RedHat Linux Targeted by Hackers - Microsoft Windows



Thread: RedHat Linux Targeted by Hackers

  1. RedHat Linux Targeted by Hackers

    | Trojan Horse Poses As RedHat Linux Update
    | Sun Jan 11,11:00 PM ET
    |
    |
    | Gregg Keizer, TechWeb News
    |
    | A new Swen-style Trojan horse posing as a critical update from RedHat has
    | been detected on the Internet, and users who open the e-mail message may
    | find their machines loaded with a back-door Trojan that can steal
    | passwords or be used in conjunction with other systems to conduct major
    | denial-of-service (DoS) attacks.
    |
    |
    | Dubbed Trojan.Xombe (as in zombie) by most security firms, the Trojan
    | shares some characteristics of the Swen worm family in that it masquerades
    | as a message from RedHat and purports to carry a security update in its
    | file attachment. However, unlike Swen--a worm which first appeared last
    | September--Trojan.Xombe doesn't self-replicate.
    |
    |
    | "This Trojan was spammed out to a large number of computers overnight,"
    | said Ken Dunham, the director of malicious code at iDefense, a Reston,
    | Va.-based security intelligence firm. By using spamming strategies,
    | attackers hope to infect hundreds, even thousands, of machines before
    | users realize what's up, or anti-virus companies can react with updated
    | definition files.
    |
    |
    | The faux message, which sports a spoofed sending address of
    | linuxupdate@RedHat.com, uses the subject line 'RedHat Linux Service Pack 1
    | (Express)--Critical Update' to trick recipients into opening the attached
    | file.
    |
    |
    | "Linux Update has determined that you are running a beta version of Linux
    | Service Pack 1 (SP1)," the message's text reads in part. "To help improve
    | the stability of your computer, RedHat recommends that you remove the beta
    | version of Linux SP1 and re-install Linux SP1." The message goes on to
    | urge the user to run the Linux_sp1.rpm file attachment to re-install SP1,
    | and recommends that the user install the update as ROOT, otherwise it "may
    | interfere with the installation."
    |
    |
    | Lies. All lies.
    |
    |
    | "The Trojan definitely downloads malicious code and installs it on the
    | system," confirmed Dunham. By his analysis, Trojan.Xombe downloads a back-
    | door IRC Trojan horse to the compromised machine. Once that's installed,
    | attackers can access the PC undetected, add other code to the computer--
    | such as key trackers for acquiring passwords--and use the machine to
    | launch DoS attacks on other machines.
    |
    |
    | Trojan.Xombe, and socially engineered attacks like it--including phishing
    | expeditions such as the MiMail worm, another exploit that pretends to be
    | something it isn't in the hope that people will open the file attachment--
    | are the confirmation security professionals were looking for that 2004
    | will be a rough, rocky year.
    |
    |
    | "Attackers use the social engineering trends of the moment," said Vincent
    | Weaver, senior director of Symantec's security response center. Touting a
    | security update is only natural for hackers, he added, what with the
    | increased awareness of many computer users of ongoing security issues with
    | Linux.
    |
    |
    | Trojan.Xombe is also a good example of another trend first spotted in
    | 2003, but certain to continue this year, said Dunham.
    |
    |
    | "Trojans are being integrated into almost every piece of malicious code,"
    | he said. More than anything, hackers today want to amass an army of
    | compromised machines--typically called zombies--that they can then use for
    | other purposes.
    |
    |
    | "A lot of people are worried about the next super worm," he said, "but
    | that's not the real threat we'll see in 2004. The real threat is in Trojan
    | horses. The goal of attackers is really about Trojans and remote control
    | of other computers, for stealing passwords and targeted DoS attacks. It's
    | not about fun and notoriety anymore. It's about money and power."
    |
    |
    | Security firms, including Symantec, Network Associates, and Sophos, have
    | posted alerts on their Web sites warning users of Trojan.Xombe, but
    | disagree on the severity of the problem. Symantec, for instance, currently
    | ranks the Trojan as a level '2' threat in its 1 through 5 rating system,
    | while Network Associates tags Xombe with a 'low' threat assessment.
    |
    |
    | The best defense against bogus e-mails carrying nasty payloads? "A lot of
    | people see an e-mail and think that it's true," said Dunham. "But
    | everything should be looked at with a degree of skepticism and concern,
    | rather than trust."
    |
    |
    | Symantec's Weaver also reminded users that RedHat never delivers security
    | updates via e-mail, and urged people to scan suspicious messages for tell-
    | tale signs of a scam, such as misspelled words and awkward syntax, both of
    | which are evident in the message loaded with Trojan.Xombe.
    |
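As an added defender-side example (not part of the thread or the article), the following Python script checks a raw e-mail for the three indicators the article names, the claimed redhat.com sender, the "Service Pack 1 ... Critical Update" subject and the Linux_sp1.rpm attachment, and applies Weaver's rule that Red Hat never ships updates by e-mail. The sample message, the indicator names and the two-indicator threshold are assumptions made for the example.

```python
"""Flag e-mails matching the Trojan.Xombe lure described in the article."""
import email
from email import policy
from email.utils import parseaddr

# Indicators taken from the article; the sample message below is constructed.
LURE_DOMAIN = "redhat.com"
LURE_SUBJECT_MARKERS = ("service pack 1", "critical update")
LURE_ATTACHMENT = "linux_sp1.rpm"


def xombe_indicators(raw: bytes) -> list:
    """Return the names of the Xombe-style indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "").lower()
    attachments = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    hits = []
    # Red Hat does not deliver updates by e-mail, so a redhat.com sender with any attachment is suspicious.
    if domain == LURE_DOMAIN and attachments:
        hits.append("redhat-sender-with-attachment")
    if all(marker in subject for marker in LURE_SUBJECT_MARKERS):
        hits.append("xombe-subject")
    if any(name.endswith(".rpm") for name in attachments):
        hits.append("rpm-attachment")
    if LURE_ATTACHMENT in attachments:
        hits.append("xombe-attachment-name")
    return hits


def is_xombe_lure(raw: bytes) -> bool:
    """Two or more independent indicators are treated as the Xombe lure (assumed threshold)."""
    return len(xombe_indicators(raw)) >= 2


# Constructed sample of the lure as the article describes it (dummy payload, no real Trojan).
LURE_MAIL = b"""From: Linux Update <linuxupdate@RedHat.com>
Subject: RedHat Linux Service Pack 1 (Express)--Critical Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Linux Update has determined that you are running a beta version of SP1.
--b1
Content-Type: application/octet-stream; name="Linux_sp1.rpm"
Content-Disposition: attachment; filename="Linux_sp1.rpm"

AAAA
--b1--
"""
```

Running `is_xombe_lure(LURE_MAIL)` returns True with all four indicators, while a plain text advisory from a redhat.com address with no attachment produces no hits.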


  2. Re: RedHat Linux Targeted by Hackers

    This is a fake and the article's been doctored. Here's the link to the
    legitimate article.

    http://www.techweb.com/wire/story/TWB20040109S0009

    See also

    http://securityresponse.symantec.com...jan.xombe.html


    linuxupdate@redhat.com wrote:



