Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

August 27th, 2013

Linux Trojan “Hand of Thief” ungloved

A new threat for the Linux platform was first mentioned on August 7th by RSA researchers, where it was dubbed Hand of Thief.  The two main capabilities of this Trojan are form-grabbing of Linux-specific browsers and entering a victim’s computer by a back-door. Moreover, it is empowered with features like anti-virtualization and anti-monitoring. With the level of overall sophistication Hand of Thief displays, it can be compared to infamous non-Windows threats such as the FlashBack Trojan for MacOsX platform discovered last year or Trojan Obad for Android from recent times.

A detailed analysis uncovers the following structure of the initial file with all parts after the dropper being encrypted (hexadecimal number displays starting offset of a block):

handofthief_scheme

Running the program on a native Linux system with parameter “-v” displays the version info “0.1.0.7″.

Dropper and Self-Protection

The dropper is obfuscated with the UPX packer so the executable is not available for a static analysis. We make it so by applying the original UPX program with parameter -d on a sole dropper part of the initial binary. The readability of almost all character strings is hardened by a XOR encryption with a varying 8-bit key. This is a very common property shared both among Windows and non-Windows Trojans.

Immediately after start, the Trojan checks if it does not run in a virtualized environment. Realization of this aim depends on virtualization software: To search for a substring “VBOX” and “VMware” in the listed SCSI devices (to suppress this check it is enough to unset read privileges on the file /proc/scsi/scsi ); to look for a substring “UML”,”PowerVM Lx86″, “QEMU” or “IBM/S390″ in /proc/cpuinfo file; to check an access to /proc/vz or /proc/bc which exist if OpenVZ kernel is running:

handofthief_is_under_vm

The presence of any of these signs leads to an early end of execution. The Trojan also exits if the root directory is chrooted by comparing particular lines in /proc/1/mountinfo and /proc/\<getpid()>/mountinfo. Chrooting is basically a security feature where a running process does not have access to the root directory but to another branch of a file system tree that acts as one.

Then it decrypts the config file appended at the end of the binary (starting on the offset 0×24244 with the length of 0x1E0) and it initializes its global variables with entries from the config file (values are resolved using regcomp, regexec and regfree command). We analyzed a sample with the following one (a private IP serving for C&C whispers that this bot is in debug process and not in the wild):

handofthief_config_txt

To achieve persistence after reboot, the Trojan is suspected to create a configuration file called system-firewall.desktop within the path ~/.config/autostart containing the following setting (%s is appropriately changed):

[Desktop Entry]
Encoding=UTF-8
Type=Application
Exec=%s
Terminal=false
Name=System Firewall
StartupNotify=false

The step that follows is the installation of modules containing the main functionality into the /tmp/ directory and changing access permissions with a command chroot with parameter -x. The procedure consists of mapping the binary into the memory and copying a relevant part to a buffer that is decrypted by AES with a 256bit key. For the executable of a length 24848 it is performed like this (the marked values denote the target file name, the starting offset in the binary and the access permission):

handofthief_drop_block

The shared object is injected in every process whose name does not contain substring gnome-session, dbus or pulseaudio. The injection is performed with a method similar to the one described on Blackhat 2001 by Shaun Clowes. The reimplementation is available on github.

Core Functionality

The shared object starts two threads. The first one is called aaa, and it listens to a command from C&C to execute an action: bc command triggers BackConnect daemon called p0stfix serves as a reverse shell with a victim connecting to a particular socket; bind command starts BindPort daemon called unix-daemon acting as a bind shell with an attacker receiving the content of an output of a shell (after the correct authentication); socks executes a proxy via custom implementation of SOCKS5 protocol. All these features are realized through embedded perl scripts. Another commands with names d_exec and update, and they would try an execution of newly downloaded files from a C&C server.

