This is just a follow-up in case people were wondering what I was talking about, in referring to the trojan being distributed from a shell account at Stanford U.: I was speaking of the instance of this code I came across, a bit over a week ago, discussed on a user group thread (note followup discussion). After itemising some of the obvious tip-offs, I advised the Stanford security office, and got the file removed and the patsy user informed of his account's compromise.
Researching news stories on this matter since my earlier posting here, I learned that another instance of the same idiot-bait trojan had been briefly offered from phony domain "fedora-redhat.com".
Additional tips that I failed to mention, last time:
- The "alert" e-mail was in very brain-dead Microsoft-tinged HTML. Real RH security alerts are in GPG-signed ASCII.
- The e-mail was also in very badly botched English. None of the real ones are.
- The e-mail referred to the company as "RedHat". All of the real alerts correctly refer to it as Red Hat (Inc.).
- The bogus distribution site referred to was claimed to be a "Fedora mirror site", but wasn't on the Fedora mirror list.
So, to reiterate, we of the Linux community would be at least a tiny bit sympathetic to new users who killed their systems on account of a clever forgery -- even though the sympathy would be tinged with pity that we would try to conceal, over the ineptitude entailed in short-circuiting all the measures in place to protect even the hapless -- but neither variant of this trojan was even clever.
Hey, even a TiVo (which is likewise a Linux computer, in case our feckless columnist doesn't realise that) can be shot in the foot by any sufficiently inept owner: Break into its root account and install some rootkit, and it's in trouble. But that would be willfully stupid on an epic scale -- same as with the discussed trojan.