Lots of coverage this week relating to ‘Hand of Thief’, the latest black-market Trojan designed for any aspiring cyber-fraudster – yours for just $2000.
It’s concerning news in that the threat to your personal data – predominantly your internet banking details – is an increasingly marketable commodity, but for the IT community the additional interest in this particular piece of malware is that it has been engineered specifically for Linux. Estimates suggest that Linux as a desktop OS accounts for less than 1% of the worlds’ total. Of course, Linux is very popular as a host/server OS, but Hand of Thief is squarely intended to intercept a user’s browser interactions. It may be a proportionally small pool of potential targets but at least you get 100% of it – the quantity of malware targeted on the Linux OS is negligibly tiny compared to the tens of millions of newly added malware variants being discovered in the Windows world every year.
What Would Walter White Do?
The market for Hand of Thief seems to be modelled in the image of Breaking Bad’s Walter White’s structure for his blue crystal meth market (I’m sure I don’t need to explain what Breaking Bad is?). At the top, there is a development lab manufacturing the malware, and the guys engineering the code, like Walter and his trainee cooks, seem satisfied just to produce and sell product. Their customers will either be the criminal gangs looking to use the malware to steal banking information, or there could even be a further tier of middle-men operating the phishing network to distribute the malware and gather account codes and passwords to sell onto other groups. These will be the guys actually logging in and transferring the cash out.
The timing is interesting too – with the Citadel bust just being made public, the headline and moral of the story should have been that the perpetrators have just been jailed, but maybe the estimated $500M stolen was actually the more eye-catching element of the story? So instead of acting as a warning and deterrent to other cybercriminals, the story could just as likely have inspired even more to “get rich or die tryin’”, just like the notorious Albert Gonzalez who held this as his motto when he undertook his various scams targeting cardholder data theft.
Linux Users – Welcome to the New Wild West
The only real conclusion is that the inevitable proliferation of cybercrime-enabling malware continues, and that the previous ‘high ground’ afforded by the Non-Windows Operating Systems seems now to be diminishing. The good news is that host intrusion detection system (HIDS) technology is also progressing – real-time FIM is already available for Mac OS X, and nearly all other contemporary Linux and Unix, including Solaris, Ubuntu, RedHat and Suse. This means that there is already HIDS technology to detect malware, even Zero Day attacks that will evade anti-virus systems. Furthermore, with prevention always being the ideal strategy, hardening checklists can now be applied using the same file integrity monitoring technology to audit Linux hosts and Desktops to ensure most vulnerabilities are closed down and kept out. And of course, vigilance is always going to be required – phishing attacks have doubled in the last 12 months and this all points to a potentially upwards spiraling trend.