Hand Of Thief Trojan is Quickly Amputated – Linux Users, You’re Safe!
Last month we reported on the story of an extremely rare banking Trojan affecting Linux computers being offered for sale on underground cybercrime forums in Russia. Called the “Hand of Thief” by its designers, the virus purportedly featured backdoor and form grabbing capabilities, as well as the ability to block infected computers from accessing security websites or receiving updates. In addition, it was claimed that the malware ran on fifteen different distributions of Linux – in other words, every Linux user’s worst nightmare.
Except, the above claims have now all been brought into question. The same team of RSA researchers who first spotted the “Hand of Thief” now report that they’ve managed to get hold of the Trojan builder, which allows them to build and test their own version of the malware – and it seems that the supposed Linux-killer malware is not quite all it’s cracked up to be.
Yotam Gottesman at RSA’s FraudAction Research Labs wrote that, “The Trojan’s executable is a 32-bit compiled ELF, and as such, will only run on 32-bit versions of the Linux OS (running HoT on a 64-bit machine would require some workarounds).”
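The first thing an analyst checks on a suspected sample is exactly the property Gottesman describes: the ELF class byte in the file header, which says whether the binary was compiled for 32-bit or 64-bit. Below is an added example, not RSA’s code and not part of the original article, that parses the ELF identification header to report class, byte order, object type and target machine. The two sample headers are constructed inline and stand in for a 32-bit and a 64-bit x86 executable; no real malware bytes are involved.

```python
import struct

# Field encodings from the ELF specification (e_ident and the first header fields).
ELF_MAGIC = b"\x7fELF"
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little-endian", 2: "big-endian"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
E_MACHINE = {3: "x86 (i386)", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, type and machine from the first 20 bytes of an ELF file."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in EI_CLASS or ei_data not in EI_DATA:
        raise ValueError("unrecognised EI_CLASS or EI_DATA byte")
    # e_type and e_machine follow the 16-byte e_ident and use the file's own byte order.
    order = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    return {
        "class": EI_CLASS[ei_class],
        "endianness": EI_DATA[ei_data],
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
    }


def runs_natively(info: dict, host_is_64bit: bool) -> bool:
    """True when the binary matches the host word size.

    A 32-bit ELF on a 64-bit host is the case the RSA quote calls 'workarounds':
    the kernel can load it, but only if 32-bit userland libraries are installed.
    """
    if info["class"] == "ELF64":
        return host_is_64bit
    return not host_is_64bit


def make_header(ei_class: int, e_machine: int) -> bytes:
    """Constructed sample header (not from any real file): little-endian ELF executable."""
    e_ident = ELF_MAGIC + bytes([ei_class, 1, 1, 0]) + bytes(8)  # class, data, version, OS ABI, pad
    return e_ident + struct.pack("<HHI", 2, e_machine, 1)  # e_type=EXEC, e_machine, e_version


# Constructed samples standing in for a 32-bit and a 64-bit x86 executable.
SAMPLE_ELF32_X86 = make_header(1, 3)
SAMPLE_ELF64_X86 = make_header(2, 62)

if __name__ == "__main__":
    for name, blob in (("elf32", SAMPLE_ELF32_X86), ("elf64", SAMPLE_ELF64_X86)):
        info = parse_elf_header(blob)
        print(name, info, "runs natively on a 64-bit host:", runs_natively(info, True))
```

On a real file, `parse_elf_header(open(path, "rb").read(64))` gives the same answer `file(1)` prints, and a result of `ELF32` on a 64-bit test box explains why a sample may simply refuse to start unless 32-bit compatibility libraries are present.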
With regards to the configuration file, the main difference between Hand of Thief and other types of malware is that the builder embeds this file into the binary – which means that the botmaster is required to build a new binary in order to edit the information within it, then update the botnet. The file is quite versatile at least, allowing botmasters to edit the way in which the malware functions, for example by changing the list of blocked URLs infected computers can access.
“This part of the Trojan’s functions was accurately described by its vendor and confirmed by the actual analysis of the builder and config file,” writes Gottesman.
That might sound enticing, but it seems that Hand of Thief fails to live up to its promise of being compatible with 15 different Linux distributions. Gottesman’s team attempted to run the malware on test machines running Ubuntu 12.04 and Fedora 19 with default Chrome and Firefox browsers, but it failed to work as expected. In repeated tests, either the browsers crashed, the malware failed to run due to protection mechanisms within the OS, or the malware failed to grab requests cleanly, instead grabbing indiscriminately and creating tons of clutter in the drop server. The researchers added that on one occasion Hand of Thief even popped up with a “greetings” screen inside a terminal of an infected machine, alerting users to the infection – not the most ideal scenario for anyone trying to run a stealthy hacking operation.
Gottesman continues:
“Although it initially appeared to be a compelling new Trojan entrant, RSA’s in-depth analysis of the code proves it is a prototype more than true commercially viable malware, crashing the browsers on the infected machines and displaying overall inability to properly grab data. Furthermore, HoT can also be easily removed from the machine by deleting the files dropped during the HoT installation process.”
In other words, Hand of Thief isn’t even anywhere close to being the deadly threat to Linux users that researchers first thought – perhaps “Amputated Thief” might be a better name for it.