August 27, 2013

Russian anti-virus company Doctor Web is warning users about a new malignant program for Linux which has been dubbed Linux.Hanthie. A thorough analysis showed that this Trojan (also known as the Hand of Thief) is equipped not only with a wide array malicious features but also can conceal itself from anti-viruses.

Currently, the malware is actively sold and purchased on underground hacker forums. It features anti-detection technologies and routines for its covert startup, does not require administrator privileges, and uses strong encryption (256-bit) for communicating with the control panel. The bot's configuration file contains a large number of parameters for its flexible configuration.

When the Trojan is launched, it blocks access to sites from which anti-virus software and updates are downloaded. It also makes use of routines to impede its analysis and launch in isolated and virtual environments.

The latest version of Linux.Hanthie is unable to replicate itself, so its developers recommend that intruders employ social engineering techniques to spread it. The Trojan can operate under various Linux distributions including Ubuntu, Fedora and Debian and supports eight desktop environments such as GNOME and KDE.

Once the malicious program is launched, the Trojan installer checks whether its process or a virtual machine is already running in the system. Then Linux.Hanthie creates its startup file and places its copy into a directory on the disc. It also creates a shared executable library in the temp directory and attempts to inject its code into all running processes. If the malicious program cannot inject the code into any process, the temporary directory Linux.Hanthie starts a new executable, responsible only for communication with the command and control server, and deletes its original copy.

The Trojan incorporates several functional modules: one of them is a library that bears the greater part of its payload. The Trojan uses the library to inject the grabber into Mozilla Firefox, Google Chrome, Opera, Chromium and Ice Weasel. The grabber is employed to intercept HTTPS and HTTPS connections and send data, entered by users into boxes on web pages, to criminals. The library also performs backdoor tasks; the traffic for communication with the C&C server is encrypted.

The Trojan can execute several commands. The command ‘socks’ makes it launch a proxy server in the compromised system; the instruction ‘bind’ tells the Trojan to initiate a port listener script, and the directive ‘bc’ makes it connect to a remote server. The Trojan downloads and installs a new version upon receiving the command ‘update’ and removes itself upon getting the instruction ‘rm’. If one tries to access the running script bind or bc, the Trojan displays the following message in the console:

Another module enables the Trojan to perform a limited number of malignant tasks that do not include code injections.

The signature of the Trojan has already been added to the virus database. Dr.Web anti-virus software successfully detects and removes it from infected systems.