A thorough analysis by Dr.Web showed that a new malicious program for Linux, dubbed Linux.Hanthie (also known as Hand of Thief), is equipped not only with a wide array of malicious features but can also conceal itself from anti-virus software.
The malware features anti-detection technologies and routines for covert startup, does not require administrator privileges, and uses strong (256-bit) encryption for communicating with its control panel. The bot's configuration file exposes a large number of parameters, making it highly configurable.
When the Trojan is launched, it blocks access to sites from which anti-virus software and updates are downloaded. It also employs routines that hinder analysis and prevent it from running in isolated or virtual environments.
The latest version of Linux.Hanthie is unable to replicate itself, so its developers recommend that intruders employ social engineering techniques to spread it. The Trojan can operate under various Linux distributions including Ubuntu, Fedora and Debian and supports eight desktop environments such as GNOME and KDE.
Linux.Hanthie creates its startup file and places a copy of itself into a directory on the disk. It also creates a shared executable library in the temporary directory and attempts to inject its code into all running processes. If the malicious program cannot inject the code into any process, it starts a new executable from the temporary directory that is responsible only for communication with the command and control server, and deletes its original copy.
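The injection behaviour described above leaves a visible trace: a shared object mapped from a temporary directory inside otherwise unrelated processes. The following detection script is an added example, not Dr.Web's code or anything from the malware; it assumes a Linux system with a readable /proc, and the sample maps text and the path /tmp/.x11/libhook.so are constructed for illustration.

```python
#!/usr/bin/env python3
# Added detection example (not Dr.Web's code): flag executable file-backed
# mappings from temp directories in running processes, the residue that a
# shared-library injection like Linux.Hanthie's would leave behind.
import os
import re

# Directories a legitimate daemon should not be loading code from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>[rwxps-]{4})\s+\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)


def suspicious_mappings(maps_text):
    """Return sorted unique paths of executable mappings backed by a file
    under a temp directory; deleted files keep their ' (deleted)' suffix."""
    hits = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if "x" in m.group("perms") and path.startswith(TEMP_DIRS):
            hits.add(path)
    return sorted(hits)


def scan_processes(proc_root="/proc"):
    """Walk /proc and map pid -> suspicious paths; unreadable pids are skipped."""
    findings = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                hits = suspicious_mappings(fh.read())
        except OSError:  # process exited, or not ours to read
            continue
        if hits:
            findings[int(pid)] = hits
    return findings


# Constructed sample: normal libc mappings plus an injected (and unlinked)
# library from /tmp; the library name is made up for this example.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc.so.6
7f1c2a3c0000-7f1c2a3c4000 rw-p 001c0000 08:01 1311 /lib/x86_64-linux-gnu/libc.so.6
7f1c2a400000-7f1c2a410000 r-xp 00000000 08:01 9921 /tmp/.x11/libhook.so (deleted)
7f1c2a600000-7f1c2a620000 rw-p 00000000 00:00 0 [heap]
"""

if __name__ == "__main__":
    print(suspicious_mappings(SAMPLE_MAPS))  # → ['/tmp/.x11/libhook.so (deleted)']
    for pid, paths in scan_processes().items():
        print(pid, paths)
```

Running it as root on a live host reports every process with code mapped from a temp directory; a hit on many unrelated processes at once matches the "inject into all running processes" pattern described above.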
The signature of the Trojan has already been added to the virus database. Dr.Web anti-virus software successfully detects and removes it from infected systems.