb file. If you are attempting to send your virus to every email
address in the victim's address book, you would need to know the package
manager of the victim before deciding which attack package to distribute.
Certainly, you could distribute the package as a script which determines the
OS then grabs the appropriate package from a repository and installs it, but
then you're exposing a lot of information about your attack to every victim.
Eventually someone catches it.

So no Linux is not immune to viruses, but it's more the platform than the
audience that prevents these attacks. When you want to attack Linux users, use
a rootkit instead. Actually... please don't attack Linux users, there are
enough Windoze users out there, and you shouldn't attack them either...
because... ethics

------
babuskov
I read the article twice, but failed to find the attack vector. How would you
get infected by this, short of running it yourself manually?

~~~
Shish2k
It's a trojan, not a worm.

[http://en.wikipedia.org/wiki/Trojan_horse_(computing)](http://en.wikipedia.org/wiki/Trojan_horse_(computing))
[http://en.wikipedia.org/wiki/Computer_worm](http://en.wikipedia.org/wiki/Computer_worm)

~~~
concernedctzn
That should be obvious from reading the linked article, and I think someone
asking for the attack vector would know this as well. It is a valid question,
we know that people are tricked into installing the trojan but every article
about this so far has been light on details as to how they are tricked. A
browser exploit, malicious software repository, no confirmation on anything so
far.

------
adulau
"The known version of Hanthie is starting processes using a fake Kernel
process in user-space called [flush-8:0] and starting from the init process
instead of the kernel process. So the current detection can be performed from
user-space with the following script:

    if [[ $(ps -eaf | grep "\[flush" | tr -s " " | cut -d" " -f 3 | grep ^1$) ]]; then
        echo "Infection suspected"
    else
        echo "No infection suspected"
    fi

"

from [https://www.circl.lu/pub/tr-15/](https://www.circl.lu/pub/tr-15/)
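The same heuristic as the CIRCL one-liner quoted above, written as an added example (not CIRCL's script) in functions so it can run on captured `ps -eaf` text as well as on the live system. It assumes the usual `ps -eaf` column layout (PPID in field 3, CMD in field 8) and relies on real kernel flusher threads being children of kthreadd (PID 2) rather than init (PID 1):

```shell
#!/bin/sh
# Added example, not CIRCL's script. A genuine [flush-8:0] is a kernel thread
# whose parent is kthreadd (PID 2); a user-space impostor started by init has
# PPID 1, which is the indicator the CIRCL report describes.

# Read `ps -eaf` output on stdin and print every process whose command (field 8)
# starts with "[flush" and whose PPID (field 3) is 1. Exit 0 if any, else 1.
flush_children_of_init() {
    awk '$8 ~ /^\[flush/ && $3 == 1 { print; found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# check_ps_text TEXT: apply the filter to a captured listing held in a variable.
check_ps_text() {
    printf '%s\n' "$1" | flush_children_of_init
}

# verdict TEXT: print the same two messages as the CIRCL one-liner.
verdict() {
    if check_ps_text "$1" >/dev/null; then
        echo "Infection suspected"
    else
        echo "No infection suspected"
    fi
}

# Constructed `ps -eaf` samples (not captured from a real machine).
PS_CLEAN='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:00 ?        00:00:01 /sbin/init
root         2     0  0 09:00 ?        00:00:00 [kthreadd]
root       214     2  0 09:00 ?        00:00:00 [flush-8:0]'

PS_SUSPECT="$PS_CLEAN
alice     4242     1  0 09:07 ?        00:00:00 [flush-8:0]"

verdict "$PS_CLEAN"      # No infection suspected
verdict "$PS_SUSPECT"    # Infection suspected

# Against the running system: same verdict logic, plus the offending lines.
scan_live_system() {
    ps -eaf | flush_children_of_init
}
```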

------
WizzleKake
Can anyone explain how the form grabbing for Chrome works? For a code base as
large as Chrome's, how would one go about finding the function(s) involved
with sending POST data? There was a thread on HN about a month ago about Hand
of Thief which sparked my curiosity. I was able to write a crude form grabber
for Firefox, but couldn't figure out how to do it for Chrome.

For Firefox, I know about PR_Write (there's some information on how to form
grab Firefox under Windows which I found applicable). Since the PR_Write
function is in a shared library, you can use LD_PRELOAD to get Firefox to call
your custom form-grabbing PR_Write, which can then call the original one.

Not trying to do anything malicious - just genuinely curious.

~~~
revelation
This applies if the function you are looking for is not easily accessible,
i.e. not an exported symbol in some shared library.

You find the function you are interested in in Chrome's code base, then look
for it in the compiled binary or library it's located in (with debug symbols,
usually). You build a pattern from the function's code bytes. You then inject
your evil library into the target process (also through LD_PRELOAD, but there
are tons of ways) and have it search in the process memory for the function
from the bytes you acquired previously. You temporarily change the page
protections and overwrite the first few bytes of the target function to
instead jump directly into your code.

You have to be careful with calling conventions or you will corrupt the stack,
and often you want to preserve the original bytes of the function such that
you can call into it from your replacement function.

This is what is called a hook, or a detour. Microsoft even has a library for
this that does all of the previous in a neat package
([http://research.microsoft.com/en-us/projects/detours/](http://research.microsoft.com/en-us/projects/detours/)),
but the basic redirection is very simple.
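Defender-side checks for the two injection routes discussed in the last two comments, a library pulled in through LD_PRELOAD (or /etc/ld.so.preload) and a library mapped into a process from an unusual path. This is an added example, not code from the thread; it assumes Linux /proc layouts, and the list of "normal" library directories is an assumption to extend for your distro:

```shell
#!/bin/sh
# Added example, not from the thread. The filters read text on stdin so they
# run both on constructed samples and on /proc/<pid>/environ and /proc/<pid>/maps.

# Read a NUL-separated environment block (the format of /proc/<pid>/environ)
# and print the value of LD_PRELOAD, if any.
preload_from_environ() {
    tr '\0' '\n' | sed -n 's/^LD_PRELOAD=//p'
}

# Read /proc/<pid>/maps text and print mapped shared objects that live outside
# the usual system library directories (assumed list; extend for your distro).
foreign_libs() {
    awk '$6 ~ /\.so(\.|$)/ { print $6 }' | sort -u \
        | grep -Ev '^/(usr/)?lib(32|64|x32)?/|^/usr/local/lib/' || true
}

# live_check PID: run both checks against a real process (needs read access to
# /proc/PID) and report a non-empty /etc/ld.so.preload.
live_check() {
    echo "LD_PRELOAD for PID $1:"
    preload_from_environ < "/proc/$1/environ"
    echo "shared objects mapped from outside system library directories:"
    foreign_libs < "/proc/$1/maps"
    if [ -s /etc/ld.so.preload ]; then
        echo "/etc/ld.so.preload is non-empty:"
        cat /etc/ld.so.preload
    fi
}

# Constructed samples (not captured from a real process).
SAMPLE_ENVIRON='HOME=/home/alice\0LD_PRELOAD=/tmp/.x/libgrab.so\0PATH=/usr/bin\0'
SAMPLE_MAPS='7f3a00000000-7f3a0001c000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a00100000-7f3a00101000 r-xp 00000000 08:01 5678 /tmp/.x/libgrab.so
7f3a00200000-7f3a00201000 rw-p 00000000 00:00 0
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]'

sample_preload() { printf "$SAMPLE_ENVIRON" | preload_from_environ; }
sample_foreign() { printf '%s\n' "$SAMPLE_MAPS" | foreign_libs; }

sample_preload   # prints /tmp/.x/libgrab.so
sample_foreign   # prints /tmp/.x/libgrab.so
```

A process that the attacker started with LD_PRELOAD set shows the variable in its environ only until it scrubs it, so the maps check is the more robust of the two.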

------
mistercow
> Immediately after start, the Trojan checks if it does not run in a
> virtualized environment

What would be the performance implications of running everything under a
virtual machine on a very light host OS? The idea had not previously occurred
to me, but it seems like there would be a ton of advantages to that, including
increased security.

I know that some compatibility issues will vary depending on VM software, but
from a pure performance perspective, what kind of loss are we looking at?

~~~
gaius
These days, not much, 5-10%. Most VMs "cheat" and are effectively
paravirtualized (e.g. using guest additions that talk to the hypervisor
directly).

~~~
mistercow
I played some with VirtualBox and an Ubuntu install, and it looks like the
graphics support really isn't there yet (WebGL didn't work at all, for
example), but I might give it another shot with a non-free alternative at some
point.

------
queeerkopf
So it seems "commercial" malware is coming to the Linux desktop: are there
already any good, free antivirus programs for Linux?

I had a quick look at [http://www.clamav.net/](http://www.clamav.net/) but it
seems to target mainly Windows stuff attached to mails and, from some comments
on the net, isn't that reliable at detecting known malicious stuff ...

~~~
krondor
I haven't looked in a while, but ClamAV actually did very well in some third
party virus tests. You shouldn't need a Linux-specific product. Good AV
systems detect viruses for multiple platforms regardless of the host
performing the scan. It's actually really hard to gauge AV effectiveness, so
take those published tests with some healthy skepticism. ClamAV detects Linux
and Windows viruses, but does not include an on-access scanner. It's usually
fired off manually or hooked via other programs (spam scanners).

There is, however, a FUSE FS, ClamFS
[http://clamfs.sourceforge.net/](http://clamfs.sourceforge.net/), that provides
on-access scanning for Linux with ClamAV. I have no idea how much overhead
that incurs, but it probably isn't a small amount. A lot of enterprise
offerings provide on-access scanning (McAfee, F-Prot, Kaspersky, and more).

I'd imagine there are Firefox and Chrome add-ons as well.

------
gcb0
TIL: create a scsi device named after the pattern virtual box uses and be
immune to all trojans.

------
mb0
The article states "we observed an anti-monitoring check (no communication if
wireshark or tcpdump is running)". Does anyone know how resistant it would be
to logging of outbound connections with iptables?

------
chmike
How do we detect its presence?

~~~
orclev
Not entirely sure about detection, but it seems like you could just add some
"fake" indicators to your distro to make it look like it's a VM instance and
the trojan will helpfully delete itself.

------
segmondy
Much ado about nothing.