The appropriately named “Hand of Thief” trojan carries a formidable price tag – it’s now for sale in closed cybercrime communities for $2,000, with free updates, according to RSA cyber-intelligence expert Limor Kessem. The functionality includes form-grabbers and backdoor capabilities for now, but it’s expected that the trojan will have a new suite of web injections soon, she said. And so, it should graduate to become full-blown banking malware in the very near future.
At that point, the price is expected to rise to $3,000, plus a hefty $550 per major version release. But it’s unclear if it can command that kind of money for the long haul considering that, unlike KINS, it lacks the ability to spread the malware widely via the Windows platform.
“Although Hand of Thief comes to the underground at a time when commercial Trojans are high in demand, writing malware for the Linux OS is uncommon, and for good reason,” she said. “In comparison to Windows, Linux’s user base is smaller, considerably reducing the number of potential victims and thereby the potential fraud gains. Secondly, since Linux is open source, vulnerabilities are patched relatively quickly by the community of users.”
Thus, “these prices coincide with those quoted by developers who released similar malware for the Windows OS, which would make Hand of Thief relatively priced way above market value considering the relatively small user base of Linux,” Kessem said.
Also, it’s notable that there aren’t significant exploit packs targeting the Linux platform. “In fact, in a conversation with the malware’s sales agent, he himself suggested using email and social engineering as the infection vector,” Kessem noted. However, with recent recommendations to leave the supposedly insecure Windows OS for the safer Linux distributions, Hand of Thief could represent the early signs of Linux becoming less secure as cybercrime migrates to the platform, she said.
The unit behind the baddie appears to be a polished outfit: Kessem said that the commercial operation includes support/sales agents and software developers. So far, the group said that the trojan has been tested on 15 different Linux desktop distributions, including Ubuntu Fedora and Debian. As for desktop environments, the malware supports eight different environments, including Gnome and Kde.
RSA researchers managed to obtain the malware builder as well as the server side source code, and a preliminary analysis showed that the initial features include a form grabber for both HTTP and HTTPS sessions; supported browsers include Firefox, Google Chrome, as well as several other Linux-only browsers, such as Chromium, Aurora and Ice Weasel.
It also offers a block list preventing access to specified hosts (a similar deployment used by the Citadel trojan to isolate bots from security updates and anti-virus providers), and an anti-research tool box, which includes anti-VM, anti-sandbox and anti-debugger.
The developer has also written a basic administration panel for the trojan, allowing the botmaster to control the infected machines reporting to it. The panel shows a list of the bots, provides a querying interface, and run-of-the-mill bot management options.
The trojan’s infrastructure collects the stolen credentials and stores the information in a MySQL database. Captured data includes information such as timestamp, user agent, website visited and POST data. Hand of Thief also exhibits cookie-stealing functionality.