Linux desktop Trojan 'Hand of Thief'
sszindian


Joined: 24 Apr 2010
Posts: 608
Location: Pennsylvania U.S.

Posted: Fri 09 Aug 2013, 23:03    Subject: Linux desktop Trojan 'Hand of Thief'

Guess it had to happen sooner or later: the Linux desktop 'Hand of Thief' Trojan is coming.

Read all about it.

http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-steals-in-7000019175/

>>>---Indian------>

_________________
Cloud Computing For Every Puppy (a .pet)
http://murga-linux.com/puppy/viewtopic.php?t=69192
ardvark


Joined: 01 Jul 2013
Posts: 1010
Location: USA

Posted: Sat 10 Aug 2013, 00:51

Hi...

Looks like it's easily avoidable, though...

Quote:
Fortunately, as Limor Kessem, one of RSA's top cyber Intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good ways of infecting Linux users. Instead, the cracker "suggested using email and social engineering as the infection vector."


Regards...
gameboyab


Joined: 01 Sep 2012
Posts: 42
Location: Anytown, USA

Posted: Mon 26 Aug 2013, 18:41

HoT needs to run as root.
Puppy, unfortunately, runs as root, so it would be easier for Puppy to get infected than other distros, such as Debian.

_________________
Not running as root is the cause of my inferiority complex.
Desktop: 2 GHz Core 2 Duo - 2 GB RAM
Laptop: 1.5 GHz Pentium M (III) - 1 GB RAM
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

Posted: Wed 28 Aug 2013, 02:11

gameboyab wrote:
HoT needs to run as root.
Puppy, unfortunately, runs as root, so it would be easier for Puppy to get infected than other distros, such as Debian.


Yeah, I guess, but Puppy doesn't have a desktop. And I don't think it supports Rox-Filer or Joe's Window Manager.

No, that's not what I wanted to say. I don't think Puppy has Internet Domain Name System (DNS) addresses within memory. Let me say that I've not been able to find it; can anyone?

According to the article.

Hand of Thief also includes a mechanism to prevent users from accessing anti-virus sites. This seems to work by manipulating Internet Domain Name System (DNS) addresses within memory rather than doing something obvious such as changing records in your hosts file.

_________________
New! Puppy Linux Links Page
8-bit


Joined: 03 Apr 2007
Posts: 3382
Location: Oregon

Posted: Wed 28 Aug 2013, 03:44

But....
After requesting a site with your browser, your ISP provides the DNS address for connection to it.
At that point, the nasty in question could feasibly block or redirect you as the case may be.

Aren't bookmarks of sites really the DNS address of the bookmarked site?

Also, is the DNS address and the internet address one in the same?
amigo

Joined: 02 Apr 2007
Posts: 2261

Posted: Wed 28 Aug 2013, 05:11

The DNS server translates the Domain Name into its IP Address.
Ted Dog


Joined: 13 Sep 2005
Posts: 2373
Location: Heart of Texas

Posted: Wed 28 Aug 2013, 14:19

Someone stole my hosts file.... Shocked

A Linux virus looks like this...


Code:
rm -rf /*


however no one would cut/paste into a CLI and hit enter. Embarassed

So I guess that is the social engineering part...
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

Posted: Wed 28 Aug 2013, 14:47

8-bit wrote:
But....
After requesting a site with your browser, your ISP provides the DNS address for connection to it.


DNS provides the address. It would be more like: your ISP queries DNS for the address and DNS provides the address.

If the application has the address, no query is made.* There is a sequence to finding the address. (1) the local DNS cache, (2) the hosts file.

* Having the address would be along the lines of putting the address in place of the name on the URL bar. Or using the address and not the name in your bookmarks. Or if it was coded into the application or a script, etc.

Quote:
At that point, the nasty in question could feasibly block or redirect you as the case may be.


In Puppy, it seems the address is given directly to the requesting application. But unlike many other OSes it doesn't have a DNS cache.

Quote:
Aren't bookmarks of sites really the DNS address of the bookmarked site?


They can be, especially if you make them that way. You can edit the bookmark, remove the name and replace it with the address.

Quote:
Also, is the DNS address and the internet address one in the same?


DNS is a service which provides the IP address.

Example: A waitress provides the coffee, but she is not the coffee.


~

_________________
New! Puppy Linux Links Page
musher0


Joined: 04 Jan 2009
Posts: 4258
Location: Gatineau (Qc), Canada

Posted: Wed 28 Aug 2013, 15:08

Doesn't this bug make its nest somewhere? If we know where it resides, we can zap it, no?
_________________
"Logical entities must not be multiplied needlessly." / "Il ne faut pas multiplier les êtres logiques inutilement." (Ockham)
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

Posted: Thu 29 Aug 2013, 00:07

musher0 wrote:
Doesn't this bug make its nest somewhere? If we know where it resides, we can zap it, no?


I am sorry. I don't understand the question. Please clarify. I am interested in this stuff.

Articles we read often provide a description of the problem and offer no solution.

_________________
New! Puppy Linux Links Page
musher0


Joined: 04 Jan 2009
Posts: 4258
Location: Gatineau (Qc), Canada

Posted: Thu 29 Aug 2013, 22:18

Bruce B wrote:
musher0 wrote:
Doesn't this bug make its nest somewhere? If we know where it resides, we can zap it, no?


I am sorry. I don't understand the question. Please clarify. I am interested in this stuff.

Articles we read often provide a description of the problem and offer no solution.


Hi, Bruce B.

You're right, the article describes briefly the problem and offers no solution.

I'm not an IT communications specialist, far from it, but it stands to reason that the
malware has to reside somewhere in the machine to do its creepy stuff.

The article mentions the major browsers as base for the malware. So the malware has
to use some form of connection.

Linux has a powerful detector of open lines called lsof, though no Puppy provides it by
default. Possibly lsof could be used to detect the malware line or URL, and kill it?

Again, if the malware uses the browser, it must add some code to it to provoke the
browser into stealing the data. Maybe some Linux program, like du or df, could simply
verify the size and number of files in the browser folders every 2 seconds, say, and
interrupt the transaction or kill the browser if something fishy is detected.

Also, concerning the browser files and folders, if the malware tries to modify anything
there, could Linuxians not restrict the execute permission for those folders and apps to
just the minimal "user" permission? (Not "group", and obviously not "world".) Then any
modification attempt from an outside "non-user" would fail, and the user's machine
would remain safe.

As I said, I'm not an IT communications specialist; those ideas are just me thinking out loud.

BFN.

musher0

_________________
"Logical entities must not be multiplied needlessly." / "Il ne faut pas multiplier les êtres logiques inutilement." (Ockham)
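The kind of watchdog musher0 sketches above (re-measure the browser profile folder every couple of seconds and flag growth, plus check that nothing there is writable beyond the owner), as an added example that is not from the thread or from any Puppy package. The profile path and the two-second interval are assumptions; the test constructs its own temporary directory.

```sh
#!/bin/sh
# Added example: baseline-and-compare watchdog for a browser profile folder.
# snapshot DIR -> "count bytes" for regular files under DIR
snapshot() {
    dir=$1
    count=$(find "$dir" -type f | wc -l | tr -d ' ')
    bytes=$(find "$dir" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' ')
    echo "$count $bytes"
}

# loose_perms DIR -> paths of files writable by group or others, one per
# line (empty output means musher0's "user permission only" rule holds)
loose_perms() {
    find "$1" -type f \( -perm -g=w -o -perm -o=w \)
}

# changed OLD NEW -> 0 if the two snapshot strings match, 1 otherwise
changed() {
    if [ "$1" = "$2" ]; then echo 0; else echo 1; fi
}

# watch_profile DIR [SECONDS]: re-snapshot every SECONDS (default 2, an
# assumption) and print an alert when the file count or total size moves,
# or when a file in the profile becomes writable by group/others.
# Usage: watch_profile "$HOME/.mozilla" 2
watch_profile() {
    dir=$1; interval=${2:-2}
    base=$(snapshot "$dir")
    while :; do
        sleep "$interval"
        cur=$(snapshot "$dir")
        if [ "$(changed "$base" "$cur")" = 1 ]; then
            echo "ALERT: $dir changed from [$base] to [$cur] (files bytes)"
            base=$cur
        fi
        loose=$(loose_perms "$dir")
        [ -n "$loose" ] && echo "ALERT: writable by group/others: $loose"
    done
}
```

A size or count jump is a prompt to look, not proof of infection: browsers rewrite their cache and session files constantly, so tune the interval and exclude cache directories before acting on an alert.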
musher0


Joined: 04 Jan 2009
Posts: 4258
Location: Gatineau (Qc), Canada

Posted: Fri 30 Aug 2013, 14:28

I gather my previous post went over everybody's head? Shocked
Or is everybody already submitting to the pirates? Rolling Eyes
Nah, everybody just died overnight. Crying or Very sad
Those who are not, please wiggle? Smile

_________________
"Logical entities must not be multiplied needlessly." / "Il ne faut pas multiplier les êtres logiques inutilement." (Ockham)
James C


Joined: 26 Mar 2009
Posts: 5867
Location: Kentucky

Posted: Fri 30 Aug 2013, 15:30

musher0 wrote:
I gather my previous post went over everybody's head? Shocked
Or is everybody already submitting to the pirates? Rolling Eyes
Nah, everybody just died overnight. Crying or Very sad
Those who are not, please wiggle? Smile


Quote:
Fortunately, as Limor Kessem, one of RSA's top cyber Intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good ways of infecting Linux users. Instead, the cracker "suggested using email and social engineering as the infection vector."

http://www.zdnet.com/linux-desktop-trojan-hand-of-thief-steals-in-7000019175/

Since this apparently requires active user participation, i.e. clicking some random URL link, in order to function, I'm not the least bit concerned.
Just more FUD for the paranoid to worry about..... Smile
Bruce B


Joined: 18 May 2005
Posts: 11130
Location: The Peoples Republic of California

Posted: Sat 31 Aug 2013, 02:31

While looking for spyware, keep in mind that even if the scanner says "clean", that doesn't make it true.

In the picture below we can see it. Several minutes later we can't. All gone. Now just a speck in the sky the human eye cannot detect. But this doesn't mean it doesn't detect us.

~
[Attachment: spyware.jpg]

_________________
New! Puppy Linux Links Page
8-bit


Joined: 03 Apr 2007
Posts: 3382
Location: Oregon

Posted: Tue 10 Sep 2013, 03:21

musher0 wrote:
Linux has a powerful detector of open lines called lsof, though no Puppy provides it by default. Possibly lsof could be used to detect the malware line or URL, and kill it?


I was curious and am running Slacko 5.5.
I opened a terminal and typed "lsof".
The command was found and worked, giving me many lines of information.
So evidently that command is included in some Puppy Linux versions.

The closest I have come to a strange occurrence was having an idle frugal install of Lucid 520 lock up with no response from the mouse or keyboard.
I had to do a hard power off, holding down the power button on the desktop.
I had not installed anything recently at all.
But also, on a reboot, a file system check was automatically done on that partition and also on the pupsave file, with errors being reported as it did its thing.

It could be that the desktop has 3 gigs of RAM and a 3 gig pupsave file in use for Lucid 520, though, and that may have caused me problems.

IOW, I did not get overly excited about it.