Hand of Thief: Linux already has its desktop Trojan.


Finally, we can say that we have significant enough market share for malware makers to pay attention to us. Only in this case it is not malware for Android, but malware for Linux distributions for the desktop.

Hand of Thief is a banking Trojan developed in Russia that was successfully tested on 15 distributions including Ubuntu, Debian and Fedora and on 8 desktop environments (GNOME and KDE included obviously) and can be sneaked into any browser (including Firefox and Chrome)

And what evils does he do? A banking Trojan is like a keylogger designed to detect string patterns. Steal cookies, collect computer and browsing data even using HTTPS, and block infected machines from accessing sites that offer security updates. What is not clear is how it manages to infect its victims (they speak of links and form grabbing, but a specific path or vulnerability is not specified).

It is also mentioned that malware can be sold (as if it were software for everyday use) in certain underground forums for 2000 dollars, a fairly high price compared to the price paid for malware for Windows, but reasonable considering the ease of compromising Windows .




The content of the article adheres to our principles of editorial ethics. To report an error click here!.

53 comments, leave yours

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   staff said

    I was just reading the news in the source and the only thing that generated me was a smile.
    I would not pay 2,000 dollars for a malware that in the end has to be installed by the user with his password to work 🙂

    1.    eliotime3000 said

      And on top of that, you can see it running when you run the TOP process viewer.

  2.   cabj said

    I have to be careful with AUR

  3.   babel said

    The good thing about Linux is that its users are usually more aware of the implications of installing external software. Those who use Linux in an amateur way or they read or believe that without caution something can happen to them (as cabj says about AUR).

  4.   Erick said

    I think that the truth is that they are paying us so much attention and on the other hand it is very difficult to do in Linux that someone pays 2,000 dollars just for a little information, I do not think it will be very commercial, but you always have to beware.

  5.   cat said

    I suppose that if I do not commit the idiocy of falling into social engineering tricks, I have installed a Firewall and I am careful with what I install from AUR / Launchpad I do not have to worry, right?

    1.    diazepam said

      I do not think so.

      1.    elhui2 said

        @Diazepan smells like a yellow note lol I don't like it, even if you don't have a firewall or antivirus (I've never installed one for linux) and the permissions system ??? if in windows and mac it asks every time something tries to enter the system and save something, why should it enter linux which is less permissive ??? for me that are lies uu

      2.    yukiteru said

        The note is yellowish for others, because as it is well known in GNU / Linux, unless you spend very lightly installing software from sites or repositories of dubious origin, there is no possibility that this will affect you, and the reason is Very simply, the "Trojan virus" cannot infect the machine unless you give it the sudo password (insert laugh here).

        Let's not let anyone with some prudence and intelligence install a program that will do miracles with your Linux or that promises to make you rich overnight, since as the same "sales advisor" of the Trojan says: "I suggest the use of email and social engineering as an infection vector. » so @gato, yes, you are absolutely right with your comment.

        1.    cat said

          I say that, the only antivirus is the user, it depends on the factory if it is good or bad (a verse xD).

          1.    eliotime3000 said

            I guess it's one of those Russian scams.

          2.    David Gómez said

            Most turn out bad.

    2.    myself said

      Don't worry, most AUR programs are supervised by other users, just take a look at the PKGBUILD download URL.

  6.   David said

    Well, the truth is that Linux is gaining more and more market, and 2000 dollars is actually quite low considering that most servers in the world are Linux, if someone has access to the information contained in them, it can cause quite significant damage such as for example the banking area ... but as always happens later, the entire community has to resolve this issue ... xD

  7.   Jesus Israel Perales Martinez said

    I don't know, but that just smells like rumors to me xD, I still don't understand how it infected me, I don't understand it, I already read almost all the blogs that talk about the Trojan but its operation is not clear to me, a window will pop up telling me to enter your root password to be able to steal your data? Will it kill the firewalld, will it leave me unable to use any of the tty? , and as I read in the comments of the note in English where it was published, they were saying that it is very difficult for GNU users to fall into these types of attacks, the truth is that they have another culture of Internet browsing if you can call it that , the absent-minded is not lacking 😛

    1.    eliotime3000 said

      For now, what is known about this "Trojan" is that it is nothing more and nothing less than a keylogger with a backdoor.

  8.   merlin the debianite said

    Have and where do you get the software, how does it bypass the root password, the firewall, and how does it disable security updates, does it delete sources.list or what? nobody says how it works, they are crazy. If it does all that minimum, it would have to know how to violate the root.

    1.    eliotime3000 said

      True. Also, I have seen quite a few programs that use SUDO to be able to install dependencies (even Steam uses it), making the system a little more vulnerable and therefore I prefer to use root over sudo.

      If it breaches root and daemons the kernel, then use BSD. For now, I did not see any relevant vulnerabilities that make you distrust that system.

  9.   majority said

    How does a virus affect Linux, if it does not have our root, how would it affect the kernel and the different daemons in services that are always running the system ... I had time with Linux and never had problems in that sense. The most that can happen is that it affects the system itself with some configuration ...

    1.    merlin the debianite said

      you are right the user is the biggest weakness not only of linux but of any operating system.
      If not, look that almost 5 years ago I ignorantly executed this command in / home and /:
      dd if = / dev / zero of = / dev / hdd bs = 8192

      You can imagine what happened next.

