I received this alert from TrendMicro this morning and it is the first I have seen so people beware, especially RH users;

ELF_FAKEPATCH.A

is an executable that runs on Linux. ELF refers to Executable and Link Format, which is the well-documented and available file format for Linux/UNIX executables. It arrives via email, and retrieves network configuration and system information. The information is saved in the file "mama" , and
sent to a specific email address.
The email it sends is designed to trick users into believing it is a legitimate email sent by the RedHat Security Team, regarding critical security patches that must be downloaded. The email includes links to downloadable files, and encourages the recipients to click the links to download the patches.
When one of the specific files mentioned in the email is downloaded, the following files are found:

Inst.c source code of this malware
Makefile used to compile inst.c

When this Elf executable is already compiled, it produces the shell code that retrieves information from a machine. The shell code first checks whether it is executed in the root level. If not, it displays the following line in a console:
This patch must be applied as root; and you are: %User% (Note: %User% is the currently logged on user)
Afterward, it adds a user named "bash" with a null password and creates the file "mama" inside the temporary folder. It then obtains network configuration and system information, and saves it in the file mama. Next, it sends this file to the email address root@addlebrain.com. It then deletes the file from the system and starts SSHD (Secure Shell Server). Note: A Secure Shell Server provides secure encrypted communications between untrusted hosts over an untrusted network. It allows users to connect to a system from another system via TCP/IP, and obtain a shell prompt, from which they can issue commands and view output.

you'd have to be pretty stupid to download something, compile it, chmod +x it, then not only that but run it as root without knowing what it is you're getting!

I wouldn't say stupid but gulable. How many times does this occur to Windows users? Probably most current nix users wouldn't be taken in but as the system becomes more commonly used the less techno minded might well be taken by this

Yesterday I contacted the admin of addlebrain.com and I have today received the following reply which I find very pleasing and responsible;

Rob,

I sincerely appreciate your email, as you're the first person to make
me aware of this issue.

Addlebrain.com provides free email service, which is provided and
maintained by Everyone.net. They were made aware of this issue
earlier, and terminated the account.

Thanks again for bringing this to my attention!

Best Regards,
John Thompson


-----Original Message-----
From:
Sent: Saturday, November 06, 2004 3:17 AM
To: technical@storeiq.com
Subject: Malware distribution from your e-mail server

Hi

I thought I would let you know that an e-mail account holder of yours is using
his account for actioning Linux malware.
The following advisory was sent out by TrendMicro today;

ELF_FAKEPATCH.A

is an executable that runs on Linux. ELF refers to Executable and Link Format,
which is the well-documented and available file format for Linux/UNIX
executables. It arrives via email, and retrieves network configuration and
system information. The information is saved in the file "mama" , and
sent to a specific email address.
The email it sends is designed to trick users into believing it is a
legitimate email sent by the RedHat Security Team, regarding critical
security patches that must be downloaded. The email includes links to
downloadable files, and encourages the recipients to click the links to
download the patches.
When one of the specific files mentioned in the email is downloaded, the
following files are found:

Inst.c source code of this malware
Makefile used to compile inst.c

When this Elf executable is already compiled, it produces the shell code that
retrieves information from a machine. The shell code first checks whether it
is executed in the root level. If not, it displays the following line in a
console:
This patch must be applied as root; and you are: %User% (Note: %User% is the
currently logged on user)
Afterward, it adds a user named "bash" with a null password and creates the
file "mama" inside the temporary folder. It then obtains network
configuration and system information, and saves it in the file mama. Next, it
sends this file to the email address root@addlebrain.com. It then deletes the
file from the system and starts SSHD (Secure Shell Server). Note: A Secure
Shell Server provides secure encrypted communications between untrusted hosts
over an untrusted network. It allows users to connect to a system from
another system via TCP/IP, and obtain a shell prompt, from which they can
issue commands and view output.

I am sure that all Linux users would be grateful if you terminated this
account immediately.

Regards,

Rob