"Hand of Thief Trojan targets all common Linux distributions"

[John Hupp]

On 9/7/2013 2:47 PM, Jonathan Marsden wrote:
> On 09/07/2013 08:50 AM, John Hupp wrote:
>
>> On 9/6/2013 10:29 PM, Jonathan Marsden wrote:
>>> MY SUMMARY: Someone is building a new commercial trojan for Linux,
>>> which doesn't actually work yet, and there is no known way to
>>> infect anyone with it anyway, except persuading users to run it
>>> themselves.
>>> I'd say Linux remains a long way from needing AV, based on that!
>> Agreed, that is the current state of affairs, which the CRN article
>> itself notes, but it also notes the developer's plan to add the
>> capability for drive-by downloads. So the question seems to be
>> whether he can make good on that.
> The hurdle is higher than that, IMO.
>
> Even if he does, (a) there is no existing set of Linux-based exploits to
> plug into such a facility, and (b) the trojan code itself, even if it
> does somehow manage to get run, is defeated by ptrace scope protection,
> which is standard in Ubuntu kernels since 10.10.
>
> So even if the developer radically improves the trojan, and a large
> working group of exploit code to use his plugin capability somehow
> materializes (from where?), this trojan *still* can't run on Ubuntu
> (including Lubuntu) unless the user deliberately and consciously
> disables a standard kernel security feature!
>
> I'd venture to suggest that, *if* the developer radically enhances his
> code, and *if* a working set of exploit plugins for Linux then emerges,
> all that will do is encourage other Linux distributions to adopt the
> existing, tested and implemented ptrace scope kernel patch -- which has
> been in Ubuntu kernels for three years already (since 10.10)!
>
> I suggest we not spend any more time on this.  It's not a real issue.
>
> Jonathan
>

I had not read anywhere any technical justification for waving off this 
threat, so thanks for taking the time to produce a substantial reassurance.