Linux "HoT" bank Trojan: Failed malware
Summary: What? Another Linux vulnerability? Nope. Other operating systems may be easy malware marks, but Linux continues to resist malware.
By Steven J. Vaughan-Nichols
Initially it looked like the "Hand of Thief" (HoT) Trojan would be the first successful Linux Trojan. However, further investigation by RSA, the Security Division of EMC, reveals that the Hand of Thief is just another in a long line of so-called Linux malware that's more bark than bite.
Hand of Thief: Another failed Linux malware program. (Credit: RSA)
Indeed, the only people who will be hurt by this so-called Trojan are the cyber-criminals who paid $2,000 for this half-baked hack.
Yotam Gottesman, an RSA Senior Security Researcher, reported that the company obtained the HoT code builder and created HoT binaries. Gottesman reports that HoT has no real functionality. "Our research and analysis shows that, in reality, HoT's grabbing abilities are very limited if not absent, which would make the malware a prototype that needs a lot more work before it can be considered a commercially viable banking Trojan."
My own experiences with HoT demonstrated that while I smelled smoke, there was no fire. It is just a harmless exploit of a since-patched problem with the Chrome Web browser.
HoT's builder--the part that actually creates the virus--is a Windows program. In theory the builder would enable the botmaster to generate new variants of HoT. It created 32-bit compiled ELF (Executable and Linking Format) programs. ELF is the standard Linux binary format.
Once installed, HoT would seek to grab information from Web forms and send the results to a botnet server. As malware, however, HoT fails in the most fundamental way possible: It requires a deliberate effort by the user to install it.
On some operating systems, such as Windows, it's relatively easy to infect a system without the user being aware that anything is happening. On others, such as Android, the user must agree to install a program. With Linux, you must go out of your way to install any program. HoT has no mechanism to make that any easier for a criminal cracker.
In fact, even if you do take the time and effort to infect a Linux PC with HoT, the program still doesn't work worth a damn. RSA found that HoT often crashed with Firefox on Fedora, grabbed useless data with Chrome on Fedora, and was blocked from running at all on Ubuntu Linux.
Therefore, RSA concluded, "HoT has come to the cybercrime underground at a time when commercial Trojans are high in demand, stirring some excitement amongst criminals. Although it initially appeared to be a compelling new Trojan entrant, RSA's in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data."
As for that critical issue of infecting Linux systems, "HoT's developer claims that he is in the final stages of implementing a Web-injections mechanism, but since the Form grabber he designed is not functional on the browsers he claims to have tested, the injections are not very likely to work either."
I'll take that a step farther. The only people who have, or ever will have, trouble with HoT are the would-be crooks who bought this hopelessly maimed malware.
About Steven J. Vaughan-Nichols
Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting edge PC operating system. SJVN covers networking, Linux, open source, and operating systems.
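The article notes that the builder emits 32-bit ELF binaries. The following inspector, added here as an illustration and not code from the article or from RSA, reads the fields of an ELF header that a triage analyst would check first (class, byte order, object type, target machine), so a "32-bit ELF for x86" can be recognised from the first 20 bytes of a file. The sample header bytes are constructed for the example; the name describe_elf is the example's own.

```python
"""Minimal ELF header inspector (added example, not from the article or RSA)."""
import struct

ELF_MAGIC = b"\x7fELF"
EI_CLASS, EI_DATA = 4, 5          # byte offsets inside e_ident
CLASS_NAMES = {1: "ELF32", 2: "ELF64"}
DATA_NAMES = {1: "little-endian", 2: "big-endian"}
TYPE_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
MACHINE_NAMES = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}


def describe_elf(data: bytes):
    """Return a dict describing the ELF header, or None if data is not ELF.

    Only the first 20 bytes are needed: the 16-byte e_ident, then the
    2-byte e_type and 2-byte e_machine fields at offsets 16 and 18.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    # e_type/e_machine are stored in the byte order declared by EI_DATA.
    order = ">" if data[EI_DATA] == 2 else "<"
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    return {
        "class": CLASS_NAMES.get(data[EI_CLASS], "unknown"),
        "endianness": DATA_NAMES.get(data[EI_DATA], "unknown"),
        "type": TYPE_NAMES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"),
    }


def build_sample_header(elf_class: int, e_type: int, e_machine: int) -> bytes:
    """Construct a zero-padded little-endian ELF header for demonstration.

    This is a constructed sample, not bytes taken from any real binary.
    """
    e_ident = ELF_MAGIC + bytes([elf_class, 1, 1]) + b"\x00" * 9  # 16 bytes
    header = e_ident + struct.pack("<HH", e_type, e_machine)
    return header.ljust(52 if elf_class == 1 else 64, b"\x00")


# Constructed samples: a 32-bit x86 executable (the shape the article
# describes) and a plain shell script that must be rejected.
SAMPLE_ELF32_I386 = build_sample_header(1, 2, 3)
SAMPLE_ELF64_X86_64 = build_sample_header(2, 3, 62)
SAMPLE_NOT_ELF = b"#!/bin/sh\necho hello\n"

if __name__ == "__main__":
    for name, blob in [("elf32", SAMPLE_ELF32_I386),
                       ("elf64", SAMPLE_ELF64_X86_64),
                       ("script", SAMPLE_NOT_ELF)]:
        print(name, describe_elf(blob))
```

Run it on a real file with `describe_elf(open(path, "rb").read(64))`; a 32-bit x86 executable reports class ELF32 and machine EM_386, which is exactly what the article says the HoT builder produces.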
via: http://www.zdnet.com/linux-hot-bank-trojan-failed-malware-7000020436/
Translator: [Mr小眼儿][] Proofreader: 校对者ID