The Linux malware story comes around, again
Off the Beat: Bruce Byfield's Blog
Very few computer journalists or users understand that security means more than regular updates and virus-scans. As a result, every now and again, a scare makes the headlines. The latest scare is the Hand of Thief trojan described last week by RSA that is supposed to target Linux specifically.
These scares are predictable in their content and claims. One popular pronouncement is that Linux has only escaped its share of malware because of its relative unpopularity, and the latest scare is a sign that things are about to change. This prediction can be guaranteed to draw sniggers from Windows users, who are tired of the weaknesses of their operating system being constantly mentioned, and thirsting for payback. Often, it respawns jokes, like the title of Brian Fagioli's story on the trojan, "Linux gets hit by a trojan -- it's time to sudo apt-get scared!" Half-informed claims are exchanged on both sides, as well as the odd prophecy of sensationalistic doom -- yet, somehow, nothing happens, and within a few weeks the stories are forgotten.
So far, Hand of Thief seems no different from its assorted predecessors. It is definitely following the usual story arc, helped along by RSA's uncertainty about whether it should be professionally impartial or blurt out unanswered questions like, "does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?"
Taking an educated guess
Based on the information released so far by RSA, I'd answer that question with a tentative, "No."
One clue to the nature of the trojan is that its developers are not exploiting it for themselves. RSA's report seems to wonder if targeting Linux would be worth the effort, but that is only true if you are thinking in terms of home users. Considering the giant sites that run Linux, the possible profits would be endless. I mean, a back door into Amazon? Google? Facebook? The potential for reselling millions of people's personal information alone must be tremendous.
Yet, instead, the developers are leaving the exploitation to others. Either they are cautious about doing anything illegal, or resales are a more certain path to profit. Given the potential of direct exploitation, I'm guessing the latter, especially since from the published excerpt or two, the developers are careful to give buyers value for their money, explaining even the simplest concepts such as compiling in terms that almost anyone can understand.
But the most telling bit of evidence was the advice Hand of Thief's marketer gave to RSA's representative when they bought the trojan on the black market: spread it by email and social engineering.
This information has been largely ignored in the rush to sensationalism, but it deserves closer attention. What is being suggested is to get a Linux user to click on a link, or else to deceive them in person, either by talking to them or by checking under their keyboard for a Post-It note with their password.
In other words, for all Hand of Thief's careful testing and detailed help, it does not appear to have discovered any weakness in the Linux code to exploit. Instead, it seems to be relying on the ignorance and carelessness of users for access.
Or, to put things another way, Hand of Thief is probably what is sometimes called proof-of-concept malware. In theory, it can trample the Internet in its wake once it is installed. However, its installation in the first place relies on the failings of human beings, not of Linux installations.
Unless something changes, it seems to leave the average system no more at risk than it was a month ago. With the exception of RSA, I suspect its purchasers are likely to be disappointed, although they may take a while to realize how little they have bought.
Same old same old
That is not to say that you should ignore the story. Plenty of systems are less secure than they should be -- often because users ignore security because of its minor inconveniences. Taking the time to check and tighten security is never a bad idea, and, in this case, a few basic measures by system administrators might help to reassure average users. I am not talking, of course, about security theater -- measures like the ones at American airports that look impressive but do little -- but concrete, well-established measures.
If you don't know the improvements you can make, spend some time looking at AppArmor or SELinux to increase your knowledge of system security. One quick and educational fix is Bastille, which for more than a decade has been securing small systems with a wizard that can dramatically improve system security in a matter of an hour or two.
Check up, too, on the users who know just enough to mess with the security precautions you have set. You probably know who they are.
Another thing you can do is learn just how Linux is put together, so you assess future alarmist stories more accurately. My late colleague Joe Barr wrote a primer in 2007 that remains valid today.
So far, the most recent story can be summarized as leaving the basic security situation unchanged. You probably can stand to tweak a few settings, and to educate users who see security measures as annoying restrictions.
Just remember, against user stupidity, the system admins themselves contend in vain -- but, then, we've always known that.