Ramen
Ramen
Type Internet worm
Creator
Date Discovered 2001.01.16
Place of Origin
Source Language Shell Script, others
Platform Linux (Red Hat 6.2, 7.0)
File Type(s) tgz, sh, elf
Infection Length
Reported Costs

Ramen is an Internet worm that runs on Linux and targets Red Hat 6.2 and 7.0 systems. Other Linux distributions are not affected. It has a payload that defaces websites, but also patches the exploits that allowed the worm to spread in the first place, making it both malicious and a helper at the same time. It has been compared in some ways to the Morris worm of 1988.

Behavior

Ramen on the infecting machine contacts random IP addresses and checks their FTP banners to check which version of Red Hat Linux they are running. It exploits the rpc.statd and wuftpd services to gain access to a Red Hat 6.2 system and an LPRng vulnerability to gain access to a 7.0 system. When it finds a vulnerable machine, it sends a specially crafted packet that is executed as code.

When it uses the rpc.statd vulnerability, it injects code into the syslog() function. If a carefully constructed string is sent to this function, it will allow the program to run commands with the same priviliges as rpc.statd (usually root). Exploiting the wuftpd vulnerability, it can gain root access by sending the FTP daemon a series of format characters that will trick the daemon into giving it full access to the system. Similar to the rpc.statd vulnerability, the syslog() function allows specially crafted user- (or worm-) supplied arguments to run arbitrary code as root.

Ramenpage.png
Ramen's defaced "index.html"

When Ramen successfully accesses a system, it creates a hidden directory named "/.poop" in /usr/src. It copies itself to this directory as "ramen.tgz" and extracts its files. The files are:
  • asp
  • asp62
  • asp7
  • bd62.sh
  • bd7.sh
  • getip.sh
  • hackl.sh
  • hackw.sh
  • index.html
  • l62
  • l7
  • lh.sh
  • randb62
  • randb7
  • s62
  • s7
  • scan.sh
  • start62.sh
  • start7.sh
  • start.sh
  • synscan62
  • synscan7
  • w62
  • w7
  • wh.sh
  • wu62

Files with the number "62" in their name will be used when running under Red Hat 6.2, while files with 7 are for Red Hat 7.0.

It runs start.sh, which has root privileges. The worm replaces all web pages named "index.html" with its own page. It also deletes the "hosts.deny" file in /etc. Ramen then checks the version of Linux it is running under, and if the version is Red Hat 6.2 or 7.0, it will be able to run its precompiled binary files. The worm adds itself to the "rc.sysinit" file in /etc/rc.d, which will run the worm when the system starts.

In Red Hat 6.2 it replaces the file "asp" in /sbin with a malicious copy that is responsible for sending ramen.tgz to the potential hosts that it finds. It adds the following line to the file "inetd.conf" in /etc:

asp stream tcp nowait root /sbin/asp

This will open port 27374, which is used by asp. In 7.0, the asp file is located in /usr/sbin. On 7.0 systems, Ramen modifies the file "xinetd.d" in /etc with the following to open port 27374:
  # default: on
  # description: asp server
  #
  service asp
  {
          disable                 = no
          socket_type             = stream
          wait                    = no
          user                    = root
          server                  = /usr/sbin/asp
  }

In 6.2, Ramen removes "rpc.statd" in /sbin and "rpc.rstatd" in /usr/sbin. In 7.0, it replaces "lpd" in /usr/sbin with an empty file. On both versions, it disables anonymous access to the FTP server by adding "ftp" and "anonymous" users to the "ftpusers" file in /etc. After performing these actions, another Ramen worm will be unable to infect the system, and it will make it impossible for crackers to gain access to the system using the vulnerabilities the worm used.

The worm then starts three processes that spread the worm to other systems. It scans for vulnerable hosts on class B subnets, using a tool calles syscan to contact random hosts. It creates two hidden files named .l and .w. The .l file contains the names of systems to attack using the LPRng vulnerability, while .w contains systems to attack using the wu-ftp and rpc.statd vulnerabilities. If a vulnerable host is found, it sends a copy of itself.

Every time the worm infects a new computer, it sends a notification email to three address:

  • the address of the infected machine
  • gb31337@hotmail.com
  • gb31337@yahoo.com

The subject of these emails is the IP address of the infected machine. The message body contains the text "Eat Your Ramen!".

Effects

A Cert Representative said that he had received less than five reports of the worm by the next Wednesday of the attack. Some websites hit later include some run by NASA, Texas A&M University and Taiwanese computer hardware manufacturer Supermicro.

Name

Ramen gets its name obviously from the website-defacing payload. It is signed by the "RameN Crew", a group or person that has yet to be identified or to create another self-replicating program.

Antivirus Aliases

  • Avast: ELF:Malware
  • Avira: Linux/Ramen.11.F virus
  • BitDefender: Worm.Linux.Ramen
  • ClamAV: Worm.Linux.Ramen
  • Doctor Web: Linux.Ramen
  • Eset: Ramen
  • F-Prot: Unix/Hijak.A (exact)
  • F-Secure: Ramen
  • Grisoft: Linux/Ramen.F
  • Kaspersky: Net-Worm.Linux.Ramen, Worm.Linux.Ramen
  • McAfee: Linux/Ramen.worm
  • Panda: Lion
  • Ravantivirus: Worm:Linux/Ramen
  • Sophos: Linux/Ramen-A
  • Symantec: Linux.Ramen.Worm
  • Trend Micro: ELF_RAMEN.10

Other Facts

Ramen contains routines intended to attack SuSE Linux and FreeBSD machines. For reasons not yet entirely certain, these routines are never used. At the time, Red Hat accounted for around 70% of all Linux servers on the net. Also at this time, there were around 50 malicious programs for Linux, and Ramen is one of the first worms. Adm predates it by two years.

Sources

Katrin Tocheva, Sami Rautiainen. F-Secure Antivirus, F-Secure Virus Descriptions : Ramen 2001.01-02

Kaspersky Labs. SecureList.com, Net-Worm.Linux.Ramen. 2001.01.22

US Department of Energy. CIAC, L-040: The Ramen Worm. 2001.02.02

Patrick Martin, Eric Chien. Symantec Security Response, "Linux.Ramen.Worm"

John Leyden. The Register, Linux worm nobbles Nasa Web site. 2001.01.25

Robert Lemos. ZDNet News, "Net worm hobbles Linux servers". 2001.01.16

CERT, Vulnerability Note VU#34043

CERT, CERT® Advisory CA-2000-13 Two Input Validation Problems In FTPD. 2000.07.07-11.21

CERT, Vulnerability Note VU#382365

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License