> The Linux operating system is designed to have a high level of security. However, this year a few attempts to attack Web servers by backdoors redirecting traffic or malicious apache modules have been discovered. The aim of this Trojan is to compromise user desktop systems. With features designed to abuse sensitive browser information, it could advance Linux users a step forward in this specific environment. The same threatening environment in which Windows users have existed for years. The statement that the Linux platform is absolutely secure now seems even more illusive.

Once you have the ability to run code on a system (as someone dropping this trojan would), all bets are off. This has nothing to do with "security" and it's quite misleading to say that it does. I'm no fan of Linux from a security perspective, but this story has no impact on the security posture of a Linux system, period.
So the first question that came to mind: how does it inject code into processes? You need something for that: a working exploit, the CAP_SYS_PTRACE capability, you name it. Googling reveals just a bunch of stupid articles that don't mention what you need to "install" that trojan.

According to http://www.techrepublic.com/blog/linux-and-open-source/hand-of-thief-malware-could-be-dangerous-if-you-install-it/

    The good news is that Hand of Thief must have the root
    (or sudo) password in order to install.

So how would it be? "Yow, just add this line to sources.list and run apt-get cool-hd-wallpapers-2013"?

Hello there. I'm the unix virus. Please sudo run me.
> The statement that the Linux platform is absolutely secure now seems even more illusive.

What now? When did anyone ever claim Linux was "absolutely secure"? Second, how is an attack that depends on the user installing malicious software evidence of a security lapse in the system itself? If you're just going to run anything I tell you to run, I'll give you:

sudo rm -rf /
"The known version of Hanthie is starting processes using a fake Kernel process in user-space called [flush-8:0] and starting from the init process instead of the kernel process. So the current detection can be performed from user-space with the following script:

    if [[ $(ps -eaf|grep "\[flush" | tr -s " " |cut -d" " -f 3|grep ^1$) ]]; then echo "Infection suspected"; else echo "No infection suspected"; fi

"

from https://www.circl.lu/pub/tr-15/
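The CIRCL one-liner above only looks for a "[flush" process whose parent is PID 1. The script below is an added example, not code from the CIRCL report or from this thread, that generalises the same idea: on Linux every real kernel thread is a child of kthreadd (PID 2), so any process that presents a bracketed, kernel-thread-style name but is not parented by kthreadd is worth a second look. It reads `ps -eo pid,ppid,args --no-headers` style lines from stdin so it can be exercised on the constructed sample included in the block; the sample lines, the function names and the PID values are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the CIRCL report or the thread): flag processes that
# look like kernel threads (bracketed command name) but are not children of
# kthreadd (PID 2). Real kernel threads are spawned by kthreadd, so a
# "[flush-8:0]" whose parent is init (PID 1) is suspect.
#
# Input: one process per line in the form "PID PPID COMMAND", as produced by
#   ps -eo pid,ppid,args --no-headers
# The function reads that on stdin and prints only the suspicious lines.
find_fake_kthreads() {
    awk '
        # $3 is the command field; kernel threads appear as "[name]"
        $3 ~ /^\[.*\]$/ {
            pid = $1; ppid = $2
            # kthreadd itself (PID 2, parent 0) is legitimate, as are its children
            if (pid == 2 && ppid == 0) next
            if (ppid != 2) print
        }
    '
}

# Constructed sample of ps output (not captured from a real infection):
# the [flush-8:0] with PPID 1 is the kind of entry the CIRCL script looks for.
SAMPLE_PS='    1     0 /sbin/init
    2     0 [kthreadd]
   15     2 [flush-8:0]
  402     1 [flush-8:0]
  403     1 /usr/sbin/sshd -D
  501   402 /usr/lib/firefox/firefox'

# Runs the check over the constructed sample; returns 0 and prints the hits
# when something is suspicious, 1 otherwise.
check_sample() {
    hits=$(printf '%s\n' "$SAMPLE_PS" | find_fake_kthreads)
    if [ -n "$hits" ]; then
        echo "Infection suspected:"
        echo "$hits"
        return 0
    fi
    echo "No infection suspected"
    return 1
}

# Live use on a host (not executed here):
#   ps -eo pid,ppid,args --no-headers | find_fake_kthreads
```

This is a heuristic, not proof: `ps` prints a bracketed name for any process whose /proc/PID/cmdline is empty, so a userspace program can choose to look like this, and conversely a match only tells you where to start looking (the parent chain, the binary behind /proc/PID/exe, open sockets).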
Can anyone explain how the form grabbing for Chrome works? For a code base as large as Chrome's, how would one go about finding the function(s) involved with sending POST data? There was a thread on HN about a month ago about Hand of Thief which sparked my curiosity. I was able to write a crude form grabber for Firefox, but couldn't figure out how to do it for Chrome.

For Firefox, I know about PR_Write (there's some information on how to form grab Firefox under Windows which I found applicable). Since the PR_Write function is in a shared library, you can use LD_PRELOAD to get Firefox to call your custom form-grabbing PR_Write, which can then call the original one.

Not trying to do anything malicious - just genuinely curious.
> Immediately after start, the Trojan checks if it does not run in a virtualized environment

What would be the performance implications of running everything under a virtual machine on a very light host OS? The idea had not previously occurred to me, but it seems like there would be a ton of advantages to that, including increased security.

I know that some compatibility issues will vary depending on VM software, but from a pure performance perspective, what kind of loss are we looking at?
So as it seems "commercial" malware is coming to the Linux desktop: are there already any good, free antivirus programs for Linux?

I had a quick look at http://www.clamav.net/ but it seems to target mainly Windows stuff attached to mails and, from some comments on the net, isn't that reliable at detecting known malicious stuff ...
The article states "we observed an anti-monitoring check (no communication if wireshark or tcpdump is running)". Does anyone know how resistant it would be to logging of outbound connections with iptables?
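The anti-monitoring check the article describes is a process-list check, and netfilter logging does not show up there: the iptables LOG target fires inside the kernel's packet path whether or not a capture tool is running. The block below is an added example, not from the article or this thread, of how such logging is set up and how the resulting kernel log lines can be summarised. The iptables matches and target used (`-m conntrack --ctstate NEW`, `-m owner --uid-owner`, `-m limit`, `LOG` with `--log-prefix`) are standard; the chain name OUT_NEW, the "desk" host name, the addresses and the log lines are constructed for the example, and the rules themselves are shown in comments rather than executed because they need root on the monitored host.

```shell
#!/bin/sh
# Added example (not from the article or the thread): log new outbound
# connections with the netfilter LOG target and summarise the kernel log lines
# it produces. The rules below are for reference only and are not run here.
#
#   iptables -N OUT_NEW
#   iptables -A OUTPUT -m conntrack --ctstate NEW -j OUT_NEW
#   # attribute connections from the desktop user's UID (1000 assumed) in the prefix,
#   # since a LOG line carries no process or user information by itself
#   iptables -A OUT_NEW -m owner --uid-owner 1000 -m limit --limit 30/min \
#       -j LOG --log-prefix "OUT_NEW uid=1000: " --log-level 4
#   iptables -A OUT_NEW -m limit --limit 30/min \
#       -j LOG --log-prefix "OUT_NEW: " --log-level 4
#   iptables -A OUT_NEW -j RETURN
#
# The lines then appear in /var/log/kern.log (or `journalctl -k`) in the usual
# netfilter "KEY=VALUE" form, which is what the functions below parse.

# Reads LOG lines on stdin and prints "PROTO DST DPT COUNT", one line per
# (protocol, destination, port) triple, highest count first.
summarize_outbound() {
    awk '
        /OUT_NEW/ {
            proto = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (dst != "") count[proto " " dst " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort -k4,4nr -k2,2
}

# Prints only the summary lines whose destination is not in the space-separated
# allowlist given as $1; this is where an unexpected C2-style destination would
# stand out against the host's usual traffic.
unexpected_destinations() {
    allowed="$1"
    summarize_outbound | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)
    '
}

# Constructed kernel log sample (not captured from a real host); the last line
# is an unrelated kernel message that must be ignored.
SAMPLE_KLOG='Aug 10 12:00:01 desk kernel: [ 812.301] OUT_NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4021 DF PROTO=TCP SPT=45678 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:04 desk kernel: [ 815.117] OUT_NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4022 DF PROTO=TCP SPT=45680 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:09 desk kernel: [ 820.442] OUT_NEW uid=1000: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4023 DF PROTO=TCP SPT=45681 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 10 12:00:10 desk kernel: [ 821.003] OUT_NEW: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4024 DF PROTO=UDP SPT=51000 DPT=53 LEN=44
Aug 10 12:00:11 desk kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd'

# Live use (not executed here):
#   journalctl -k | unexpected_destinations "198.51.100.5 192.0.2.1"
```

Two caveats a defender should keep in mind: a LOG line identifies the socket endpoints, not the process, so attribution has to come from the `-m owner` prefix or from correlating with `ss -p` at the time; and the `-m limit` rate cap means a burst of connections is sampled rather than fully recorded, which is the price of keeping the kernel log usable.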