Net worm hobbles Linux servers

Insecure Linux servers latest target for Net vandals

An Internet worm cobbled together from generally available hacking tools could swamp infected portions of the Net with its high-bandwidth searches for vulnerable servers, researchers said Wednesday.

Known as the Ramen worm, the self-spreading program appears to have been created by common Internet vandals -- called script kiddies -- and limits itself to infecting Red Hat servers that haven't been secured properly.

"The worm itself seems dangerous due to bandwidth consumption and due to the [unproven] possibility of remotely accessing the compromised box by the worm author," said Mihai Moldovanu, a Romanian network administrator for Radio ProFM Bucharest, who reverse-engineered much of the worm Tuesday. "Once the worm starts scanning, it will consume a large amount of your Internet bandwidth," said the programmer. "The scanning is very fast."

According to Moldovanu, the worm scanned two B-class networks -- about 130,000 Internet addresses -- in less than 15 minutes. As of Wednesday afternoon, the worm continued to spread. The worm exploits several well-known flaws on Linux servers based on the default installation of versions 6.2 and 7.0 of Red Hat's distribution of Linux. "It's a lack of awareness," said Lance Spitzner, coordinator for the Honeynet Project, a group of well-known security experts who study how hackers attack servers. "Not enough people are taking measures to secure the default installations. "Most default installations are insecure," he stressed.

Spitzner, Moldovanu and other security experts on's Incidents mailing list detected the worm earlier this week when they noticed an increase in scans for two common flaws that plague the default installations of most Linux servers. The worm spreads by scanning the Internet for servers based on Red Hat 6.2 or 7.0--identifying the servers by their release dates -- and then attempts to gain access using several methods.

When trying to infect Red Hat 6.2 systems, the worm will use the RPC.statd and wu-FTP flaws, according to an analysis completed by Daniel Martin, a Debian Linux developer. RPC.statd is one of several services that a Linux server can run to offer remote access using a common suite of programs known as remote procedure calls. Washington University's version of the common file server, known as wu-FTP, has a flaw that also allows access.

Both flaws appear in other distributions of Linux, including SuSE, Mandrake and Caldera. But because the worm limits itself to Red Hat servers, those distributions are not affected. Patches for both flaws have been readily available for more than six months.

Red Hat's distribution of Linux accounts for almost 70 percent of all Linux servers on the Web, according to data from Web survey firm The worm attempts to compromise Red Hat 7.0 systems by swamping the error logging function of the server's printer service with data. Known as a buffer overflow, or overrun, such exploits are commonly used in scripts designed by system crackers.

When the Ramen worm gains access, it installs a so-called root kit that patches the security holes and installs special programs that replace common system functions and replace the main page on Web servers with an HTML file claiming: "RameN Crew -- Hackers looooooooooooove noodles."

Finally, the new worm sends an e-mail message to two Web-based accounts, boots up and starts scanning the Internet again. Both Web accounts -- one at Hotmail and one at Yahoo -- seem to have been frozen. "The worm is dangerous in that it is an automated tool that exploits widely known vulnerabilities," said Honeynet's Spitzner. "Since it is automated, it can quickly scan for and exploit vulnerable systems at an exponential rate [that makes] the most dangerous element of this worm bandwidth consumption."

Spitzner also said the worm could have been far more dangerous. "It leaves very easy-to-identify signatures on the compromised system, making it very simple to find. It appears to do little damage to the system itself, only replacing a Web page and creating a small Web instance for self-replication."

Because of Ramen's ability to spread without any human intervention and because it targets servers based on Linux -- a cousin of Unix -- the Ramen worm resembles the Morris worm that used several common flaws to spread in November 1988 through what was then called the Arpanet.

The Morris worm, named after its creator, Cornell University graduate student Robert T Morris, attempted to access Unix servers in three ways: by masquerading as another user and decrypting passwords; by exploiting a flaw in finger -- a service used to locate remote users; and by using a flaw in Sendmail, a common mail server program.

The Morris worm's attempts to spread overloaded the Internet with e-mail and scanning data as the program spread throughout the Net. The Computer Emergency Response Team at Carnegie Mellon -- created in the aftermath of the Morris worm -- is studying the Ramen worm, spokesman Bill Pollock said Wednesday.

By Wednesday afternoon, a CERT representative said the organisation had received "less than five reports" of systems compromised by the worm. Ironically, the Ramen worm could make the Internet more secure, said Honeynet's Spitzner. "It even secures the systems by eliminating the same vulnerabilities it used to exploit the system," he said. "I have seen far more destructive acts than this by the black-hat community."

See a screenshot of Ramen.

You'd think that with the growing number of products and services designed to prevent virus attacks, much of the virus flow would have been stanched by the end of 2000. Martin Goslar says that the reality is quite the opposite. No matter the size of your company, your firm's security depends on adequate protection. Go to AnchorDesk UK for the news comment.

Is your PC safe? Find out at the Hackers News Special

Find out how the open-source movement is revolutionising the high-tech world at the Linux Lounge.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet News forum.

Let the editors know what you think in the Mailroom. And read other letters.