The second thread is denoted bbb. It performs the injection of the shared object starting on the offset 0x19CF4 into running browsers mapping space by the same method mentioned above. This serves as an initialization of the form-grabbing feature. Supported browsers are Chromium, Chrome and Firefox. The intervention of data submits of the Firefox browser is realized as the redirection of program flow of original libnspr40.so!PR_Write function to a custom implementation hPR_Write_ptr of Trojan:

handofthief_funct_patch

Intercepted data, statistics of bots execution, and command from C&C are all interpreted via a custom communication protocol based on AES encryption with 256bits keys combined with Base64 encoding:

handofthief_HTTP_encrypt_AES

Moreover, we observed an anti-monitoring check (no communication if wireshark or tcpdump is running):

handofthief_antimonitor

Finally, the exported function drow_image displays an about info in a form of nice ASCII art that confirms the creativity of the author (an owl sitting on a tree can be recognized):

handofthief_drow_image

Conclusion
The Linux operating system is designed to have high level of security. However, this year a few attempts to attack Web servers by backdoors redirecting traffic or malicious apache modules have been discovered. The aim of this Trojan is to compromise user desktop systems. With features designed to abuse sensitive browser information, it could advance Linux users a step forward in this specific environment. The same threatening environment in which Windows users have existed for years. The statement that the Linux platform is absolutely secure now seems even more illusive.

Sources

SHA256 hashes of some selected samples:

Hand of Thief Initial Binary BD92CE74844B1DDFDD1B61EAC86ABE7140D38E EDF9C1B06FB7FBF446F6830391 ELF:Hanthie-B [Trj]
Hand of Thief Shared Object 2ACF2BC72A2095A29BB4C02E3CD95D12E3B4F5 9D2E7391D9BCBBA9F3142B40AE ELF:Hanthie-A [Trj]
Hand of Thief Backdoor Executable 753DC7CD036BDBAC772A90FB3478B3CCF22BEC 70EE4BD2F55DEC2041E9482017 ELF:Hanthie-C [Trj]
Hand of Thief Formgrabber B794CE9E7291FE822B0E1F1804BD5A9A2EFC30 4A1E2870699C60EF5083C7BAC2 ELF:Hanthie-D [Trj]
Hand of Thief BackConnect Script 4B0CC15B24E38EC14E6D044583992626DD8C72 A4255B9614BE46B1B4EEFA41D7 Perl:Hanthie-A [Trj]

Acknowledgements

Thanks goes to my colleague, Pavel Šrámek, for discussions about the Linux platform.

Add your comments here, or read what others have to say on the AVAST Facebook page.

 

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on Facebook, Twitter, Google+ and Instagram.

  1. sector3it
    August 28th, 2013 at 22:25 | #1

    Good write-up so thank you. It was never that Linux is more secure as such more just a smaller target for malware writers. Interesting that this trojan as many other Linux based malware is user level based and not root/admin level as was Windows with it’s Achilles heel in making everyone admin level in years gone by. Personally I would still feel safer pointing a Linux OS at the Internet than a Windows based system.

  2. ix-hacker
    August 29th, 2013 at 02:26 | #2

    The wording of this article does nothing but draw FUD (fear, uncertainty, doubt). Linux is more secure by design than other platforms and being small has nothing to do with it. That isn’t security. The reason it is more secure is because there is a system of trust in packaging and distribution of software. In MS Windows, Mac OS X, Android, and iOS devices anything goes. There is no authenticity despite the appearance of some (Android & iPhones especially). In GNU/Linux there is the source code, there is the trust system (to be a Debian packager you have to gain the trust of two other developers/packages, which starts by little contributions). For the amount of work one must do to become a packager it makes no sense to wipe away that trust through malicious means. You would never again package for Debian. Users are protected by this trust system and authentication mechanism (ie, install from the repository and your not going to be installing malware). Unlike with a locked down platform and a 2 second ‘inspection’ by an incompetent Apple representative, or have to base your trust off the quality of the website your downloading from. If I find something I want to install on GNU/Linux I just open up the software center and conduct a search.

    2nd a Trojan is meaninglessly without a means of attack. If your downloading software from random websites your clearly not a GNU/Linux user. You mere toying with GNU/Linux and completely miss its security advantages.

