February 2, 2001 21:00 GMT
PROBLEM: A Linux worm named 'Ramen' has been detected in the wild. CIAC has had reports of compromised systems and numerous scans.
PLATFORM: Red Hat Linux 6.2 and 7.0
DAMAGE: Ramen automatically attacks all vulnerable systems it can find. Intruders can gain root access to vulnerable systems.
SOLUTION: This worm exploits known vulnerabilities in wu-ftpd, LPRng, and rpc.statd. These services should be patched immediately. Patches are available from Red Hat.
VULNERABILITY ASSESSMENT: The risk is HIGH - The worm is in the wild and is being actively used to exploit vulnerable systems.
CIAC, CERT, and others are receiving reports of systems compromised by the Ramen worm. The worm is in the wild and performs fully automated break-ins to vulnerable systems. Because it is fully automated, it continues to attack systems until all running copies are found and stopped. Rebooting a system does not stop the worm, since it installs code that automatically restarts it after a reboot.
The binaries contained in the worm are specific to Linux 6.2 and 7.0. However, someone with access to the source code for the binaries could recompile them under other versions of UNIX to attack other platforms. As far as we know, the source code for the binaries is not yet in the wild.
The worm operates by exploiting known vulnerabilities in wu-ftpd, LPRng, and rpc.statd. Patches for these vulnerabilities have been available for many months. Information about the worm and links to patches for these services are available from Red Hat at:
See also CIAC bulletins:
K-054: Vulnerability in Linux wu-ftpd
June 26, 2000
http://www.ciac.org/ciac/bulletins/k-054.shtml
K-069: Input Validation Problem in rpc.statd
August 21, 2000
http://www.ciac.org/ciac/bulletins/k-069.shtml
L-025: LPRng Format String Vulnerability
December 13, 2000
http://www.ciac.org/ciac/bulletins/l-025.shtml
And the CERT Incident Note:
CERT® Incident Note IN-2001-01
Widespread Compromises via "ramen" Toolkit
January 18, 2001
http://www.cert.org/incident_notes/IN-2001-01.html
The Ramen worm is a completely automated worm that attacks random systems using exploits of three known vulnerabilities (in wu-ftpd, LPRng, and rpc.statd).
The worm is distributed as an archive named ramen.tgz, which contains a mixture of executable binaries and shell scripts. The binaries perform the scanning and attacks while the scripts provide the automation. There is no built-in mechanism for stopping the attacks after they have been started.
When a machine is compromised by any of these vulnerabilities, the attacking program creates the directory /usr/src/.poop. The program then uses lynx to connect back to the attacking machine via the asp port (27374) and get a copy of ramen.tgz, which it places in the /usr/src/.poop directory. The ramen.tgz file is unzipped and untarred, and the script start.sh is run.
The start.sh script first looks for and replaces any default web pages it finds on the system with the ramen web page. That page is titled "RameN Crew" and contains the text:
RameN Crew
Hackers looooooooooooooooove noodles.
This site powered by
and the image:
http://www.nissinfoods.com/tr_oriental.jpg
Note that this image is no longer available on the indicated server.
Start.sh removes hosts.deny and determines the IP address and network interface of the compromised system. It then tests to see if the system is Linux 6.2 or 7.0 and renames the appropriate tools for the architecture it finds. Start.sh next replaces the rc.sysinit file with a batch file that starts up ramen again in case the system is rebooted. You must remove or replace this file before rebooting to make the ramen scanner stop.
In Linux 6.2, start.sh replaces the file /sbin/asp with a Trojaned copy of asp that pushes out a copy of ramen.tgz to whomever connects to it. It then writes the following entry to the end of the inetd.conf file and restarts inetd to open the asp port (27374) to the /sbin/asp program:

    asp stream tcp nowait root /sbin/asp
In Linux 7, start.sh replaces /usr/sbin/asp with the Trojaned copy of asp and then replaces /etc/xinetd.d with the following text to open the asp port (27374):

    # default: on
    # description: asp server
    #
    service asp
    {
        disable     = no
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/asp
    }
Finally, it proceeds to patch the hole that let it in by deleting /sbin/rpc.statd and /usr/sbin/rpc.rstatd in Linux 6.2, and /usr/sbin/lpd in Linux 7. In both cases it adds the ftp and anonymous users to the /etc/ftpusers file to close the ftp hole.
At this point, start.sh has finished compromising the system and starts an attack script to compromise other systems. The attack script first randomly picks a class B network and starts a scanner named synscan to locate potentially vulnerable systems. When a potential victim is found, its address is placed in a hidden file named .l or .w. Whenever the address of a new victim is placed in one of these files, the attack program gets the address and attacks it. The .l file contains systems to attack with the LPRng attack and the .w file contains systems to attack with the wu-ftp and rpc.statd attacks. Whenever one of these three attacks is successful, the process starts again on the compromised system.
Compromised systems are easily detected by the open asp port (27374). Any system with
this port open or any traffic to or from this port should be considered suspect.
Connecting to this port with a web browser should give you back the ramen.tgz
archive. The only clear text in the archive is "ramen.tar" near the beginning.
Note that the open port number and the name of the archive could easily be changed in
variants of this worm. Compromised systems should also have the directory /usr/src/.poop
containing the contents of the ramen archive. Default web pages showing the RameN Crew web
page are also compromised.
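The indicators in the preceding paragraphs (the /usr/src/.poop directory, the asp entry in inetd.conf or xinetd.d, the Trojaned asp binary, the rc.sysinit restart hook, the defaced index.html pages and traffic on port 27374) can be checked mechanically. The script below is an added example, not part of the CIAC bulletin or the worm, and is written from the incident-responder's side: ramen_host_check walks a filesystem tree (pass "/" for a live host, or the mount point of a disk image) and prints one line per indicator found, and ramen_log_hits counts firewall log lines that touch port 27374. The log format (netfilter-style "SPT=/DPT=" fields), the fixture tree and the sample log lines are all constructed for the example; adapt the log regex to your own firewall's format.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin): host and log checks for the
# Ramen indicators the bulletin describes. The fixture and sample log below
# are constructed test data, not captures from a real incident.

# Print one line per indicator found under ROOT; return 1 if any matched.
ramen_host_check() {
    root=${1:-/}
    hits=0

    # Dropper working directory and staged archive.
    [ -d "$root/usr/src/.poop" ] && { echo "HIT: $root/usr/src/.poop exists"; hits=$((hits+1)); }
    [ -f "$root/tmp/ramen.tgz" ]  && { echo "HIT: $root/tmp/ramen.tgz present"; hits=$((hits+1)); }

    # Trojaned asp listener: inetd form (Linux 6.2) or xinetd form (Linux 7.0).
    if [ -f "$root/etc/inetd.conf" ] &&
       grep -q '^asp[[:space:]].*/sbin/asp' "$root/etc/inetd.conf"; then
        echo "HIT: asp entry in $root/etc/inetd.conf"; hits=$((hits+1))
    fi
    if [ -e "$root/etc/xinetd.d" ] &&
       grep -rqs 'server[[:space:]]*=[[:space:]]*/usr/sbin/asp' "$root/etc/xinetd.d"; then
        echo "HIT: asp service in $root/etc/xinetd.d"; hits=$((hits+1))
    fi
    for f in "$root/sbin/asp" "$root/usr/sbin/asp"; do
        [ -f "$f" ] && { echo "HIT: asp binary at $f"; hits=$((hits+1)); }
    done

    # Restart hook the worm writes into rc.sysinit.
    if [ -f "$root/etc/rc.d/rc.sysinit" ] &&
       grep -q -e ramen -e '\.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "HIT: ramen restart hook in $root/etc/rc.d/rc.sysinit"; hits=$((hits+1))
    fi

    # Default web pages replaced with the "RameN Crew" page.
    pages=$(find "$root" -type f -name index.html -exec grep -l 'RameN Crew' {} \; 2>/dev/null)
    if [ -n "$pages" ]; then
        echo "$pages" | sed 's/^/HIT: defaced page /'; hits=$((hits+1))
    fi

    # ftp/anonymous in ftpusers is also legitimate hardening, so report it only
    # as corroboration and do not count it as a hit.
    if [ -f "$root/etc/ftpusers" ] && grep -qx 'anonymous' "$root/etc/ftpusers"; then
        echo "NOTE: anonymous listed in $root/etc/ftpusers (worm adds this; weak indicator)"
    fi

    [ "$hits" -eq 0 ]
}

# Count netfilter-style log lines (assumed "SPT=nnn DPT=nnn" fields) whose
# source or destination TCP port is the worm's asp port, 27374. The trailing
# "( |$)" keeps ports such as 273745 from matching.
ramen_log_hits() {
    awk '/(SPT|DPT)=27374( |$)/ { n++ } END { print n+0 }' "$1"
}

# Build a constructed fake root tree carrying the Linux 6.2-style indicators,
# so the checker can be exercised offline. DIR must be an empty scratch dir.
ramen_build_fixture() {
    dir=$1
    mkdir -p "$dir/usr/src/.poop" "$dir/etc/rc.d" "$dir/sbin" "$dir/var/www/html" "$dir/tmp"
    printf 'asp stream tcp nowait root /sbin/asp\n' >> "$dir/etc/inetd.conf"
    printf '# constructed fixture\n/usr/src/.poop/start.sh\n' > "$dir/etc/rc.d/rc.sysinit"
    printf '<html>RameN Crew</html>\n' > "$dir/var/www/html/index.html"
    printf 'ftp\nanonymous\n' > "$dir/etc/ftpusers"
    : > "$dir/sbin/asp"
    : > "$dir/tmp/ramen.tgz"
}

# Constructed firewall log: two lines touch port 27374, the last one does not.
RAMEN_SAMPLE_LOG='Feb  2 20:41:03 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=1034 DPT=27374 SYN
Feb  2 20:41:04 gw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=27374 DPT=1034 ACK
Feb  2 20:41:05 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=1035 DPT=80 SYN
Feb  2 20:41:06 gw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=1036 DPT=273745 SYN'

# Stand-alone demo against the constructed fixture and sample log.
demo_dir=$(mktemp -d)
ramen_build_fixture "$demo_dir"
ramen_host_check "$demo_dir" || echo "result: $demo_dir looks compromised"
printf '%s\n' "$RAMEN_SAMPLE_LOG" > "$demo_dir/fw.log"
echo "log lines touching port 27374: $(ramen_log_hits "$demo_dir/fw.log")"
rm -rf "$demo_dir"
```

On a live host run `ramen_host_check /` as root; a non-zero exit status means at least one hard indicator was found. The port check only sees what the firewall logged, so pair it with a look at listening sockets (the bulletin's advice that any system with 27374 open is suspect) and remember, as the bulletin notes, that variants may move the port or rename the archive.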
To remove ramen from a compromised system, do the following:

Linux 6.2:
  Remove/replace these files:
    /usr/src/.poop
    index.html (anywhere on the system)
    /etc/rc.d/rc.sysinit
    /sbin/asp
    /sbin/rpc.statd
    /usr/sbin/rpc.rstatd
    /tmp/ramen.tgz
  Remove the following line from the end of /etc/inetd.conf:
    asp stream tcp nowait root /sbin/asp
  Remove "ftp" and "anonymous" from /etc/ftpusers

Linux 7.0:
  Remove/replace these files:
    /usr/src/.poop
    index.html (anywhere on the system)
    /usr/sbin/asp
    /etc/xinetd.d
    /usr/sbin/lpd
    /tmp/ramen.tgz
  Remove "ftp" and "anonymous" from /etc/ftpusers
At this point, you should reboot your system and patch the services that allowed the compromise to occur.
We are already hearing of variants to this worm. Changing the attack programs would be difficult because the source code for the attack programs is not distributed with the worm. Thus, moving the worm to a different platform would not be easy. Changing the shell scripts to do other things while the worm is running would be relatively simple to do.
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/ or http://ciac.llnl.gov (same machine -- either one will work)
Anonymous FTP: ftp.ciac.org or ciac.llnl.gov (same machine -- either one will work)