Vandals mutate Ramen Linux worm

After infecting NASA and Texas A&M University last week, the worm is making its move on Linux servers abroad, as vandals use the program to post digital graffiti

Online vandals may have modified the Ramen Linux worm discovered last week to automatically deface sites with their own Web pages, one expert said Monday.

"Several [vandal] groups are suddenly switching to Red Hat," said Matt Dickerson, also known as "Munge", a staff member at security group Attrition.org. "We think they are modifying the HTML pages in the worm with their own text and graphics."

He added that when groups switch to an operating system they haven't historically used -- and seemingly know nothing about -- that means they are using a new hacking tool to do their dirty work.

As earlier reported, the Ramen worm is a self-spreading program that has been cobbled together from several such tools and focuses on versions 6.2 and 7.0 of Red Hat's Linux operating system. The flaws exploited by the worm, however, affect other Linux distributions and some Unix systems as well.

Depending on the version of the operating system it's infecting, Ramen can use well-known flaws in Washington University's FTP server software, a component of the Remote Procedure Call services or the printing software LPrng. These programs are normally placed on servers during the default installation of Red Hat 6.2 and 7.0.

Patches are available for all the flaws used by the worm.

After the worm finds a vulnerable server, it uses the vulnerability to copy itself to the server, replace the front Web page with its own, and then starts scanning for other insecure servers.

Ramen also eliminates the vulnerable programs from the server, thus protecting itself from other instances of the Ramen worm and other vandals using the same vulnerabilities.

Last week, NASA, a Taiwanese motherboard maker and Texas A&M University all got infected by the worm, according to Attrition.org.

After the worm was discovered early last week, the Computer Emergency Response Team at Carnegie Mellon University released an advisory describing the workings of the program. For the most part, the worm can be removed easily from servers.

Several other organizations reportedly have been infected this week, including UK-based localisation company Babel Media and the under-construction Siamstore.com.

Other recent attacks and defacements on Red Hat servers are thought to be due to a modified version of the worm, even when the trademarked "RameN Crew" Web page is not displayed.

Data from Attrition.org -- the most complete source of hacker data on the Web -- has shown a definite spike in attacks on Red Hat servers in the past couple of weeks.

It's likely that the increase in activity is due to the worm, said Attrition's Dickerson.

And more can be expected.

At last count, there were more than 780,000 public servers on the Web running Red Hat 6.2 and 7.0, according to Web survey firm Netcraft. Since only 17 percent of Linux servers can be identified with the methods used by Netcraft, in practice the actual number of vulnerable servers could easily be in the millions.

With that much growing space, the fear among experts is not that the current worm will spread but that nastier varieties will attempt to use the same flaws to gain access to online servers.

"This worm doesn't do anything all that bad," Lance Spitzner, coordinator with the security group Honeynet Project, said in an interview last week. "It could be much, much worse."

Spitzner hopes that the worm will make system administrators and everyday users who have systems on the Internet take another look at their security.

"If you patched it, Red Hat can be as secure as anyone else," he said. "But you have to patch."

Take me to the Virus Workshop

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read what others have said.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All