LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 11-06-2004, 01:54 AM   #1
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Linux malware on the go


I received this alert from TrendMicro this morning and it is the first I have seen so people beware, especially RH users;

ELF_FAKEPATCH.A

is an executable that runs on Linux. ELF refers to Executable and Link Format, which is the well-documented and available file format for Linux/UNIX executables. It arrives via email, and retrieves network configuration and system information. The information is saved in the file "mama" , and
sent to a specific email address.
The email it sends is designed to trick users into believing it is a legitimate email sent by the RedHat Security Team, regarding critical security patches that must be downloaded. The email includes links to downloadable files, and encourages the recipients to click the links to download the patches.
When one of the specific files mentioned in the email is downloaded, the following files are found:

Inst.c source code of this malware
Makefile used to compile inst.c

When this Elf executable is already compiled, it produces the shell code that retrieves information from a machine. The shell code first checks whether it is executed in the root level. If not, it displays the following line in a console:
This patch must be applied as root; and you are: %User% (Note: %User% is the currently logged on user)
Afterward, it adds a user named "bash" with a null password and creates the file "mama" inside the temporary folder. It then obtains network configuration and system information, and saves it in the file mama. Next, it sends this file to the email address root@addlebrain.com. It then deletes the file from the system and starts SSHD (Secure Shell Server). Note: A Secure Shell Server provides secure encrypted communications between untrusted hosts over an untrusted network. It allows users to connect to a system from another system via TCP/IP, and obtain a shell prompt, from which they can issue commands and view output.
 
Old 11-06-2004, 02:31 AM   #2
ror
Member
 
Registered: May 2004
Distribution: Ubuntu
Posts: 583

Rep: Reputation: 33
you'd have to be pretty stupid to download something, compile it, chmod +x it, then not only that but run it as root without knowing what it is you're getting!
 
Old 11-06-2004, 03:07 AM   #3
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Original Poster
Rep: Reputation: 49
I wouldn't say stupid but gulable. How many times does this occur to Windows users? Probably most current nix users wouldn't be taken in but as the system becomes more commonly used the less techno minded might well be taken by this
 
Old 11-07-2004, 02:31 AM   #4
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Original Poster
Rep: Reputation: 49
Yesterday I contacted the admin of addlebrain.com and I have today received the following reply which I find very pleasing and responsible;

Rob,

I sincerely appreciate your email, as you're the first person to make
me aware of this issue.

Addlebrain.com provides free email service, which is provided and
maintained by Everyone.net. They were made aware of this issue
earlier, and terminated the account.

Thanks again for bringing this to my attention!

Best Regards,
John Thompson


-----Original Message-----
From:
Sent: Saturday, November 06, 2004 3:17 AM
To: technical@storeiq.com
Subject: Malware distribution from your e-mail server

Hi

I thought I would let you know that an e-mail account holder of yours is using
his account for actioning Linux malware.
The following advisory was sent out by TrendMicro today;

ELF_FAKEPATCH.A

is an executable that runs on Linux. ELF refers to Executable and Link Format,
which is the well-documented and available file format for Linux/UNIX
executables. It arrives via email, and retrieves network configuration and
system information. The information is saved in the file "mama" , and
sent to a specific email address.
The email it sends is designed to trick users into believing it is a
legitimate email sent by the RedHat Security Team, regarding critical
security patches that must be downloaded. The email includes links to
downloadable files, and encourages the recipients to click the links to
download the patches.
When one of the specific files mentioned in the email is downloaded, the
following files are found:

Inst.c source code of this malware
Makefile used to compile inst.c

When this Elf executable is already compiled, it produces the shell code that
retrieves information from a machine. The shell code first checks whether it
is executed in the root level. If not, it displays the following line in a
console:
This patch must be applied as root; and you are: %User% (Note: %User% is the
currently logged on user)
Afterward, it adds a user named "bash" with a null password and creates the
file "mama" inside the temporary folder. It then obtains network
configuration and system information, and saves it in the file mama. Next, it
sends this file to the email address root@addlebrain.com. It then deletes the
file from the system and starts SSHD (Secure Shell Server). Note: A Secure
Shell Server provides secure encrypted communications between untrusted hosts
over an untrusted network. It allows users to connect to a system from
another system via TCP/IP, and obtain a shell prompt, from which they can
issue commands and view output.

I am sure that all Linux users would be grateful if you terminated this
account immediately.

Regards,

Rob
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Spyware / Malware Threats? carlosinfl Linux - Security 5 11-24-2005 08:57 AM
Can linux/bsd firewall block malware? hottdogg General 1 11-19-2005 12:49 AM
The ultimate solution for Windows malware? Lim45 General 2 07-24-2005 11:27 AM
Spyware/Malware Content filtering? Kaashar Linux - Security 16 03-31-2005 10:06 PM
PHP/phpBB Malware/Scanning tool Capt_Caveman Linux - Security 1 03-27-2005 12:28 PM


All times are GMT -5. The time now is 07:37 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration