Ramen worm

from Wikipedia, the free encyclopedia

The Ramen worm (also incorrectly called the Ramen virus) was a computer worm that circulated in January 2001. It infected only versions 6.2 and 7.0 of Red Hat Linux.

Attack method

The worm looked for vulnerable versions of the rpc.statd and wu-ftpd services on Red Hat 6.2 systems. On version 7.0 it looked for vulnerable versions of the LPRng print service. All three services had the same format string vulnerability.

Dissemination strategy

A rudimentary HTTP server was started on infected systems and bound to port 27374. The worm then randomly generated class B IP addresses and tried to establish a connection on port 21 (FTP). Using an adapted version of the syscan software, it used the FTP banner to check whether the target system was running Red Hat Linux version 6.2 or 7.0. If so, the worm tried to infect the target system.

The vulnerabilities exploited were known problems that had already been corrected in updated versions of the corresponding packages. Systems with all security updates installed were therefore not vulnerable to the worm.

Payload

As soon as a computer was infected, the security hole through which the worm had entered was closed. A rootkit was then installed automatically to hide the worm's activities. The system's identity was then sent to an email address embedded in the worm's source code. The Ramen worm replaced all HTML files named "index.html" with a modified version titled "RameN Crew", which had the following content:

    RameN Crew
    Hackers looooooooooooooooove noodles.

    This site powered by

The page also embedded a picture of a pack of ramen noodles from the address www.nissinfoods.com/tr_oriental.jpg. (The image is no longer available at that address, but a copy can still be viewed in the Wayback Machine.)

Removal

The malware can be removed from infected systems with the following steps:

  • Disable the potentially vulnerable services
  • Delete the files /usr/src/.poop and /sbin/asp
  • Remove all references to /etc/src/.poop and /sbin/asp from /etc/rc.d/rc.sysinit and /etc/inetd.conf
  • Apply patches for the affected services
  • Reboot the system
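The host artifacts named in this article (the worm files, their references in rc.sysinit and inetd.conf, the defaced index.html and the HTTP listener on port 27374) can be checked together before cleanup. The following script is an added example, not code from the article or from the worm itself; the function names and the sample host state it runs on are constructed for illustration.

```python
"""Check a host for the Ramen worm artifacts described in the article."""
import re

# Indicators taken from the article: worm files, defacement marker, HTTP port.
WORM_FILES = ("/usr/src/.poop", "/sbin/asp")
WORM_HTTP_PORT = 27374
DEFACEMENT_MARKER = "RameN Crew"
STARTUP_CONFIGS = ("/etc/rc.d/rc.sysinit", "/etc/inetd.conf")
REF_PATTERN = re.compile("|".join(re.escape(p) for p in WORM_FILES))


def scan_config(path, text):
    """Return (path, line_no, line) for each non-comment line referencing a worm file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments cannot start anything
        if REF_PATTERN.search(stripped):
            hits.append((path, n, stripped))
    return hits


def scan_host(files, listening_ports, present_paths):
    """files: path -> contents of config/html files; listening_ports: set of TCP
    ports in LISTEN state; present_paths: set of existing filesystem paths.
    Returns a list of finding strings (empty list means no indicator matched)."""
    findings = []
    for p in WORM_FILES:
        if p in present_paths:
            findings.append(f"worm file present: {p}")
    for path, text in files.items():
        if path.endswith("index.html") and DEFACEMENT_MARKER in text:
            findings.append(f"defaced page: {path}")
        elif path in STARTUP_CONFIGS:
            for _, n, line in scan_config(path, text):
                findings.append(f"startup reference in {path}:{n}: {line}")
    if WORM_HTTP_PORT in listening_ports:
        findings.append(f"listener on tcp/{WORM_HTTP_PORT}")
    return findings


# Constructed sample host state (not a real capture) resembling an infected box.
SAMPLE_FILES = {
    "/etc/rc.d/rc.sysinit": "#!/bin/sh\n# system init\n/sbin/asp &\n",
    "/etc/inetd.conf": "asp stream tcp nowait root /sbin/asp\n",
    "/var/www/html/index.html": "<html><body>RameN Crew<br>Hackers looooove noodles.</body></html>",
}
SAMPLE_PORTS = {21, 27374}
SAMPLE_PATHS = {"/sbin/asp", "/usr/src/.poop", "/usr/sbin/tcpd"}

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_FILES, SAMPLE_PORTS, SAMPLE_PATHS):
        print(finding)
```

On a live system the three inputs would come from the filesystem, the inetd/startup configs and the socket table; a match on any of them is a reason to run the removal steps above rather than trust the host.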