      1.    eliotime3000 said

        And if you don't password root it anyway, it would generate a passkey to proceed with sensitive functions like daemons.

  10.   xbd know how to learn said

    mmmm but viruses have already appeared for linux, but trojans have not noticed me.
    puff I don't remember what year it was 2009-2012 I don't remember what year it was, that 50 viruses were released for Linux and it took about 7 months to resolve and install all the necessary patches.

    Today in 2013 I see something new thanks from linux, I almost came to think that linux is indestructible.


    PS: It would be an oṕcion that you will talk a little about FREE BSD to see the opinion of the experts.

    1.    Ankh said

      If you have swung with that one. There were no viruses for linux in those years. And I doubt that more than 10 have been made in all of history. In addition, here we talk about Trojans, its programming is not more complex and does not depend on system failures, it is just one more application with functionalities that the user is unaware of.

      1.    eliotime3000 said

        In that I agree with you.

    2.    Giskard said

      Friend, Posix systems do not support viruses. A virus, by definition, is SELF-REPELLENT, and that's just out of context on posix systems.
      Malware all you want, because there it depends on the clumsiness and idiocy of the user.

      1.    yukiteru said

        +1 man, these types of notes are nothing more than tabloid at their finest.

    3.    yukiteru said

      50 Linux viruses and they took 7 months to patch? LOL!

      Are you sure you use Linux or Windows?

      In my life I have heard viruses for Linux and I hope I do not hear it 😀

  11.   eliotime3000 said

    If that malware requires SUDO to access, then I'm safe [Ok, no].

    Well, I hope that among all the known distros they make their respective reviews to release their updates as soon as possible and thus avoid finding exploits.

  12.   ka0s said

    I was amused by this news when I saw it on the cover, for the simple fact that a few months ago I was testing the clamtk antivirus. When performing a recursive scan of the .mozilla directory, my surprise was that my browser was infected with malware such as "phishing" and something related to "bank".

    For this reason, reading this news has been funny to me, for that reason I invite you to analyze your team out of curiosity.

    1.    yukiteru said

      Phishing generally does not work like this, since its main objective is to make the victim provide the desired information himself. The result that clamtk threw you could be because in your temps there was some script code of some phishing that runs on the internet, which are many, but fighting this evil is very simple, every time you enter your bank page or some private service , clean your temporary and problem solved.

      Tools like HTTPS Everywhere, WOT and NoScript will make your system more secure against this type of thing, another thing that helps and a lot is simply to verify that the addresses of the web pages you visit before providing information.

      1.    eliotime3000 said

        The most tangible tool for these cases is to enter unknown websites in hidden mode (incognito in Chrome, private tab in Opera and Firefox / Iceweasel). That practically worked for my brother and they never robbed him again.

        1.    yukiteru said

          Well yes, Incognito mode has been a great tool in terms of security in this matter.

  13.   ejmalfatti said

    They found out what happened with lavabit.com, enter the site and see. I went to read my mail, and chann… Is it because of the Edward Snowden case?

      1.    diazepam said

        Yes, here is an alternative that is paid but that offers the same and is based in Switzerland

        1.    eliotime3000 said

          Good option, although to my bad luck (rather, my bad choice), more than 8 years ago I sacrificed my privacy.

  14.   dale it said

    This is getting a lot of hype about this and it's just a show that fucks you up, like any other. The difference is that this one wants to hurt you.

    The one who does not get it is that he believes that programs are created by themselves.

  15.   eco-slacker said

    I think it is difficult that one day we will see Linux as full of malware as Windows, but the snowball has started to run ... although a little slow.
    We must always be careful when using our equipment, it does not matter if we have Linux, Windows, OSX, etc.

    1.    eliotime3000 said

      Obviously, since it is protected with user permissions, and the truth is that it is quite common to put these failed virus attempts.

      Furthermore, the Linux kernel is a benchmark in quality when compared to the BSD kernel.

  16.   Sergio E. Duran said

    I just made a request to Linus Torvalds from his Google+ if he can correct this vulnerability in the new Linux kernel 3.11 to see if he can so that we can live without the hand of the thief stalking us closely 🙂

    1.    yukiteru said

      At least Linus must be crashing with laughter with that comment 😀

  17.   eliotime3000 said

    I don't know if this is the first really working virus for Linux or is it the most convincing internet scam that has been created in recent years.

    1.    yukiteru said

      I argue that it is a scam, a very far-fetched one indeed.

      1.    eliotime3000 said

        That must be. Let's see if they can figure it out.

  18.   [750mhz] said

    Malware for UNIX-based systems has been around for a long time. Be it backdoors, rootkits or keyloggers. But one generally installs them after compromising the system.


  19.   Angel_Le_Blanc said

    Well, as they say, the weakest part in the security of the operating system is the user.

    1.    eliotime3000 said

      According to Angel Le Blanc.

  20.   martin said

    pucha, it leaves me thinking and maybe the bad times will come

    1.    eliotime3000 said

      Don't worry, In GNU / Linux, viruses practically don't work because of the permissions system that is in the system.

  21.   Diego said

    Malware on GNU / Linux?


  22.   french said

    Well, I think that everything also depends on the user and the precautions they have, if one remains alert there is no need to worry