Linux users targeted by password-stealing 'Wirenet' Trojan
Open source gets some attention
Malware writers are interested in Linux after all. Russian security firm Dr Web has reported finding a shadowy Trojan that sets out to steal passwords on the open source platform as well as OS X.
Technical details of Wirenet.1’s operation and technique for spreading are sparse for now, but the company reports that the backdoor program targets browser passwords for Opera, Firefox, Chrome, Chromium, and as well as applications such as Thunderbird, SeaMonkey, Pidgin.
Under Linux it copies itself to the ~ / WIFIADAPT directory before attempting to connect to a command and control server hosted at 220.127.116.11 using an AES encrypted channel. That at least offers a simple way of blocking communication and any further payloads.
Related Articles on Techworld
Dr Web made a name for itself earlier this year reporting on the infamous Flashback Trojan that hit Mac users on an unprecedented scale.
It’s not clear whether Wirenet’s cross-platform capabilities extend to targeting Windows systems but it is possible that avoiding Microsoft’s OS is a way of keeping off the radar of security firms.
Cross platform malware is rare but not unheard of, the usual technique being to hook into Java in search of victims using OS X.
Malware specifically designed to steal credentials from Linux systems is almost unheard of but might, on the basis of this new discovery, become a little less so in future.
Should Linux users be worried? Probably not. the details of how this malware might grab root mode on a Linux system are unknown. Atacking Linux users would also be a pretty rarified activity unless it was part of a highly-targeted attack.
"We do not have explicit evidence that it uses Java. To my knowledge it does not. This file was received from Virustotal," Dr Web analyst Igor Zdobnov told Techworld.