Red Hat hit by security-update email scam

By Matt Whipp

Posted on 25 Oct 2004 at 12:49

Red Hat is warning users that an email purporting to be a security update may contain malicious code.

The email - which began appearing last Friday - uses a security@redhat.com address in the from field and the subject line 'RedHat: "Buffer Overflow in 'ls' and 'mkdir'". However it does not use Red Hat's digital signature and has nothing to do with the company.

The email urges the recipient to download and install a patch from the Internet. But it is likely that whatever code the email links to will do more harm than good.

Mark Cox, Red Hat Security Response Team, said: 'Red Hat has been made aware that emails are circulating that pretend to come from the Red Hat Security Team. These emails tell users to download and install malicious updates. These trojan updates contain malicious code designed to compromise the systems they are run on. Official messages from the Red Hat security team are never sent unsolicited, are always sent from the address secalert@redhat.com and are digitally signed by GPG. In addition, all updates for Red Hat products are digitally signed and should not be installed unless the signature is verified. For more details see www.redhat.com/security/team/key.html'

The ruse has been successfully used against Windows users in the past, when for example last March Sober.D attempted to dupe victims into opening an attachment by suggesting it was an official patch from Microsoft to clean up MyDoom infections.