Ramen Linux worm mutating, multiplying

[InfoSec News <isn () C4I ORG>]

http://news.cnet.com/news/0-1003-201-4561189-0.html?tag=st.ne.1002.bgif.sf

By Robert Lemos
Special to CNET News.com
January 22, 2001, 12:50 p.m. PT

Online vandals may have modified the Ramen Linux worm discovered last
week to automatically deface sites with their own Web pages, one
expert said Monday.

"Several (vandal) groups are suddenly switching to Red Hat," said Matt
Dickerson, also known as "Munge," a staff member at security group
Attrition.org. "We think they are modifying the HTML pages in the worm
with their own text and graphics."

He added that when groups switch to an operating system they haven't
historically used--and seemingly know nothing about--that means they
are using a new hacking tool to do their dirty work.

As earlier reported, the Ramen worm is a self-spreading program that
has been cobbled together from several such tools and focuses on
versions 6.2 and 7.0 of Red Hat's Linux operating system. The flaws
exploited by the worm, however, affect other Linux distributions and
some Unix systems as well.

Depending on the version of the operating system it's infecting, Ramen
can use well-known flaws in Washington University's FTP server
software, a component of the Remote Procedure Call services or the
printing software LPrng. These programs are normally placed on servers
during the default installation of Red Hat 6.2 and 7.0.

Patches are available for all the flaws used by the worm.

After the worm finds a vulnerable server, it uses the vulnerability to
copy itself to the server, replace the front Web page with its own,
and then starts scanning for other insecure servers.

Ramen also eliminates the vulnerable programs from the server, thus
protecting itself from other instances of the Ramen worm and other
vandals using the same vulnerabilities.

Last week, NASA, a Taiwanese motherboard maker and Texas A&M
University all got infected by the worm, according to Attrition.org.

After the worm was discovered early last week, the Computer Emergency
Response Team at Carnegie Mellon University released an advisory
describing the workings of the program. For the most part, the worm
can be removed easily from servers.

Several other organizations reportedly have been infected this week,
including U.K.-based localization company Babel Media and the
under-construction Siamstore.com.

Other recent attacks and defacements on Red Hat servers are thought to
be due to a modified version of the worm, even when the trademarked
"RameN Crew" Web page is not displayed.

Data from Attrition.org--the most complete source of hacker data on
the Web--has shown a definite spike in attacks on Red Hat servers in
the past couple of weeks.

It's likely that the increase in activity is due to the worm, said
Attrition's Dickerson.

And more can be expected.

At last count, there were more than 780,000 public servers on the Web
running Red Hat 6.2 and 7.0, according to Web survey firm Netcraft.
Since only 17 percent of Linux servers can be identified with the
methods used by Netcraft, in practice the actual number of vulnerable
servers could easily be in the millions.

With that much growing space, the fear among experts is not that the
current worm will spread but that nastier varieties will attempt to
use the same flaws to gain access to online servers.

"This worm doesn't do anything all that bad," Lance Spitzner,
coordinator with the security group Honeynet Project, said in an
interview last week. "It could be much, much worse."

Spitzner hopes that the worm will make system administrators and
everyday users who have systems on the Internet take another look at
their security.

"If you patched it, Red Hat can be as secure as anyone else," he said.
"But you have to patch."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".