The Linux malware story comes around, again
Off the Beat: Bruce Byfield's Blog
Very few computer journalists or users understand that security means more than regular updates and virus-scans. As a result, every now and again, a scare makes the headlines. The latest scare is the Hand of Thief trojan described last week by RSA that is supposed to target Linux specifically.
These scares are predictable in their content and claims. One popular pronouncement is that Linux has only escaped its share of malware because of its relative unpopularity, and the latest scare is a sign that things are about to change. This prediction can be guaranteed to draw sniggers from Windows users, who are tired of the weaknesses of their operating system being constantly mentioned, and thirsting for payback. Often, it respawns jokes, like the title of Brian Fagioli's story on the trojan, "Linux gets hit by a trojan -- it's time to sudo apt-get scared!"Half-informed claims are exchanged on both sides, as well as the odd prophecy of sensationalistic doom -- yet, somehow nothing happens, and within a few weeks the stories are forgotten.
So far, Hand of Thief seems no different from its assorted predecessors. It is definitely following the usual story arc, helped along by RSA's uncertainty about whether it should be professionally impartial or blurt out unanswered questions like, "does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?"
Taking an educated guess
Based on the information released so far by RSA, I'd answer that question with a tentative, "No."
One clue to the nature of the trojan is that its developers are not exploiting it for themselves. RSA's report seems to wonder if targetting Linux would be worth the effort, but that is only true if you are thinking in terms of home users. Considering the giant sites that run Linux, the possible profits would be endless. I mean, a back door into Amazon? Google? Facebook? The potential for reselling millions of people's personal information alone must be tremendous.
Yet, instead, the developers are leaving the exploitation to others. Either they are cautious about doing anything illegal, or resales are a more certain path to profit. Given the potential of direct exploitation, I'm guessing the latter, especially since from the published excerpt or two, the developers are careful to give buyers value for their money, explaining even the simplest concepts such as compiling in terms that almost anyone can understand.
But the most telling bit of evidence was the advice Hand of Thief's marketer gave to RSA's representative when they bought the trojan on the black market: spread it by email and social engineering.
This information has been largely ignored in the rush to sensationalism, but it deserves closer attention. What is being suggested is to get a Linux user to click on a link, or else to deceive them in person, either by talking to them or by checking under their keyboard for a Post-It note with their password.
In other words, for all Hand of Thief's careful testing and detailed help, it does not appear to have discovered any weakness in the Linux code to exploit. Instead, it seems to be relying on the ignorance and carelessness of users for access.
Or, to put things another way, Hand of Thief is probably what is sometimes called proof-of-concept malware. In theory, it can trample the Internet in its wake once it is installed. However, its installation in the first place relies on the failings of human beings, not of of Linux installations.
Unless something changes, it seems to leave the average system no more at risk than it was a month ago. With the exception of RSA, I suspect its purchasers are likely to be disappointed, although they may take a while to realize how little they have bought.
Same old same old
That is not to say that you should ignore the story. Plenty of systems are less secure than they should be -- often because users ignore security because of its minor inconveniences. Taking the time to check and tighten security is never a bad idea, and, in this case, a few basic measures by system administrators might help to reassure average users. I am not talking, of course, about security theater -- measures like the ones at American airports that look impressive but do little -- but concrete, well-established measures.
If you don't know the improvements you can make, spend some time looking at AppArmor or SE Linux to increase your knowledge of system security. One quick and educational fix is Bastille, which for more than a decade has been securing small systems with a wizard that can dramatically improve system security in a matter of an hour or two.
Check up, too, on the users who know just enough to mess with the security precautions you have set. You probably know who they are.
Another thing you can do is learn just how Linux is put together, so you assess future alarmist stories more accurately. My late colleague Joe Barr wrote a primer in 2007 that remains valid today.
So far, the most recent story can be summarized as leaving the basic security situation unchanged. You probably can stand to tweak a few settings, and to educate users who see security measures as annoying restrictions
Just remember, against user stupidity, the system admins themselves contend in vain -- but, then, we've always known that.
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.