Beware 'Fedora-Redhat' Fake Security Alert
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.
Stay tuned.
It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of windows users, but as the audience of Linux is mostly tech-savy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
From shc's manpage:
Definitly doing something then, at least viewing the parent post.
Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At miniumum the "./inst" section should say "make install", which is much more common. So this would only effect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".
This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausable. They could have at LEAST gotten someone who knows English better.
Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/pa tch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.
Most people could have done better, IMHO.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Yes, but when this kind of thing happened on Windows, it was Windows' fault for not having the proper security mechanisms to stop it. The difference is that Windows will set up all users as administrators, true, but running as a plain user can be very bad too. The fact is, neither of the OSes provides (by default, at least) substantial protection from such attacks.
.NET have program/assembly-based security systems. But although the technology exists, it is very poorly handled, at least in the .NET front where I am experienced: There is no simple wizard to set up settings the way you want them, there is no popup dialog asking you how much you trust this executable and which permissions it should get. Such technology could go a long way in preventing such ridiculously simple attacks from succeeding in the future.
,the *real* reasons for Windows' pathetic security record would be no more. Never mind those vulnerabilities: I could give you a .exe that would delete all your documents, and you have but to click on it (I swear it decrypts HL2 from the Steam files :-) The same, of course, applies to Linux.
Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.
Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"
Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and
First time I saw a similar feature was in Kerio Personal Firewall, which would ask everytime a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).
In conclusion. I want to say that I believe if all people had:
1) Startup Monitor - Painfully simple, no one should be without it.
2) Kerio Personal Firewall, or equivalent
3) An executable monitor as described above.
* SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)
Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.
UNIX? They're not even circumcised! Savages!
And allowing only registered executables to run is a bad thing. Who should decide?
On my computer, I should decide, and the registration dealie should provide me with the information I need to make the decision.
The two parts of Microsoft's weird DRM thing I disagree with (with regards to running executables) are that the key is inaccessible to me, stashed somewhere in the BIOS, and that Microsoft is the one who decides what is safe and what isn't.
Like what I said? You might like my music
Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.
Malike Bamiyi wanted my assistance.