    The key points of attack are covered: scripting is off in applications like LibreOffice, ALL core software get security updates automatically (ie not randomly, there is just one update process and easily teachable, not true on MS Windows and other platforms).

    Ultimately the only thing that is likely going to impact a typical GNU/Linux user is if there is a zero day exploit. Show me one of those and I’m interested. But even these are less of an issue because security updates are applied automatically and the biggest issue is users fixing them in a timely manor. That’ll happen if they apply the updates (which every non-technical user who has been sold GNU/Linux should have been shown… it’s the only thing you really need to know… well, that and don’t install random software packages).

  3. August 29th, 2013 at 12:33 | #3

    Agreed, Linux is more secure by design although I still stand by Linux OS not being a large enough market share to tempt malware writers there’s not enough profit in time and energy. Truth is if a talented malware writer invests the time and effect no system is safe.

  4. El_Gordo
    September 6th, 2013 at 22:24 | #4

    We’re talking about several aspects of security as though they are one.

    Proprietary Software vs Non-Proprietary Software is a trust issue inasmuch as proprietary software often is aware of issues but defers them until they become an issue in the marketplace. OpenSource similar issues are often caught while the software is being passed between the egg-heads in the OpenSource community.

    I love unix and linux for the power and stability they give me.

    But I don’t buy the “More Secure by Design” spiel. That was true at one time when user credentialing, authentication, etc, were much weaker in Windows… i.e. before Win2K displaced all the descendants of Win 3.1 and Win 95. Back then, every port was open. Shares were largely unauthenticated or only used Basic, or Digest authentication.

    NT…and more Win2k were much better (not equal, but better).

    Windows (and increasingly MAC and Android, etc) are insecure as a result of an intentional design decision.

    Security involves the explicit control of what software is running – to include the components used within that software.

    These OSs have increasingly (except Windows, which was always this way) adopted an “Everything Works Out of The Box” design. To do this they have to allow many software components and applications to be running all the time in the background. Each of those components features sub-components that have security risks. Some of these sub-components feature undocumented or under-documented listeners.

    Linux boxes as most people download them, and run them, are CLOSER to the “Everything Works Out of The Box” than to our older Unix/Linux environments where egg-heads explicitly had to specify in the initial configuration what would and what would not run…

    As it is, the basic difference between MOST Linux/Mac/and Windows boxes is in how permissions are handled in temp files, and in the default permissions assigned to explicitly downloaded objects. I mean here the difference is in whether sticky bits are enabled or disabled, what permissions I give /tmp, and or to whatever temp I give to users.

    All of that has to be configured by SOMEONE. For your different flavors of Linux those are usually part of the install image – meaning there is some variation between flavors. Windows – again a major weakness – pretty much puts things in very standard locations, with very standard authentication procedures, and very standard permissions.

    The other problem with windows, which may or may not be a problem with any specific linux box, is that the keyboard user on a windows box – to include the admin – is always at a disadvantage to the malware author (or any other code writer) with respect to what the system allows him to do. For the Linux box, that varies with the knowledgeability of the admin; there’s pretty much nothing a malware author can do that a sufficiently knowledgeable root can’t undo … or prevent if he is forewarned and the system use-case allows it.

    The strength in Linux today is only a minority in its design.

    The real strength is in Linux’s diversity, which gives hackers less expectation of the policies they will find on a target once they’ve identified it.

    A Linux box can be lean and mean with no GUI and only a single service running. Or it can be feature rich – even in the same distro of Linux. That fact gives a hacker less certainty of what attacks will work, and what will set off the alarm bells.

    Outside of “Security Through Obscurity” a.k.a. “having an OS so obscure that no one has bothered to figure out its vulnerabilities”, I believe that is the ‘Nix crowd’s main advantage.

    Windows simply doesn’t allow that kind of flexibility. Or more accurately Microsoft reserves that flexibility to the R & D folks in Redmond…

Comments are closed.