Security Incidents mailing list archives

[ISN] Ramen Linux worm mutating, multiplying (fwd)


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Tue, 23 Jan 2001 10:50:45 -0800

Note the story below by Rob Lemos about mutating ramen.

I was curious about this, not having seen evidence of it myself, so I'd
like to start a thread of watching and cataloging the mutations using
dates and md5 checksums.

We had a system get infected last night (with the original ramen
worm).  Here is the pertinent data:

% date
Tue Jan 23 10:35:08 PST 2001

% tar -tvzf ../ramen.tgz
-rw-r--r-- root/root       267 2001-01-12 16:47 asp
-rwxr-xr-x root/root     12546 2001-01-11 20:34 asp62
-rwxr-xr-x root/root     14180 2001-01-11 20:58 asp7
-rwxr-xr-x root/root       285 2001-01-13 11:40 bd62.sh
-rwxr-xr-x root/root       213 2001-01-11 20:25 bd7.sh
-rwxr-xr-x root/root       553 2001-01-11 20:26 getip.sh
-rwxr-xr-x root/root        67 2001-01-13 12:34 hackl.sh
-rwxr-xr-x root/root        67 2001-01-13 11:28 hackw.sh
-rwxr-xr-x root/root       373 2001-01-13 11:10 index.html
-rwxr-xr-x root/root     19632 2001-01-13 12:05 l62
-rwxrwxr-x root/root     21358 2001-01-13 13:10 l7
-rwxr-xr-x root/root       210 2001-01-13 11:26 lh.sh
-rwxr-xr-x root/root     12331 2001-01-11 20:34 randb62
-rwxr-xr-x root/root     13973 2001-01-11 20:58 randb7
-rwxr-xr-x root/root     19619 2001-01-13 12:05 s62
-rwxrwxr-x root/root     21721 2001-01-13 13:13 s7
-rwxr-xr-x root/root       216 2001-01-11 20:26 scan.sh
-rwxr-xr-x root/root       434 2001-01-11 20:49 start.sh
-rwxr-xr-x root/root       112 2001-01-13 11:24 start62.sh
-rwxr-xr-x root/root       112 2001-01-13 11:24 start7.sh
-rwxr-xr-x root/root     25888 2001-01-11 20:37 synscan62
-rwxr-xr-x root/root     27076 2001-01-11 20:58 synscan7
-rwxr-xr-x root/root     34620 2001-01-13 12:05 w62
-rwxrwxr-x root/root     36706 2001-01-13 13:13 w7
-rwxr-xr-x root/root        35 2001-01-13 11:27 wh.sh
-rwxr-xr-x root/root     34588 2001-01-11 20:28 wu62

% md5sum *
c5d0472cb7ce21d526092fc265a10f5a  asp
69be0c0b396a2ed31881613cc7dc8da5  asp62
63d9d9049e731704542dd27aa77e39a4  asp7
f9b9bed261853a2f81bb6c6dc543d610  bd62.sh
6aa4cb66d0bf204e440f416c3726c6c1  bd7.sh
43a0a292bf37eaedeaa3559782eef2ae  getip.sh
23e57da4855ae75d0d83166dffd3ae80  hackl.sh
11c70c95a04af1447701a18809f2acf2  hackw.sh
e5fa5577c277231124ef254575af8375  index.html
a2cb325afc434d1199d87ed6ca0325e1  l62
ca778a2cc34a72a24e743d9bc915c11b  l7
e80dbac8519afd944aa69a8e11597ee3  lh.sh
e1b9d3adfdfaa5dc8b93f8bf3aae664d  randb62
06fe14fcdc6dadcd3f78e14121fa7b8c  randb7
4859f502b336a2f18367c94bda7c9bfc  s62
0b7efd40e89c7a684fcf8950eda41a0d  s7
50f3c66c6b72d70e2470b5dd8a1e23c1  scan.sh
71feec726591d84cea09c54743a830c9  start.sh
9145bbbc507a6e96218cadf1468e7291  start62.sh
9145bbbc507a6e96218cadf1468e7291  start7.sh
740f16e83bca92e21e579d3f596508e2  synscan62
e1ba71f6618ea60b52d3d5e77156fc59  synscan7
638a8cab9e68f79ea795cce3d3558305  w62
157461331922d8112b5bc7d33b2067e1  w7
1a2dd28245d6c47b9a279584a7209a21  wh.sh
4e15ddf3cfd4e4ae8d8a87e38757e532  wu62

% cat index.html
<html>
<head><title>Ramen Crew</title></head>
<body bgcolor=white text=black>
<font face=arial>
<center><font size=+3>RameN Crew</font><center><br>
<br>
<br>
<center>Hackers looooooooooooooooove noodles.™


<br><br><br><br><br><br><br><br><br><br><br><br>

<font size=-1><b>This site powered by<b><br>
<img src="http://www.nissinfoods.com/tr_oriental.jpg";>
<body>
</html>


If anyone finds anything different, please note those differences.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
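An added helper for the cataloging Dave proposes above (example code written for this archive page, not from the original post or the worm itself): it parses `md5sum` output, compares a later capture of ramen.tgz against a few entries of the baseline listing above, and reports which files changed, appeared or disappeared. The second capture and its two digests are constructed placeholders, not real worm checksums.

```python
"""Catalog ramen.tgz captures by md5 and report what changed between two captures."""
import re

# Baseline: entries copied from the md5sum output posted above (original worm).
BASELINE_MD5SUM = """\
e5fa5577c277231124ef254575af8375  index.html
71feec726591d84cea09c54743a830c9  start.sh
9145bbbc507a6e96218cadf1468e7291  start62.sh
9145bbbc507a6e96218cadf1468e7291  start7.sh
1a2dd28245d6c47b9a279584a7209a21  wh.sh
"""

# Constructed later capture: index.html replaced (the kind of edit the CNET story
# describes), wh.sh absent, one extra file. Both 0000...1/2 digests are made up.
SAMPLE_MD5SUM = """\
00000000000000000000000000000001  index.html
71feec726591d84cea09c54743a830c9  start.sh
9145bbbc507a6e96218cadf1468e7291  start62.sh
9145bbbc507a6e96218cadf1468e7291  start7.sh
00000000000000000000000000000002  extra.sh
"""

MD5_LINE = re.compile(r"^([0-9a-f]{32}) [ *](.+)$")  # text ("  ") or binary (" *") mode

def parse_md5sum(text):
    """Parse `md5sum` output into {filename: digest}; lines that do not match are skipped."""
    catalog = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.rstrip())
        if m:
            catalog[m.group(2)] = m.group(1)
    return catalog

def diff_catalogs(baseline, sample):
    """Classify each file of the new capture relative to the baseline catalog."""
    return {
        "changed": sorted(f for f in sample if f in baseline and sample[f] != baseline[f]),
        "added": sorted(f for f in sample if f not in baseline),
        "missing": sorted(f for f in baseline if f not in sample),
    }

def report(capture_date, baseline_text, sample_text):
    """One catalog entry for the thread: capture date plus the per-file differences."""
    diff = diff_catalogs(parse_md5sum(baseline_text), parse_md5sum(sample_text))
    lines = [f"{capture_date}: {len(diff['changed'])} changed, "
             f"{len(diff['added'])} added, {len(diff['missing'])} missing"]
    for kind in ("changed", "added", "missing"):
        lines.extend(f"  {kind}: {f}" for f in diff[kind])
    return lines
```

Note that start62.sh and start7.sh carry the same digest in the posted listing, so a variant that edits only one of them shows up as a single changed entry.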

---------- Forwarded message ----------
Date: Mon, 22 Jan 2001 23:55:12 -0600
Subject: [ISN] Ramen Linux worm mutating, multiplying
From: InfoSec News <isn () C4I ORG>
To: ISN () SECURITYFOCUS COM

http://news.cnet.com/news/0-1003-201-4561189-0.html?tag=st.ne.1002.bgif.sf

By Robert Lemos
Special to CNET News.com
January 22, 2001, 12:50 p.m. PT

Online vandals may have modified the Ramen Linux worm discovered last
week to automatically deface sites with their own Web pages, one
expert said Monday.

"Several (vandal) groups are suddenly switching to Red Hat," said Matt
Dickerson, also known as "Munge," a staff member at security group
Attrition.org. "We think they are modifying the HTML pages in the worm
with their own text and graphics."

He added that when groups switch to an operating system they haven't
historically used--and seemingly know nothing about--that means they
are using a new hacking tool to do their dirty work.

As earlier reported, the Ramen worm is a self-spreading program that
has been cobbled together from several such tools and focuses on
versions 6.2 and 7.0 of Red Hat's Linux operating system. The flaws
exploited by the worm, however, affect other Linux distributions and
some Unix systems as well.

Depending on the version of the operating system it's infecting, Ramen
can use well-known flaws in Washington University's FTP server
software, a component of the Remote Procedure Call services or the
printing software LPrng. These programs are normally placed on servers
during the default installation of Red Hat 6.2 and 7.0.

Patches are available for all the flaws used by the worm.

After the worm finds a vulnerable server, it uses the vulnerability to
copy itself to the server, replace the front Web page with its own,
and then starts scanning for other insecure servers.

Ramen also eliminates the vulnerable programs from the server, thus
protecting itself from other instances of the Ramen worm and other
vandals using the same vulnerabilities.

Last week, NASA, a Taiwanese motherboard maker and Texas A&M
University all got infected by the worm, according to Attrition.org.

After the worm was discovered early last week, the Computer Emergency
Response Team at Carnegie Mellon University released an advisory
describing the workings of the program. For the most part, the worm
can be removed easily from servers.

Several other organizations reportedly have been infected this week,
including U.K.-based localization company Babel Media and the
under-construction Siamstore.com.

Other recent attacks and defacements on Red Hat servers are thought to
be due to a modified version of the worm, even when the trademarked
"RameN Crew" Web page is not displayed.

Data from Attrition.org--the most complete source of hacker data on
the Web--has shown a definite spike in attacks on Red Hat servers in
the past couple of weeks.

It's likely that the increase in activity is due to the worm, said
Attrition's Dickerson.

And more can be expected.

At last count, there were more than 780,000 public servers on the Web
running Red Hat 6.2 and 7.0, according to Web survey firm Netcraft.
Since only 17 percent of Linux servers can be identified with the
methods used by Netcraft, in practice the actual number of vulnerable
servers could easily be in the millions.

With that much growing space, the fear among experts is not that the
current worm will spread but that nastier varieties will attempt to
use the same flaws to gain access to online servers.

"This worm doesn't do anything all that bad," Lance Spitzner,
coordinator with the security group Honeynet Project, said in an
interview last week. "It could be much, much worse."

Spitzner hopes that the worm will make system administrators and
everyday users who have systems on the Internet take another look at
their security.

"If you patched it, Red Hat can be as secure as anyone else," he said.
"But you have to patch."

ISN is hosted by SecurityFocus.com