Weblog:   Linux Users: Welcome to the World of Malware
Subject:   Multiple trojan variants, but same story
Date:   2004-11-03 14:26:14
From:   RickMoen
This is just a follow-up in case people were wondering what I was talking about, in referring to the trojan being distributed from a shell account at Stanford U.: I was speaking of the instance of this code I came across, a bit over a week ago, discussed on a user group thread (note followup discussion). After itemising some of the obvious tip-offs, I advised the Stanford security office, and got the file removed and the patsy user informed of his account's compromise.


Researching news stories on this matter since my earlier posting here, I learned that another instance of the same idiot-bait trojan had been briefly offered from phony domain "fedora-redhat.com".


Additional tips that I failed to mention, last time:



  • The "alert" e-mail was in very brain-dead Microsoft-tinged HTML. Real RH security alerts are in GPG-signed ASCII.
  • The e-mail was also in very badly botched English. None of the real ones are.
  • The e-mail referred to the company as "RedHat". All of the real alerts correctly refer to it as Red Hat (Inc.).
  • The bogus distribution site referred to was claimed to be a "Fedora mirror site", but wasn't on the Fedora mirror list.


So, to reiterate, we of the Linux community would be at least a tiny bit sympathetic to new users who killed their systems on account of a clever forgery -- even though the sympathy would be tinged with pity that we would try to conceal, over the ineptitude entailed in short-circuiting all the measures in place to protect even the hapless -- but neither variant of this trojan was even clever.


Hey, even a TiVo (which is likewise a Linux computer, in case our feckless columnist doesn't realise that) can be shot in the foot by any sufficiently inept owner: Break into its root account and install some rootkit, and it's in trouble. But that would be willfully stupid on an epic scale -- same as with the discussed trojan.


Best Regards,
Rick Moen
rick@linuxmafia.com