Yesterday I contacted the admin of addlebrain.com and I have today received the following reply, which I find very pleasing and responsible:
Rob,
I sincerely appreciate your email, as you're the first person to make
me aware of this issue.
Addlebrain.com provides free email service, which is provided and
maintained by Everyone.net. They were made aware of this issue
earlier, and terminated the account.
Thanks again for bringing this to my attention!
Best Regards,
John Thompson
-----Original Message-----
From:
Sent: Saturday, November 06, 2004 3:17 AM
To: technical@storeiq.com
Subject: Malware distribution from your e-mail server
Hi
I thought I would let you know that an e-mail account holder of yours is using
his account for actioning Linux malware.
The following advisory was sent out by TrendMicro today:
ELF_FAKEPATCH.A
is an executable that runs on Linux. ELF refers to Executable and Link Format,
which is the well-documented and available file format for Linux/UNIX
executables. It arrives via email, and retrieves network configuration and
system information. The information is saved in the file "mama", and
sent to a specific email address.
The email it sends is designed to trick users into believing it is a
legitimate email sent by the RedHat Security Team, regarding critical
security patches that must be downloaded. The email includes links to
downloadable files, and encourages the recipients to click the links to
download the patches.
When one of the specific files mentioned in the email is downloaded, the
following files are found:
Inst.c source code of this malware
Makefile used to compile inst.c
When this ELF executable is already compiled, it produces the shell code that
retrieves information from a machine. The shell code first checks whether it
is executed in the root level. If not, it displays the following line in a
console:
This patch must be applied as root; and you are: %User% (Note: %User% is the
currently logged on user)
Afterward, it adds a user named "bash" with a null password and creates the
file "mama" inside the temporary folder. It then obtains network
configuration and system information, and saves it in the file mama. Next, it
sends this file to the email address root@addlebrain.com. It then deletes the
file from the system and starts SSHD (Secure Shell Server). Note: A Secure
Shell Server provides secure encrypted communications between untrusted hosts
over an untrusted network. It allows users to connect to a system from
another system via TCP/IP, and obtain a shell prompt, from which they can
issue commands and view output.
I am sure that all Linux users would be grateful if you terminated this
account immediately.
Regards,
Rob
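The advisory above says the executable adds a user named "bash" with a null password before starting sshd. A quick host audit for that kind of change, as an added example (not part of the original post, the TrendMicro advisory, or any vendor tool), is to parse /etc/passwd and /etc/shadow and flag accounts with an empty password field, accounts with UID 0 other than root, and the account name the advisory names. The file contents below are constructed samples; the helper names are my own.

```python
"""Audit passwd/shadow-style content for passwordless or suspicious accounts.

Added example; the "bash" account name is the indicator quoted from the
advisory, and the sample file contents are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a normal system plus the account the advisory describes
# (user "bash" with an empty hash field in shadow, i.e. a null password).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bash:x:1001:1001::/home/bash:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hashedvalue:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
alice:$6$salt2$anotherhash:16000:0:99999:7:::
bash::16000:0:99999:7:::
"""

# Account name used by ELF_FAKEPATCH.A according to the advisory.
SUSPICIOUS_NAMES = {"bash"}


@dataclass
class Finding:
    user: str
    reason: str


def parse_colon_file(text: str) -> List[List[str]]:
    """Split colon-separated records, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Return findings for accounts a defender would want to look at."""
    findings: List[Finding] = []
    shadow_by_user: Dict[str, List[str]] = {
        f[0]: f for f in parse_colon_file(shadow_text) if len(f) >= 2
    }
    for fields in parse_colon_file(passwd_text):
        if len(fields) < 7:
            continue  # malformed passwd line; not a valid account record
        user, pw, uid = fields[0], fields[1], fields[2]
        # An empty second field in passwd means no password is required.
        if pw == "":
            findings.append(Finding(user, "empty password field in passwd"))
        # An empty hash field in shadow is a null password as well.
        sh = shadow_by_user.get(user)
        if sh is not None and sh[1] == "":
            findings.append(Finding(user, "empty password hash in shadow"))
        # Any extra UID-0 account is a classic persistence sign.
        if uid == "0" and user != "root":
            findings.append(Finding(user, "non-root account with UID 0"))
        if user in SUSPICIOUS_NAMES:
            findings.append(Finding(user, "account name matches advisory indicator"))
    return findings


def main() -> None:
    # On a real host, read /etc/passwd and /etc/shadow (as root) instead.
    for f in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run it against the constructed samples and it reports only the "bash" account, once for the empty shadow hash and once for the name match; on a live system, feed it the real files and treat any empty-hash or extra UID-0 result as something to investigate alongside unexpected sshd start-ups.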