"Hand of Thief Trojan targets all common Linux distributions"

Jonathan Marsden jmarsden at fastmail.fm
Sat Sep 7 18:47:37 UTC 2013

On 09/07/2013 08:50 AM, John Hupp wrote:

> On 9/6/2013 10:29 PM, Jonathan Marsden wrote:

>> MY SUMMARY: Someone is building a new commercial trojan for Linux,
>> which doesn't actually work yet, and there is no known way to
>> infect anyone with it anyway, except persuading users to run it
>> themselves.

>> I'd say Linux remains a long way from needing AV, based on that!

> Agreed, that is the current state of affairs, which the CRN article
> itself notes, but it also notes the developer's plan to add the
> capability for drive-by downloads. So the question seems to be
> whether he can make good on that.

The hurdle is higher than that, IMO.

Even if he does, (a) there is no existing set of Linux-based exploits to
plug into such a facility, and (b) the trojan code itself, even if it
does somehow manage to get run, is defeated by ptrace scope protection,
which has been standard in Ubuntu kernels since 10.10.

So even if the developer radically improves the trojan, and a large
working group of exploit code to use his plugin capability somehow
materializes (from where?), this trojan *still* can't run on Ubuntu
(including Lubuntu) unless the user deliberately and consciously
disables a standard kernel security feature!

I'd venture to suggest that, *if* the developer radically enhances his
code, and *if* a working set of exploit plugins for Linux then emerges,
all that will do is encourage other Linux distributions to adopt the
existing, tested and implemented ptrace scope kernel patch -- which has
been in Ubuntu kernels for three years already (since 10.10)!

I suggest we not spend any more time on this.  It's not a real issue.
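The following is an added example, not code from the mailing-list post or from the trojan's author: it reads the Yama ptrace_scope setting the message refers to and then tries the move a same-user injector has to make, attaching with PTRACE_ATTACH to a process it did not spawn. The sysctl path /proc/sys/kernel/yama/ptrace_scope and the meaning of the values 0 to 3 come from the kernel's Yama documentation; the sibling-process setup and the function names are this example's own.

```c
/* Added example: probe Yama ptrace_scope and test cross-process attach.
 * Not part of the original post; the helper names are this example's own. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read the Yama ptrace_scope sysctl (path as documented for Yama).
 * Returns 0..3, or -1 if the file is absent, i.e. Yama is not built in
 * or not enabled and no scope restriction applies. */
int read_ptrace_scope(void)
{
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    int scope = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%d", &scope) != 1)
        scope = -1;
    fclose(f);
    return scope;
}

/* Meaning of each value, as documented for Yama. */
const char *describe_scope(int scope)
{
    switch (scope) {
    case 0:  return "classic: any same-uid process may attach to another";
    case 1:  return "restricted: only descendants may be attached to (Ubuntu default)";
    case 2:  return "admin-only: attaching requires CAP_SYS_PTRACE";
    case 3:  return "no attach: PTRACE_ATTACH disabled until reboot";
    default: return "Yama not present: no scope restriction";
    }
}

/* Fork a sleeping victim and an attacker that calls PTRACE_ATTACH on it.
 * They are siblings, so the victim is not the attacker's descendant.
 * Returns 0 if the attach succeeded, the attacker's errno if it failed
 * (EPERM under scope 1), or -1 if the experiment could not be set up. */
int try_attach_to_sibling(void)
{
    int pipefd[2];
    int result = -1;
    pid_t victim, attacker;

    if (pipe(pipefd) != 0)
        return -1;

    victim = fork();
    if (victim < 0)
        return -1;
    if (victim == 0) {                  /* victim: sleep until killed */
        close(pipefd[0]);
        close(pipefd[1]);
        for (;;)
            pause();
    }

    attacker = fork();
    if (attacker < 0) {
        kill(victim, SIGKILL);
        waitpid(victim, NULL, 0);
        return -1;
    }
    if (attacker == 0) {                /* attacker: try to become the tracer */
        int err = 0;
        close(pipefd[0]);
        if (ptrace(PTRACE_ATTACH, victim, NULL, NULL) == -1) {
            err = errno;
        } else {
            waitpid(victim, NULL, 0);   /* tracer may wait for its tracee's stop */
            ptrace(PTRACE_DETACH, victim, NULL, NULL);
        }
        if (write(pipefd[1], &err, sizeof err) != (ssize_t)sizeof err)
            _exit(1);
        _exit(0);
    }

    close(pipefd[1]);                   /* parent: collect the attacker's errno */
    if (read(pipefd[0], &result, sizeof result) != (ssize_t)sizeof result)
        result = -1;
    close(pipefd[0]);
    waitpid(attacker, NULL, 0);
    kill(victim, SIGKILL);
    waitpid(victim, NULL, 0);
    return result;
}

int main(void)
{
    int scope = read_ptrace_scope();
    int r = try_attach_to_sibling();

    printf("kernel.yama.ptrace_scope = %d (%s)\n", scope, describe_scope(scope));
    if (r == 0)
        printf("PTRACE_ATTACH to a non-descendant succeeded: injection possible\n");
    else if (r > 0)
        printf("PTRACE_ATTACH to a non-descendant failed: %s\n", strerror(r));
    else
        printf("could not run the attach experiment\n");
    return 0;
}
```

On a stock Ubuntu desktop (scope 1) the attach fails with "Operation not permitted", while gdb ./prog still works because the debuggee is gdb's own child. Two caveats worth keeping in mind: scope 1 only blocks attaching to processes you did not spawn, not the trojan running at all, and a process holding CAP_SYS_PTRACE (root) is exempt from the restriction.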


