Linux Users Targeted by Password-Stealing 'Wirenet' Trojan
Technical details of Wirenet.1's operation and technique for spreading are sparse for now, but the company reports that the backdoor program targets browser passwords for Opera, Firefox, Chrome, Chromium, and as well as applications such as Thunderbird, SeaMonkey, Pidgin.
Under Linux it copies itself to the ~ / WIFIADAPT directory before attempting to connect to a command and control server hosted at 220.127.116.11 using an AES encrypted channel. That at least offers a simple way of blocking communication and any further payloads.
Dr Web made a name for itself earlier this year reporting on the infamous Flashback Trojan that hit Mac users on an unprecedented scale.
It's not clear whether Wirenet's cross-platform capabilities extend to targeting Windows systems but it is possible that avoiding Microsoft's OS is a way of keeping off the radar of security firms.
Cross platform malware is rare but not unheard of, the usual technique being to hook into Java in search of victims using OS X.
Malware specifically designed to steal credentials from Linux systems is almost unheard of but might, on the basis of this new discovery, become a little less so in future.
"We do not have explicit evidence that it uses Java. To my knowledge it does not. This file was received from Virustotal," Dr Web analyst Igor Zdobnov told Techworld.