The Linux malware story comes around, again

Off the Beat: Bruce Byfield's Blog
Very few computer journalists or users understand that security means more than regular updates and virus scans. As a result, every now and again, a scare makes the headlines. The latest scare is the Hand of Thief trojan described last week by RSA, which is said to target Linux specifically.
These scares are predictable in their content and claims. One popular pronouncement is that Linux has only escaped its share of malware because of its relative unpopularity, and that the latest scare is a sign that things are about to change. This prediction can be guaranteed to draw sniggers from Windows users, who are tired of the weaknesses of their operating system being constantly mentioned, and are thirsting for payback. Often, it respawns jokes, like the title of Brian Fagioli's story on the trojan, "Linux gets hit by a trojan -- it's time to sudo apt-get scared!" Half-informed claims are exchanged on both sides, as well as the odd prophecy of sensationalistic doom -- yet, somehow, nothing happens, and within a few weeks the stories are forgotten.
So far, Hand of Thief seems no different from its assorted predecessors. It is definitely following the usual story arc, helped along by RSA's uncertainty about whether it should be professionally impartial or blurt out unanswered questions like, "does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?"
Taking an educated guess
Based on the information released so far by RSA, I'd answer that question with a tentative, "No."
One clue to the nature of the trojan is that its developers are not exploiting it for themselves. RSA's report seems to wonder if targeting Linux would be worth the effort, but that is only true if you are thinking in terms of home users. Considering the giant sites that run Linux, the possible profits would be endless. I mean, a back door into Amazon? Google? Facebook? The potential for reselling millions of people's personal information alone must be tremendous.
Yet, instead, the developers are leaving the exploitation to others. Either they are cautious about doing anything illegal, or resales are a more certain path to profit. Given the potential of direct exploitation, I'm guessing the latter, especially since from the published excerpt or two, the developers are careful to give buyers value for their money, explaining even the simplest concepts such as compiling in terms that almost anyone can understand.
But the most telling bit of evidence was the advice Hand of Thief's marketer gave to RSA's representative when they bought the trojan on the black market: spread it by email and social engineering.
This information has been largely ignored in the rush to sensationalism, but it deserves closer attention. What is being suggested is to get a Linux user to click on a link, or else to deceive them in person, either by talking to them or by checking under their keyboard for a Post-It note with their password.
In other words, for all Hand of Thief's careful testing and detailed help, it does not appear to exploit any vulnerability in Linux itself. Instead, it seems to rely on the user being persuaded to run it, that is, on the ignorance and carelessness of users for access.
Or, to put things another way, Hand of Thief is probably what is sometimes called proof-of-concept malware. In theory, once it is installed it can do whatever its payload allows. However, getting it installed in the first place relies on the failings of human beings, not of Linux installations.
Unless something changes, it seems to leave the average system no more at risk than it was a month ago. With the exception of RSA, I suspect its purchasers are likely to be disappointed, although they may take a while to realize how little they have bought.
Same old same old
That is not to say that you should ignore the story. Plenty of systems are less secure than they should be -- often because users ignore security to avoid its minor inconveniences. Taking the time to check and tighten security is never a bad idea, and, in this case, a few basic measures by system administrators might help to reassure average users. I am not talking, of course, about security theater -- measures like the ones at American airports that look impressive but do little -- but about concrete, well-established measures.
If you don't know what improvements you can make, spend some time looking at AppArmor or SELinux to increase your knowledge of system security. One quick and educational fix is Bastille, which for more than a decade has been securing small systems with a wizard that explains each change it offers and can dramatically improve system security in a matter of an hour or two.
Check up, too, on the users who know just enough to mess with the security precautions you have set. You probably know who they are.
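As an added illustration of the kind of concrete check the two preceding paragraphs have in mind (this is example code written for this page, not code from the article, from RSA, or from Bastille), here is a small POSIX shell script that reports whether AppArmor or SELinux is actually enforcing anything, and then runs two classic account-hygiene checks of the sort a hardening wizard performs: accounts other than root with UID 0, and shadow entries with an empty password field. Every function takes a path or a root prefix as a parameter, so it can be pointed at a copied filesystem tree as well as at the live system. The kernel interface paths it reads (/sys/module/apparmor/parameters/enabled, /sys/kernel/security/apparmor/profiles and /sys/fs/selinux/enforce) are the standard ones on current kernels; the function and option names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or from Bastille): a minimal hardening check.
# ROOT is an optional prefix so the functions can be run against a copied tree;
# with an empty ROOT they read the live system (the AppArmor profile list and
# /etc/shadow normally require root to read).

# mac_status ROOT
# Prints one line: "apparmor enforce=N" (N = profiles in enforce mode),
# "selinux enforcing", "selinux permissive", or "none".
mac_status() {
  root=${1:-}
  enabled="$root/sys/module/apparmor/parameters/enabled"
  if [ -r "$enabled" ] && [ "$(cat "$enabled")" = "Y" ]; then
    # Each line of the profile list looks like "/usr/sbin/cupsd (enforce)".
    # grep -c exits 1 on zero matches and 2 on a missing file; "|| true" keeps
    # the assignment from aborting under set -e, and ${n:-0} covers the empty case.
    n=$(grep -c '(enforce)' "$root/sys/kernel/security/apparmor/profiles" 2>/dev/null || true)
    echo "apparmor enforce=${n:-0}"
  elif [ -r "$root/sys/fs/selinux/enforce" ]; then
    if [ "$(cat "$root/sys/fs/selinux/enforce")" = "1" ]; then
      echo "selinux enforcing"
    else
      echo "selinux permissive"
    fi
  else
    echo "none"
  fi
}

# extra_uid0_accounts PASSWD_FILE
# Prints the name of every account other than root whose UID (field 3) is 0.
# A second UID-0 account is a classic sign of a planted back door.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# passwordless_accounts SHADOW_FILE
# Prints accounts whose password field (field 2) is empty. "!" and "*" mark
# locked accounts and are not reported; an empty field means login with no password.
passwordless_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# audit ROOT: run all three checks and print a short report.
audit() {
  root=${1:-}
  echo "mandatory access control: $(mac_status "$root")"
  extra=$(extra_uid0_accounts "$root/etc/passwd")
  echo "extra UID 0 accounts: ${extra:-(none)}"
  if [ -r "$root/etc/shadow" ]; then
    nopw=$(passwordless_accounts "$root/etc/shadow")
    echo "accounts with empty password: ${nopw:-(none)}"
  else
    echo "accounts with empty password: (cannot read $root/etc/shadow)"
  fi
}

# Run against the live system only when asked explicitly:  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
  audit ""
fi
```

The point of the MAC check is the difference between "installed" and "enforcing": AppArmor can be compiled in with no profiles loaded, and SELinux can be left permissive, and either state gives the reassuring appearance of a hardened system while confining nothing. The two account checks are deliberately simple; a trojan that a user has been talked into running has no need of either hole, which is exactly the article's argument.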
Another thing you can do is learn just how Linux is put together, so you assess future alarmist stories more accurately. My late colleague Joe Barr wrote a primer in 2007 that remains valid today.
So far, the most recent story can be summarized as leaving the basic security situation unchanged. You probably can stand to tweak a few settings, and to educate users who see security measures as annoying restrictions.
Just remember: against user stupidity, the system admins themselves contend in vain -- but, then, we've always known that.