RSA researchers continue to analyze the banking malware

Sep 3, 2013 13:32 GMT  ·  By

A few weeks ago, RSA researchers revealed the existence of a Linux banking Trojan dubbed “Hand of Thief.” The malware was released for sale in July on Russian underground forums.

After a closer analysis of the threat, RSA experts have determined that there’s a lot more work to be done before “Hand of Thief” can be considered a commercially viable banking Trojan.

The malware is packaged with a builder that allows botmasters to generate new variants. This makes “Hand of Thief” commercial malware.

However, when it comes down to what it’s actually capable of, experts have found that it’s not ready for web injections.

The developer claims he’s in the final stages of implementing a mechanism for web injections. However, the form grabber system doesn’t work on the allegedly supported web browsers, so it’s likely that the injections will not work either.

RSA experts have tested the Trojan on two machines: one set up to run Fedora 19 with Firefox and Chrome, and one set up to run Ubuntu 12.04 with Firefox.

On the first configuration, non-browser functions such as download and execute, socks server, self-remove, bind shell, and reverse shell appear to be working properly. However, when it comes to browser functions, it’s a whole different story.

In most cases, the malware causes the browser to freeze or crash.

In Firefox, the Trojan captures only empty requests. In Chrome, it does manage to capture information, but it doesn’t filter it at all.

“This means that the malware captured every single request from the browser in a very generic manner (even sending the drop zone pages that were browsed as part of a session). Grabbing requests in this manner will quickly clutter the drop server with useless data,” RSA Senior Security Researcher Yotam Gottesman noted in a blog post.

On the second test machine, a default protection mechanism named “ptrace scope” prevented the threat from attaching itself to processes. If the protection mechanism is disabled, the Trojan causes the browser to crash and close.
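The “ptrace scope” setting that stopped the Trojan on the Ubuntu machine is the Yama LSM sysctl `kernel.yama.ptrace_scope`. The following audit script is an added example, not part of RSA’s write-up: it reports the current level, says whether a non-descendant process of the same user can still attach to another process (what a form grabber needs), and, when the host is not hardened, prints the sysctl line that enforces level 1 across reboots. The `10-ptrace.conf` file name and the `ptrace_scope_*` function names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the RSA write-up): audit the Yama "ptrace scope" sysctl.
# Values: 0 = classic (any same-uid process may attach), 1 = restricted
# (only descendants, or processes allowed via PR_SET_PTRACER), 2 = admin only,
# 3 = no attach at all. A missing file means the Yama LSM is not active,
# so no restriction applies.

YAMA_SCOPE_FILE=/proc/sys/kernel/yama/ptrace_scope

# Print the current scope, or "absent" when Yama is not available.
ptrace_scope_level() {
    if [ -r "$YAMA_SCOPE_FILE" ]; then
        cat "$YAMA_SCOPE_FILE"
    else
        echo absent
    fi
}

# Return 0 (true) when the given scope value stops a non-descendant,
# same-uid process from calling PTRACE_ATTACH on another process.
ptrace_scope_blocks_attach() {
    case "$1" in
        1|2|3) return 0 ;;
        *)     return 1 ;;
    esac
}

# Human-readable verdict, plus the sysctl line that makes level 1 persistent
# (file name /etc/sysctl.d/10-ptrace.conf is an assumption for this example).
ptrace_scope_report() {
    level=$(ptrace_scope_level)
    if ptrace_scope_blocks_attach "$level"; then
        echo "ptrace_scope=$level: non-descendant attach is blocked"
    else
        echo "ptrace_scope=$level: any same-uid process may attach; hardening advised"
        echo "  persist with: echo 'kernel.yama.ptrace_scope = 1' > /etc/sysctl.d/10-ptrace.conf"
    fi
}

ptrace_scope_report
```

Level 1 is the Ubuntu default that blocked the Trojan in RSA’s test; on a kernel without Yama the script reports “absent”, which is the unprotected case.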

When it does manage to capture data, it’s not capable of successfully sending it to the server.