Dr. WEB warns of new Trojan for Linux

13th September 2013 | By Mouseworld Now Correspondent |

New Delhi, India, September 13, 2013: Dr.WEB, the Russian developer of information security software, is warning users about a new malicious program for Linux, dubbed Linux.Hanthie. A thorough analysis showed that this Trojan (also known as Hand of Thief) is equipped not only with a wide array of malicious features but can also conceal itself from anti-virus software.

Currently, the malware is actively traded on underground hacker forums. It features anti-detection technologies and routines for covert startup, does not require administrator privileges, and uses 256-bit encryption for its communication with the control panel. The bot's configuration file contains a large number of parameters, so it can be configured flexibly.

When the Trojan is launched, it blocks access to sites from which anti-virus software and updates are downloaded. It also uses routines that impede its analysis and its launch in isolated and virtual environments.

The latest version of Linux.Hanthie cannot replicate itself, so its developers recommend that intruders use social engineering to spread it. The Trojan runs on various Linux distributions, including Ubuntu, Fedora and Debian, and supports eight desktop environments, among them GNOME and KDE.

Once the malicious program is launched, the Trojan installer checks whether its process is already running in the system and whether it is running inside a virtual machine. Linux.Hanthie then creates its startup file and places a copy of itself in a directory on disk. It also creates a shared library in the temporary directory and attempts to inject its code into all running processes. If it cannot inject the code into any process, Linux.Hanthie starts a new executable from the temporary directory that is responsible only for communication with the command and control server, and deletes its original copy.

The Trojan consists of several functional modules; one of them is a library that carries the greater part of its payload. The Trojan uses this library to inject the grabber into Mozilla Firefox, Google Chrome, Opera, Chromium and Iceweasel. The grabber intercepts HTTP and HTTPS connections and sends the data users enter into forms on web pages to the criminals. The library also performs backdoor tasks; the traffic exchanged with the C&C server is encrypted.
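A host-level check for the traces described in the two paragraphs above: a shared library dropped in a temporary directory and mapped into running processes, with the browsers the grabber targets flagged separately. This is an added example written for this page, not Dr.WEB's analysis tooling or the malware's code. The temporary directories, the browser process names and the sample /proc/<pid>/maps contents are assumptions and constructed data; the page does not give the Trojan's real file names.

```python
import re
from pathlib import Path

# Directories the text says the Trojan drops its shared library into; the
# exact paths are an assumption for this example.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Browsers named in the article as grabber targets (process comm names assumed).
BROWSERS = {"firefox", "chrome", "chromium", "opera", "iceweasel"}

# /proc/<pid>/maps line layout: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^\S+\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def suspicious_mappings(maps_text):
    """Return the set of file-backed mappings under a temp directory that are
    executable or look like a shared object (the injected library)."""
    hits = set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        if not path.startswith(TEMP_DIRS):
            continue
        if "x" in perms or ".so" in path:
            hits.add(path)
    return hits


def scan_processes(procs):
    """procs: iterable of (pid, comm, maps_text). Returns one finding per
    process that has a temp-directory library mapped, flagging browsers."""
    findings = []
    for pid, comm, maps_text in procs:
        hits = suspicious_mappings(maps_text)
        if hits:
            findings.append({"pid": pid, "comm": comm,
                             "browser": comm in BROWSERS,
                             "libs": sorted(hits)})
    return findings


def live_processes(proc_root="/proc"):
    """Yield (pid, comm, maps_text) from a real Linux host. Reading another
    user's maps needs root; unreadable or vanished processes are skipped."""
    for p in Path(proc_root).iterdir():
        if not p.name.isdigit():
            continue
        try:
            comm = (p / "comm").read_text().strip()
            maps_text = (p / "maps").read_text()
        except (OSError, ValueError):
            continue
        yield int(p.name), comm, maps_text


# Constructed sample data: a clean shell and a Firefox process with a
# library mapped from a hidden directory under /tmp.
CLEAN_MAPS = """\
55d1c0a00000-55d1c0b00000 r-xp 00000000 08:01 131072 /usr/bin/bash
7f3a2c000000-7f3a2c1c0000 r-xp 00000000 08:01 262144 /usr/lib/x86_64-linux-gnu/libc-2.17.so
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""
INFECTED_MAPS = CLEAN_MAPS + """\
7f3a2d000000-7f3a2d010000 r-xp 00000000 08:01 393216 /tmp/.x11-unix/libhook.so
7f3a2d010000-7f3a2d011000 rw-p 00010000 08:01 393216 /tmp/.x11-unix/libhook.so
7f3a2e000000-7f3a2e005000 rw-p 00000000 00:00 0
"""
SAMPLE_PROCS = [(1337, "bash", CLEAN_MAPS), (4242, "firefox", INFECTED_MAPS)]

if __name__ == "__main__":
    for f in scan_processes(SAMPLE_PROCS):
        tag = "BROWSER " if f["browser"] else ""
        print(f"{tag}pid={f['pid']} comm={f['comm']} libs={f['libs']}")
    # On a live host, replace SAMPLE_PROCS with live_processes().
```

Run it as root to see every user's processes; a legitimate program rarely maps an executable file out of /tmp, so any hit deserves a look at the inode and the process's loader environment. A write-then-execute library that has already been unlinked will not appear in maps by path, so pair this with a check for "(deleted)" mappings if you extend it.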

The Trojan can execute several commands. The 'socks' command makes it launch a proxy server on the compromised system; 'bind' tells it to start a port listener script; and 'bc' makes it connect to a remote server. On receiving 'update' the Trojan downloads and installs a new version, and on receiving 'rm' it removes itself.


© Mouseworld Now News Service
