Linux worm uses its noodle
Kevin Poulsen, SecurityFocus 2001-01-17

'Ramen' targets known security holes in Red Hat 6.2 and 7.0.

An Internet worm cobbled together from pre-existing scripts is spreading rapidly through Red Hat Linux systems, leaving in its wake a trail of defaced web pages touting the virtues of oriental noodles. The so-called 'Ramen' worm is a bulky, but effective, collection of hacking tools rolled up into a package. A modified scanning program searches broad swaths of the Internet for Red Hat Linux versions 6.2 and 7.0 installations. The scanner then launches attacks against those machines with publicly available exploits of three known vulnerabilities and spreads into each crackable box. On Red Hat 6.2 systems, the worm exploits vulnerabilities in wu-ftpd and rpc.statd. On version 7.0, it attacks LPRng. Detailed information on fixing all three holes can be found in SecurityFocus's vulnerability database (see insert).

	VULNERABILITIES Wu-Ftpd Remote Format String Stack Overwrite Vulnerability Multiple Linux Vendor rpc.statd Remote Format String Vulnerability Multiple Vendor LPRng User-Supplied Format String Vulnerability INCIDENTS LIST Ramen analysis OPINION GARFINKLE: Prepare for a Linux plague

The worm's strategy is not dissimilar to that employed by the 1988 Morris worm, the most successful self-propelled contagion to date. But unlike the Morris worm, on every system Ramen penetrates it promptly kills the service that allowed it to break in -- thus preventing the kind of multiple infection that caused the Morris worm to grind infected computers into seizure. But while the Morris worm was an academic exercise gone horribly wrong, Ramen serves a decidedly sophomoric end: On every web server it infects, it replaces the main web page with the message "Hackers looooooooooooove noodles," signed by the "RameN Crew."

       

Expand all | Post comment