__________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                                 The Ramen Worm

February 2, 2001 21:00 GMT                                       Number L-040
_____________________________________________________________________________
PROBLEM:       A Linux worm named 'Ramen' has been detected in the wild. CIAC 
               has had reports of compromised systems and numerous scans. 
PLATFORM:      Redhat Linux 6.2 and 7.0 
DAMAGE:        Ramen automatically attacks all vulnerable systems it can 
               find. Intruders can gain root access to vulnerable systems. 
SOLUTION:      This worm exploits known vulnerabilities in wu-ftpd, LPRng, 
               and rpc.statd. These services should be patched immediately. 
               Patches are available from Red Hat. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH - The worm is in the wild and is being 
ASSESSMENT:    actively used to exploit vulnerable systems. 
______________________________________________________________________________

CIAC, CERT, and others are receiving reports of systems compromised by the 
Ramen Worm. The worm is in the wild and performs fully automated breakins to 
vulnerable systems. As it is fully automated, it continues to attack systems 
until all running copies are found and stopped. Rebooting systems does not 
stop the worm as it installs code to automatically restart itself after a 
reboot. 

The binaries contained in the worm are specific to Red Hat Linux 6.2 and 7.0. 
However, someone with access to the source code for the binaries could 
recompile them under other versions of UNIX to attack other platforms. As far 
as we know, the source code for the binaries is not yet in the wild. 

The worm operates by exploiting known vulnerabilities in wu-ftp, LPRng, and 
rpc.statd. Patches for these vulnerabilities have been available for many 
months. Information about the worm and links to patches for these services 
are available from RedHat at: 

    http://www.redhat.com/support/alerts/ramen_worm.html

See also CIAC bulletins: 

    K-054: Vulnerability in Linux wu-ftpd 
    June 26, 2000 
    http://www.ciac.org/ciac/bulletins/k-054.shtml 

    K-069: Input Validation Problem in rpc.statd 
    August 21, 2000 
    http://www.ciac.org/ciac/bulletins/k-069.shtml 

    L-025: LPRng Format String Vulnerability 
    December 13, 2000
    http://www.ciac.org/ciac/bulletins/l-025.shtml 

And the CERT Incident Note: 

    CERT® Incident Note IN-2001-01 
    Widespread Compromises via "ramen" Toolkit 
    January 18, 2001
    http://www.cert.org/incident_notes/IN-2001-01.html 

OPERATION 
=========

The Ramen worm is a completely automated worm that attacks random systems 
using exploits of three known vulnerabilities: 
    wu-ftp
    LPRng
    rpc.statd 

The worm is distributed as an archive named ramen.tgz, which contains a 
mixture of executable binaries and shell scripts. The binaries perform the 
scanning and attacks while the scripts provide the automation. There is no 
built-in mechanism for stopping the attacks after they have been started. 

When a machine is compromised by any of these vulnerabilities, the attacking 
program creates the directory /usr/src/.poop. The program then uses lynx to 
connect back to the attacking machine via the asp port (27374) and get a 
copy of ramen.tgz, which it places in the /usr/src/.poop directory. The 
ramen.tgz file is unzipped, untarred, and the script start.sh is run. 

The start.sh script first looks for and replaces any default web pages it 
finds on the system with the ramen web page. That page is named "Ramen Crew" 
and contains the text: 

    RameN Crew 
    Hackers looooooooooooooooove noodles. 
    This site powered by 
    and the image: http://www.nissinfoods.com/tr_oriental.jpg 

Note that this image is no longer available on the indicated server. 

Start.sh removes hosts.deny and determines the IP address and network 
interface of the compromised system. It then tests to see if the system is 
Linux 6.2 or 7.0 and then renames the appropriate tools for the architecture 
it finds. Start.sh next replaces the rc.sysinit file with a batch file that 
starts up ramen again in case the system is rebooted. You must remove or 
replace this file before rebooting to make the ramen scanner stop.

LINUX 6.2 
=========

In Linux 6.2 start.sh replaces the file /sbin/asp with a Trojaned copy of asp 
that pushes out a copy of ramen.tgz to whomever connects to it. It then 
writes the following entry to the end of the inetd.conf file and restarts 
inetd to open the asp port (27374) to the /sbin/asp program. 

    asp stream tcp nowait root /sbin/asp 

LINUX 7 
=======

In Linux 7, start.sh replaces /usr/sbin/asp with the Trojaned copy of asp and 
then replaces /etc/xinetd.d with the following text to open the asp port 
(27374): 

	# default: on
	# description: asp server
	#       
	service asp
	{
	        disable                 = no
	        socket_type             = stream
	        wait                    = no
	        user                    = root
	        server                  = /usr/sbin/asp
	}

Finally, it proceeds to patch the hole that let it in by deleting 
/sbin/rpc.statd and /usr/sbin/rpc.rstatd in Linux 6.2 and /usr/sbin/lpd in 
LINUX 7. In both cases it adds the ftp and anonymous users to the 
/etc/ftpusers file to close the ftp hole.

At this point, start.sh has finished compromising the system and starts an 
attack script to compromise other systems. The attack script first randomly 
picks a class B network and starts a scanner named synscan to locate 
potentially vulnerable systems. When a potential victim is found, its address 
is placed in a hidden file named .l or .w. Whenever the address of a new 
victim is placed in one of these files, the attack program gets the address 
and attacks it. The .l file contains systems to attack with the LPRng attack 
and the .w file contains systems to attack with the wu-ftp and rpc.statd 
attacks. Whenever one of these three attacks is successful, the process 
starts again on the compromised system. 

DETECTING COMPROMISES 
=====================

Compromised systems are easily detected by the open asp port (27374). Any 
system with this port open or any traffic to or from this port should be 
considered suspect. Connecting to this port with a web browser should give 
you back the ramen.tgz archive. The only clear text in the archive is 
"ramen.tar" near the beginning. Note that the open port number and the name 
of the archive could easily be changed in variants of this worm. Compromised 
systems should also have the directory /usr/src/.poop containing the contents 
of the ramen archive. Default web pages showing the RameN Crew web page are 
also compromised. 
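The following shell function is an added host-side check for the indicators listed in this section and in OPERATION above; it is not CIAC's or Red Hat's code. It assumes an optional ROOT prefix (default "/") so it can be run against a mounted copy of a suspect disk, and it assumes the Red Hat 6.2 and 7.0 default web roots (/home/httpd and /var/www) when looking for the replaced index page.

```shell
#!/bin/sh
# Added host check for the Ramen indicators this bulletin lists; it is
# not CIAC's or Red Hat's code. ROOT is an assumed prefix (default "/")
# so the check can run against a mounted copy of a suspect disk.
# The web roots searched are the Red Hat 6.2/7.0 defaults (assumption).

# ramen_indicators [ROOT]  -> prints each indicator found, returns the count
ramen_indicators() {
    root="${1:-/}"; n=0
    # Directory and archive the worm drops, and the trojaned asp binary
    for p in /usr/src/.poop /tmp/ramen.tgz /sbin/asp /usr/sbin/asp; do
        if [ -e "$root$p" ]; then echo "found: $p"; n=$((n + 1)); fi
    done
    # Red Hat 6.2: inetd line that serves the archive on the asp port
    if grep -qs '^asp[[:space:]].*/sbin/asp' "$root/etc/inetd.conf"; then
        echo "found: asp entry in /etc/inetd.conf"; n=$((n + 1))
    fi
    # Red Hat 7.0: xinetd service definition running /usr/sbin/asp as root
    if grep -rqs 'server[[:space:]]*=[[:space:]]*/usr/sbin/asp' "$root/etc/xinetd.d"; then
        echo "found: asp service in /etc/xinetd.d"; n=$((n + 1))
    fi
    # start.sh appends ftp and anonymous to ftpusers (weak on its own,
    # since an administrator may have added them deliberately)
    if grep -qsE '^(ftp|anonymous)$' "$root/etc/ftpusers"; then
        echo "found: ftp/anonymous in /etc/ftpusers"; n=$((n + 1))
    fi
    # Default web page replaced by the "RameN Crew" page
    if grep -rls 'RameN Crew' "$root/home/httpd" "$root/var/www" 2>/dev/null | grep -q .; then
        echo "found: RameN Crew page under a web root"; n=$((n + 1))
    fi
    # Live host only: anything listening on the asp port (27374)
    if [ "$root" = "/" ] && netstat -an 2>/dev/null | grep -q '[:.]27374 .*LISTEN'; then
        echo "found: listener on tcp/27374"; n=$((n + 1))
    fi
    return "$n"
}

# Usage on a live system:  ramen_indicators / ; echo "indicators: $?"
```

As the bulletin notes, a variant may change the port, archive name and paths, so a clean result from this check does not prove the host is uncompromised.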

CLEANING UP 
===========

To remove ramen from a compromised system, do the following: 

LINUX 6.2
---------

  Remove/replace these files: 
    /usr/src/.poop 
    index.html anywhere on the system.
    /etc/rc.d/rc.sysinit
    /sbin/asp
    /sbin/rpc.statd or /usr/sbin/rpc.rstatd
    /tmp/ramen.tgz 

  Remove the following line from the end of /etc/inetd.conf: 

    asp stream tcp nowait root /sbin/asp 

  Remove "ftp" and "anonymous" from /etc/ftpusers 

LINUX 7
-------

  Remove/replace these files: 
    /usr/src/.poop
    index.html anywhere on the system.
    /usr/sbin/asp
    /etc/xinetd.d
    /usr/sbin/lpd
    /tmp/ramen.tgz 

  Remove "ftp" and "anonymous" from /etc/ftpusers 

At this point, you should reboot your system and patch the services that 
allowed the compromise to occur. 
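The following shell function is an added helper that carries out the removable steps of the clean-up above for both releases; it is not CIAC's or Red Hat's code. It assumes an optional ROOT prefix (default "/") so the steps can be rehearsed on a copy of the filesystem first, and it does not recreate the binaries and scripts the worm replaced or deleted (asp, rc.sysinit, rpc.statd, lpd, rc.sysinit): those must be reinstalled from Red Hat packages before the reboot.

```shell
#!/bin/sh
# Added clean-up helper for the steps listed in this bulletin; it is not
# CIAC's or Red Hat's code. ROOT is an assumed prefix (default "/") so the
# steps can be rehearsed on a filesystem copy before touching a live host.

# ramen_cleanup [ROOT]
ramen_cleanup() {
    root="${1:-/}"
    # Dropped worm directory and archive
    rm -rf "$root/usr/src/.poop" "$root/tmp/ramen.tgz"
    # Trojaned asp binary (6.2 location and 7.0 location)
    rm -f "$root/sbin/asp" "$root/usr/sbin/asp"
    # Red Hat 6.2: drop the inetd line that exposes /sbin/asp on port 27374
    f="$root/etc/inetd.conf"
    if [ -f "$f" ]; then
        { grep -v '^asp[[:space:]].*/sbin/asp' "$f" || :; } > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    # Red Hat 7.0: remove the asp service. If /etc/xinetd.d is still a
    # directory, delete only the file(s) that run /usr/sbin/asp; if the worm
    # replaced it with a single file, remove that and restore the package copy.
    d="$root/etc/xinetd.d"
    if [ -d "$d" ]; then
        grep -ls '/usr/sbin/asp' "$d"/* 2>/dev/null | while read -r s; do rm -f "$s"; done
    elif [ -e "$d" ]; then
        rm -f "$d"; echo "reinstall from package: /etc/xinetd.d"
    fi
    # Take ftp and anonymous back out of ftpusers (the worm added them)
    f="$root/etc/ftpusers"
    if [ -f "$f" ]; then
        { grep -vE '^(ftp|anonymous)$' "$f" || :; } > "$f.tmp" && mv "$f.tmp" "$f"
    fi
    # Files the worm replaced or deleted: reinstall from the Red Hat packages,
    # then remove any index.html the worm left and reboot
    for p in /etc/rc.d/rc.sysinit /sbin/rpc.statd /usr/sbin/rpc.rstatd /usr/sbin/lpd; do
        echo "reinstall from package: $p"
    done
    echo "replace RameN Crew index.html files, reboot, then patch wu-ftpd, LPRng and rpc.statd"
}
```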

VARIANTS 
========

We are already hearing of variants to this worm. Changing the attack programs 
would be difficult because the source code for the attack programs is not 
distributed with the worm. Thus, moving the worm to a different platform 
would not be easy. Changing the shell scripts to do other things while the 
worm is running would be relatively simple to do.

____________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-030: Four Vulnerabilities in ISC Bind
L-031: Sun AnswerBook2 Vulnerability
L-032: Class Loading Vulnerability in Sun Java (TM) Runtime Environment
L-033: Sun Java Web Server Vulnerability
L-034: HP Security Vulnerability in man(1) Command
L-035: HP-UX Support Tools Manager Vulnerability
L-036: FreeBSD procfs Vulnerabilities
L-037: FreeBSD periodic Uses Insecure Temporary Files
L-038: FreeBSD inetd ident Server Vulnerability
L-039: FreeBSD sort Uses Insecure Temporary Files