Weblog:   Linux Users: Welcome to the World of Malware
Subject:   Acute disappointment
Date:   2004-11-03 13:13:52
From:   RickMoen
I'm woefully disappointed by this article, having come here in expectation that it would meet O'Reilly's generally high standards and allow me to learn something new on the subject. Instead, I find a piece that I can only hope reflects profound and embarrassing ignorance.

  • The e-mail purported to be from Red Hat's Security Team, yet it wasn't GPG-signed. All such alerts are GPG-signed.
  • It purported to be a company security alert, but wasn't on the alerts mailing list. All RH alerts go to that list.
  • It purported to direct users to the Stanford University Red Hat mirror -- yet the cited directory wasn't that mirror, but rather (very obviously) the shell account tree of some individual. (It turned out to be, predictably, a compromised account, after I alerted Stanford Security to the problem and they immediately removed the file, hours after this scame was launched.) All RH security packages are issued from the company's official updates directories.
  • Leaving aside the obvious dodginess of expecting people to believe that Red Hat would issue security updates from unrelated university servers, let alone some individual's shell account on that server.
  • The file pointed to wasn't GPG-signed, either. All RH security packages are GPG-signed.
  • The file pointed to wasn't an RPM. (It was a tarball of a shell-script trojan, rendered into C-code format using Francisco Rosales's Generic Script Compiler in an effort to obscure its purpose.) All RH security packages are issued as RPMs.

In order for some gullible Linux user to be fooled by this, he would not only have had to ignored all of those extremely blatant warning signs, but also have retrieved the tarball, unpacked it, figured out (from the Makefile) without a README that he had to do "make inst" (because the miscreant botched the Makefile, omitting any default "make" target) then become the root user, and last type "./inst" to "apply the patch" [sic].

So, you're assumping a Linux user who's simultaneously sophisticated enough to download badly bungled source-code tarballs and compile them, and also mind-bogglingly stupid enough to run flagrantly untrustworthy code from an unverified source with root-user authority. This probably describes the empty set.

We of the Linux community are well aware that epic levels of stupidity do occur, and are prepared to help such users by saying "Wow, that's a really big hole you just shot in your foot. Would you like to learn how to aim elsewhere, next time? We're glad to teach you."

Meanwhile, an alleged security expert claiming this is something new and shows that Linux users must newly "be suspicious of any e-mail they receive" is either extremely ignorant or is shading the truth. I'll be polite and assume ignorance.

Mr. Gralla, not a single one of the 123 MUAs available for Linux can run escalate to root authority by itself. Not a single one unpacks and builds dodgy malware from source by itself, su's to root, and runs it with root authority. To the best of my ability to tell, not one of the 123 even saves received files with the executable bit set. If any ever did -- even the last of those -- the community would have at the author with the Clue-by-Four of Enlightenment until he fixed it or the entire world knew that the software was reckless as, well, Outlook Express or Internet Explorer, and thus to be eschewed by all.

O'Reilly can surely do better than this.

Best Regards,
Rick Moen