Linux desktop Trojan 'Hand of Thief'

Posted: Sat 10 Aug 2013, 03:03
by sszindian
Guess it had to happen sooner or later, the Linux Desktop 'Hand Of Thief' Trojan is coming.

Read all about it.

http://www.zdnet.com/linux-desktop-troj ... 000019175/

>>>---Indian------>

Posted: Sat 10 Aug 2013, 04:51
by ardvark
Hi...

Looks like it's easily avoidable, though...
Fortunately, as Limor Kessem, one of RSA's top cyber Intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good ways of infecting Linux users. Instead, the cracker "suggested using email and social engineering as the infection vector."
Regards...

Posted: Mon 26 Aug 2013, 22:41
by gameboyab
HoT needs to run as root.
Puppy, unfortunately, runs as root, so it would be easier for Puppy to get infected than other distros, such as Debian.

Posted: Wed 28 Aug 2013, 06:11
by Bruce B
gameboyab wrote:HoT needs to run as root.
Puppy, unfortunately, runs as root, so it would be easier for Puppy to get infected than other distros, such as Debian.
Yeah, I guess, but Puppy doesn't have a desktop. And I don't think it supports Rox-Filer or Joe's Window Manager.

No, that's not what I wanted to say. I don't think Puppy has Internet Domain Name System (DNS) addresses within memory; let me say that I've not been able to find it. Can anyone?

According to the article:

Hand of Thief also includes a mechanism to prevent users from accessing anti-virus sites. This seems to work by manipulating Internet Domain Name System (DNS) addresses within memory rather than doing something obvious such as changing records in your hosts file.

Posted: Wed 28 Aug 2013, 07:44
by 8-bit
But....
After requesting a site with your browser, your ISP provides the DNS address for connection to it.
At that point, the nasty in question could feasibly block or redirect you as the case may be.

Aren't bookmarks of sites really the DNS address of the bookmarked site?

Also, is the DNS address and the internet address one and the same?

Posted: Wed 28 Aug 2013, 09:11
by amigo
The DNS server translates the Domain Name into its IP Address.

Posted: Wed 28 Aug 2013, 18:19
by Ted Dog
Someone stole my hosts file.... :shock:

Linux virus looks like this...

rm -rf /*
However, no one would cut/paste into a CLI and hit enter. :oops:

So I guess that is the social engineering part...

Posted: Wed 28 Aug 2013, 18:47
by Bruce B
8-bit wrote:But....
After requesting a site with your browser, your ISP provides the DNS address for connection to it.
DNS provides the address. It would be more like: your ISP queries DNS for the address and DNS provides the address.

If the application has the address, no query is made.* There is a sequence to finding the address. (1) the local DNS cache, (2) the hosts file.

* Having the address would be along the lines of putting the address in place of the name on the URL bar. Or using the address and not the name in your bookmarks. Or if it was coded into the application or a script, etc.
At that point, the nasty in question could feasibly block or redirect you as the case may be.
In Puppy, it seems the address is given directly to the requesting application. But unlike many other OSes it doesn't have a DNS cache.
Aren't bookmarks of sites really the DNS address of the bookmarked site?
They can be, especially if you make them that way. You can edit the bookmark, remove the name and replace it with the address.
Also, is the DNS address and the internet address one and the same?
DNS is a service which provides the IP address.

Example: A waitress provides the coffee, but she is not the coffee.


~

Posted: Wed 28 Aug 2013, 19:08
by musher0
Doesn't this bug make its nest somewhere? If we know where it resides, we can zap it, no?

Posted: Thu 29 Aug 2013, 04:07
by Bruce B
musher0 wrote:Doesn't this bug make its nest somewhere? If we know where it resides, we can zap it, no?
I am sorry. I don't understand the question. Please clarify. I am interested in this stuff.

Articles we read often provide a description of the problem and offer no solution.

Posted: Fri 30 Aug 2013, 02:18
by musher0
Bruce B wrote:
musher0 wrote:Doesn't this bug make its nest somewhere? If we know where it resides, we can zap it, no?
I am sorry. I don't understand the question. Please clarify. I am interested in this stuff.

Articles we read often provide a description of the problem and offer no solution.
Hi, Bruce B.

You're right, the article describes briefly the problem and offers no solution.

I'm not an IT communications specialist, far from it, but it stands to reason that the malware has to reside somewhere in the machine to do its creepy stuff.

The article mentions the major browsers as base for the malware. So the malware has to use some form of connection.

Linux has a powerful detector of open lines called lsof, though no Puppy provides it by default. Possibly lsof could be used to detect the malware line or URL, and kill it?

Again, if the malware uses the browser, it must add some code to it to provoke the browser into stealing the data. Maybe some Linux program, like du or df, could simply verify the size and number of files in the browser folders every 2 seconds, say, and interrupt the transaction or kill the browser if something fishy is detected.

Also, concerning the browser files and folders, if the malware tries to modify anything there, could Linuxians not restrict the execute permission for those folders and apps to just the minimal "user" permission? (Not "group", and obviously not "world".) Then any modification attempt from an outside "non-user" would fail, and the user's machine would remain safe.

As I said, I'm not an IT communications specialist; those ideas are just me thinking out loud.

BFN.

musher0

Posted: Fri 30 Aug 2013, 18:28
by musher0
I gather my previous post went over everybody's head? :shock:
Or is everybody already submitting to the pirates? :roll:
Nah, everybody just died overnight. :cry:
Those who are not, please wiggle? :)

Posted: Fri 30 Aug 2013, 19:30
by James C
musher0 wrote:I gather my previous post went over everybody's head? :shock:
Or is everybody already submitting to the pirates? :roll:
Nah, everybody just died overnight. :cry:
Those who are not, please wiggle? :)
Fortunately, as Limor Kessem, one of RSA's top cyber Intelligence experts, wrote after a conversation with the Trojan's "sales agent," Hand of Thief has no good ways of infecting Linux users. Instead, the cracker "suggested using email and social engineering as the infection vector."
http://www.zdnet.com/linux-desktop-troj ... 000019175/

Since this apparently requires active user participation, i.e. clicking some random URL link, in order to function, I'm not the least bit concerned.
Just more fud for the paranoid to worry about..... :)

Posted: Sat 31 Aug 2013, 06:31
by Bruce B
While looking for spyware, keep in mind that even if the scanner says "clean" doesn't make it true.

In the picture below we can see it. Several minutes later we can't. All gone. Now just a speck in the sky the human eye cannot detect. But this doesn't mean it doesn't detect us.

~

Posted: Tue 10 Sep 2013, 07:21
by 8-bit
musher0 stated: Linux has a powerful detector of open lines called lsof, though no Puppy provides it by default. Possibly lsof could be used to detect the malware line or URL, and kill it?


I was curious and am running Slacko 5.5.
I opened a terminal and typed "lsof"
The command was found and worked giving me many lines of information.
So evidently, that command is included in some Puppy Linux versions.

The closest I have come to a strange occurrence was having an idle frugal install of Lucid 520 lock up with no response from the mouse or keyboard.
I had to do a hard power off holding down the power button on the desktop.
I had not installed anything recently at all.
But also, on a reboot, a file system check was automatically done on that partition and also on the pupsave file, with errors being reported as it did its thing.

It could be that the desktop has 3 gigs of ram and a 3 gig pupsave file in use for Lucid 520 though that may have caused me problems.

IOW, I did not get overly excited about it.

Posted: Wed 11 Sep 2013, 10:32
by musher0
Hi, 8-bit.

Glad to see that lsof is included in Slacko.

To see the connections (open lines) specifically, type

lsof -i -n
Normally, you should have two open connections for cups ("printer" connection), plus the URLs matching the open tabs in your browser, plus some for any real printer. (The latter to be checked.)

Any additional ones do not belong. But careful here: Opera, for example, needs 4 open connections to work correctly, even when idle. May be the same for Firefox, SeaMonkey, etc. (The latter to be checked.)

lsof -i -n -t
will give you only the process numbers of the connections.
-t stands for "terse". (Indeed!)

So if you find something fishy in the lsof connections listing, you may want to type
kill <process_number> (without the arrows)

Retype lsof -i -n to see if anything happened.
If nothing happened in the listing, and you know one connection is
suspicious, shutdown with the computer button. (I know, this sounds
paranoid on a Linux machine, but better be safe than sorry.)

Upon reboot, the offending connection should be gone; computer pirates have no patience.

Typing
lsof
alone will list all the open files on your system, not only the programs but the libs they rely on. So that's a long list. No surprise: lsof stands for "list open files".

lsof -h will list all lsof possibilities.

I hope this helps a bit in explaining how to work with this utility.

musher0
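The procedure musher0 describes (list connections with lsof -i -n, pick out the ones that do not belong, note the PID) can be scripted so the "does this belong?" step is an explicit allowlist instead of eyeballing. The script below is an added example, not from the thread or from Puppy; it parses a constructed lsof -i -n listing fed on stdin, and the allowlist of expected programs is an assumption to adapt to your own machine. It only reports; deciding to kill a PID stays a manual step, as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): report connections in `lsof -i -n`
# output whose owning program is not on an allowlist of programs expected
# to hold network sockets. Reads the listing on stdin so it can be tested
# offline; live use would be:  lsof -i -n | suspicious_pids
# The allowlist is an assumption: adapt it to what actually runs on your box.
ALLOWED="cupsd firefox seamonkey opera"

# Print "PID COMMAND ENDPOINT" for every line whose COMMAND is not
# allowlisted, de-duplicated, so the result can be inspected before any kill.
suspicious_pids() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "COMMAND" { next }   # skip the header row
        !($1 in ok) { print $2, $1, $9 }       # PID, program, local->remote address
    ' | sort -u
}

# Constructed sample of what `lsof -i -n` prints on an idle desktop running as
# root: the two cups listeners musher0 mentions, one browser tab, and one
# unexpected outbound connection from a program not on the allowlist.
SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     812 root    7u  IPv4  12345      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     812 root    8u  IPv6  12346      0t0  TCP [::1]:631 (LISTEN)
firefox  2210 root   41u  IPv4  23456      0t0  TCP 192.0.2.10:43210->198.51.100.20:443 (ESTABLISHED)
updater  4321 root    3u  IPv4  34567      0t0  TCP 192.0.2.10:51000->203.0.113.7:8080 (ESTABLISHED)'

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | suspicious_pids
```

The cups and firefox rows are filtered out; only the unlisted program's PID, name and endpoint are printed, which is the number you would then look at with `lsof -p` before deciding whether `kill` is warranted.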