October 28, 2004

Red Hat email scam: Hard target or harbinger for Linux?

Author: Jay Lyman

Linux devotees like to talk about the operating system and its various
distributions as pretty much invulnerable to the kind of virus, worm, and
trojan attacks perpetrated against Windows. The recent Red Hat Linux email scam
does not refute this idea, but it does highlight the change in threat that
comes along with a growing and changed Linux user universe, which now
includes newbies and others who just might fall for an amateur phishing scam
or other trick.

In fact, security experts such as Bastille Linux Project lead developer and
Intelguardians consultant Jay Beale indicate there probably were some Red Hat
Linux users who fell for the bogus Fedora "patch" pitch, despite its apparent
amateur assembly and total divergence from Red Hat's normal update procedure
for its distributions.

Bad English helped give scam away

"I think there probably were a few takers," Beale said, pointing to the
simplistic, clever email that nonetheless contained tipoffs such as
inaccurate English.

Still, Beale said the email -- reportedly formatted in Windows and mailed to
non-Linux users -- did contain a bogus link for the supposed patch that was
not far off the mark. The Linux phishing expedition urged users to "download
the patch from the Security RedHat mirror:
www.fedora-redhat.com/fileutils-1.0.6patch." The actual update site -- Red Hat
normally updates automatically via RPMs rather than by patching -- has the
address http://www.download.fedora.com/.

"It wasn't amazingly far off," Beale said of the bogus site that held
trojan updates for victims.

Much of the bogus email from the nonexistent "RedHat Security Team" carried
other tell-tale signs of a fake: it called for a manual patch download rather
than the automatic update that most users rely on AutoUpdate, Yum, or another
utility to perform through RPM downloads.

But even with all of those warning signs for a far more technically savvy
user base, the phishing scam likely netted some new Linux users as well as
more advanced and experienced devotees who are not used to having their chains
yanked in a Windows way.

"This particular phishing scam was badly done," Beale said. "But if
they'd been more elegant, perhaps gotten the English translation better,
they probably would've gotten more people."

More attacks on Linux may be in offing

While the embarrassment of getting hooked by such a script-kiddie con may
be harsher than divulging data or having one's open source-powered machine
compromised, Beale said there are likely more attacks and attack victims
coming to Linux.

"Part of it is just awareness, even among experienced users," Beale said.

The security expert indicated that despite a better ability to defend
Linux, which is also more robust than Windows, users are likely to get
dumber as the attackers get smarter.

"As we get more and more mainstream users, they're going to be less
savvy," Beale said. "At the same time, it's naïve to say we won't see this
[type of attack] get better. You will see [attacks] on Linux, they're just a
lot harder to pull off, a lot harder to get right and the bang for the buck
is much smaller [than with Windows]."

Beale does not envision Linux suffering from the same kind of onslaught
that has resulted from the tight integration among programs and functions in
Windows. However, he said the changes in user population and attack
opportunity will bring more fire on popular Linux distributions.

"I think as we get more mainstream users in the community and as these
scams get better, they're likely to nab more people," Beale said.

iDefense director of malicious code intelligence Ken Dunham agreed,
adding that although the Red Hat phishing scheme was a low-level threat,
users of Linux may be turning into a more likely target.

User base changes, as do threats

"The user group has changed," Dunham said. "You now have a Windows-like
interface for people [with Linux distributions]. As we see the user base
change, so do the threats."

Dunham, who said the illicit link in the Fedora fake was taken offline before
it could compromise many users anyway, said the change in the security
landscape for Linux is happening slowly. He also pointed to the significant
difference in security between a fully patched Unix box and a fully patched
Windows machine.

"If [Linux] becomes as widespread and popular as Windows, it might start
to change things," Dunham said. "That's just not the case today."
