The Linux malware story comes around, again

Off the Beat: Bruce Byfield's Blog
Very few computer journalists or users understand that security means more than regular updates and virus-scans. As a result, every now and again, a scare makes the headlines. The latest scare is the Hand of Thief trojan described last week by RSA that is supposed to target Linux specifically.
These scares are predictable in their content and claims. One popular pronouncement is that Linux has only escaped its share of malware because of its relative unpopularity, and the latest scare is a sign that things are about to change. This prediction can be guaranteed to draw sniggers from Windows users, who are tired of the weaknesses of their operating system being constantly mentioned, and thirsting for payback. Often, it respawns jokes, like the title of Brian Fagioli's story on the trojan, "Linux gets hit by a trojan -- it's time to sudo apt-get scared!" Half-informed claims are exchanged on both sides, as well as the odd prophecy of sensationalistic doom -- yet, somehow nothing happens, and within a few weeks the stories are forgotten.
So far, Hand of Thief seems no different from its assorted predecessors. It is definitely following the usual story arc, helped along by RSA's uncertainty about whether it should be professionally impartial or blurt out unanswered questions like, "does Hand of Thief represent the early signs of Linux becoming less secure as cybercrime migrates to the platform?"
Taking an educated guess
Based on the information released so far by RSA, I'd answer that question with a tentative, "No."
One clue to the nature of the trojan is that its developers are not exploiting it for themselves. RSA's report seems to wonder if targeting Linux would be worth the effort, but that is only true if you are thinking in terms of home users. Considering the giant sites that run Linux, the possible profits would be endless. I mean, a back door into Amazon? Google? Facebook? The potential for reselling millions of people's personal information alone must be tremendous.
Yet, instead, the developers are leaving the exploitation to others. Either they are cautious about doing anything illegal, or resales are a more certain path to profit. Given the potential of direct exploitation, I'm guessing the latter, especially since from the published excerpt or two, the developers are careful to give buyers value for their money, explaining even the simplest concepts such as compiling in terms that almost anyone can understand.
But the most telling bit of evidence was the advice Hand of Thief's marketer gave to RSA's representative when they bought the trojan on the black market: spread it by email and social engineering.
This information has been largely ignored in the rush to sensationalism, but it deserves closer attention. What is being suggested is to get a Linux user to click on a link, or else to deceive them in person, either by talking to them or by checking under their keyboard for a Post-It note with their password.
In other words, for all Hand of Thief's careful testing and detailed help, it does not appear to have discovered any weakness in the Linux code to exploit. Instead, it seems to be relying on the ignorance and carelessness of users for access.
Or, to put things another way, Hand of Thief is probably what is sometimes called proof-of-concept malware. In theory, it can trample the Internet in its wake once it is installed. However, its installation in the first place relies on the failings of human beings, not of Linux installations.
Unless something changes, it seems to leave the average system no more at risk than it was a month ago. With the exception of RSA, I suspect its purchasers are likely to be disappointed, although they may take a while to realize how little they have bought.
Same old same old
That is not to say that you should ignore the story. Plenty of systems are less secure than they should be -- often because users ignore security because of its minor inconveniences. Taking the time to check and tighten security is never a bad idea, and, in this case, a few basic measures by system administrators might help to reassure average users. I am not talking, of course, about security theater -- measures like the ones at American airports that look impressive but do little -- but concrete, well-established measures.
If you don't know the improvements you can make, spend some time looking at AppArmor or SELinux to increase your knowledge of system security. One quick and educational fix is Bastille, which for more than a decade has been securing small systems with a wizard that can dramatically improve system security in a matter of an hour or two.
Check up, too, on the users who know just enough to mess with the security precautions you have set. You probably know who they are.
Another thing you can do is learn just how Linux is put together, so you assess future alarmist stories more accurately. My late colleague Joe Barr wrote a primer in 2007 that remains valid today.
So far, the most recent story can be summarized as leaving the basic security situation unchanged. You probably can stand to tweak a few settings, and to educate users who see security measures as annoying restrictions.
Just remember, against user stupidity, the system admins themselves contend in vain -- but, then, we've always known that.