The Linux malware story comes around, again
Off the Beat: Bruce Byfield's Blog
Very few computer journalists or users understand that security means more than regular updates and virus-scans. As a result, every now and again, a scare makes the headlines. The latest scare is the Hand of Thief trojan described last week by RSA that is supposed to target Linux specifically.
These scares are predictable in their content and claims. One popular pronouncement is that Linux has only escaped its share of malware because of its relative unpopularity, and the latest scare is a sign that things are about to change. This prediction can be guaranteed to draw sniggers from Windows users, who are tired of the weaknesses of their operating system being constantly mentioned, and thirsting for payback. Often, it respawns jokes, like the title of Brian Fagioli's story on the trojan, "Linux gets hit by a trojan -- it's time to sudo apt-get scared!"
Half-informed claims are exchanged on both sides, as well as the odd prophecy of sensationalistic doom -- yet, somehow nothing happens, and within a few weeks the stories are forgotten.
So far, Hand of Thief seems no different from its assorted predecessors. It is definitely following the usual story arc, helped along by RSA's uncertainty about whether it should be professionally impartial or blurt out unanswered questions like, "does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?"
Taking an educated guess
Based on the information released so far by RSA, I'd answer that question with a tentative, "No."
One clue to the nature of the trojan is that its developers are not exploiting it for themselves. RSA's report seems to wonder if targeting Linux would be worth the effort, but that is only true if you are thinking in terms of home users. Considering the giant sites that run Linux, the possible profits would be endless. I mean, a back door into Amazon? Google? Facebook? The potential for reselling millions of people's personal information alone must be tremendous.
Yet, instead, the developers are leaving the exploitation to others. Either they are cautious about doing anything illegal, or resales are a more certain path to profit. Given the potential of direct exploitation, I'm guessing the latter, especially since from the published excerpt or two, the developers are careful to give buyers value for their money, explaining even the simplest concepts such as compiling in terms that almost anyone can understand.
But the most telling bit of evidence was the advice Hand of Thief's marketer gave to RSA's representative when they bought the trojan on the black market: spread it by email and social engineering.
This information has been largely ignored in the rush to sensationalism, but it deserves closer attention. What is being suggested is to get a Linux user to click on a link, or else to deceive them in person, either by talking to them or by checking under their keyboard for a Post-It note with their password.
In other words, for all Hand of Thief's careful testing and detailed help, it does not appear to have discovered any weakness in the Linux code to exploit. Instead, it seems to be relying on the ignorance and carelessness of users for access.
Or, to put things another way, Hand of Thief is probably what is sometimes called proof-of-concept malware. In theory, it can trample the Internet in its wake once it is installed. However, its installation in the first place relies on the failings of human beings, not of Linux installations.
Unless something changes, it seems to leave the average system no more at risk than it was a month ago. With the exception of RSA, I suspect its purchasers are likely to be disappointed, although they may take a while to realize how little they have bought.
Same old same old
That is not to say that you should ignore the story. Plenty of systems are less secure than they should be -- often because users ignore security because of its minor inconveniences. Taking the time to check and tighten security is never a bad idea, and, in this case, a few basic measures by system administrators might help to reassure average users. I am not talking, of course, about security theater -- measures like the ones at American airports that look impressive but do little -- but concrete, well-established measures.
If you don't know the improvements you can make, spend some time looking at AppArmor or SELinux to increase your knowledge of system security. One quick and educational fix is Bastille, which for more than a decade has been securing small systems with a wizard that can dramatically improve system security in a matter of an hour or two.
Check up, too, on the users who know just enough to mess with the security precautions you have set. You probably know who they are.
Another thing you can do is learn just how Linux is put together, so you can assess future alarmist stories more accurately. My late colleague Joe Barr wrote a primer in 2007 that remains valid today.
So far, the most recent story can be summarized as leaving the basic security situation unchanged. You probably can stand to tweak a few settings, and to educate users who see security measures as annoying restrictions.
Just remember, against user stupidity, the system admins themselves contend in vain -- but, then, we've always known that.