Peter Kalnai AVAST Software
Jaromir Horejsi AVAST Software
Most current trojan-type malware samples are designed for the Windows platform. They are often functionally modular and carry heavy obfuscation with anti-reversing tricks. On the other hand, there are very few of these for the Linux platform, and those that do exist display basic functionality and at most simple obfuscation (e.g. XOR encryption).
In the summer of 2012 the first complex trojan for the Linux platform, called Wirenet, was discovered. This unusual revelation triggered a reaction even in popular non-IT magazines. Its key features were stealing the contents of web browsers' password files, general keylogging and a backdoor capability.
Recently, a new threat for the same platform, dubbed 'Hand of Thief' was discovered. With its features and sophistication it goes one step further than its predecessor. Its initial binary serves as an installation component that carries a complex structure with several hidden additional components and a configuration file. The two main capabilities provided by these components are form grabbing of Linux-specific browsers and entering a victim's computer via a backdoor.
We will compare the implementation of these features with their Windows counterparts, where they have been present for years. We will focus particularly on browser form grabbing as a method of stealing sensitive information, because security researchers continue to see this technique being improved even for Windows-specific browsers.
Finally, we provide some thoughts about the real potential of these trojans to threaten Linux end-users.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.