[Novalug] "Hand of Thief Malware" targets linux

The Doctor drwho@virtadpt.net
Wed Aug 21 15:21:32 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/20/2013 11:31 AM, Jay Hart wrote:
> So if I read this right they have to hack the site you are going
> to, in order to steal your credentials.

That is not correct.  The workflow is very similar to Windows banking
trojans:

Someone e-mails you something enticing and gets you to double-click on
it from your desktop environment, getting you to execute it.  From the
article,  "...suggested using email and social engineering as the
infection vector."

The trojan seems to grab your browser's cookie database, and probably
your saved passwords database.  It explicitly hooks your browser
somehow (not sure how, I'd love to get my hands on a sample of this
beastie for my collection) and watches for you to log into banking
sites, whereupon it grabs your credentials.

It seems to hook the resolver to prevent you from visiting any AV
sites.  It explicitly does not tamper with /etc/resolv.conf (which
would be detectable because NetworkManager would pitch a fit and
interfere with normal operation).

The attack vector is really no different from hanging out on IRC in
the 90's and blindly running commands or shell scripts that someone
gave you in #linux or #linuxhelp (before the ops started banning
people who tricked people into running `sudo rm -rf /` without mercy).

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Truth doesn't have anybody to answer to." --S. John Ross

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIVEzwACgkQO9j/K4B7F8G7TQCdFTJ+T3s9QhUIt5RLKK4gcJ9y
QOAAnRkCkpOzX9mG5bZe+iJFiKHc7T6U
=zN6j
-----END PGP SIGNATURE-----