TUCoPS :: Malware :: ciacl040.htm

The Ramen Worm
The Ramen Worm Privacy and Legal Notice


L-040: The Ramen Worm

February 2, 2001 21:00 GMT

PROBLEM: A Linux worm named 'Ramen' has been detected in the wild. CIAC has had reports of compromised systems and numerous scans.
PLATFORM: Redhat Linux 6.2 and 7.0
DAMAGE: Ramen automatically attacks all vulnerable systems it can find. Intruders can gain root access to vulnerable systems.
SOLUTION: This worm exploits known vulnerabilities in wu-ftpd, LPRng, and rpc.statd. These services should be patched immediately. Patches are available from Red Hat.

The risk is HIGH - The worm is in the wild and is being actively used to exploit vulnerable systems.

CIAC, CERT, and others are receiving reports of systems compromised by the Ramen Worm. The worm is in the wild and performs fully automated breakins to vulnerable systems. As it is fully automated, it continues to attack systems until all running copies are found and stopped. Rebooting systems does not stop the worm as it installs code to automatically restart itself after a reboot.

The binaries contained in the worm are specific to Linux 6.2 and 7.0. However, someone with access to the source code for the binaries could recompile them under other versions of UNIX to attack other platforms. As far as we know, the source code for the binaries is not yet in the wild.

The worm operates by exploiting known vulnerabilities in wu-ftp, LPRng, and rpc.statd. Patches for these vulnerabilities have been available for many months. Information about the worm and links to patches for these services are available from RedHat at:


See also CIAC bulletins:

K-054: Vulnerability in Linux wu-ftpd
June 26, 2000

K-069: Input Validation Problem in rpc.statd
August 21, 2000

L-025: LPRng Format String Vulnerability
December 13, 2000

And the CERT Incident Note:

CERTŪ Incident Note IN-2001-01
Widespread Compromises via "ramen" Toolkit
January 18, 2001


The Ramen worm is a completely automated worm that attacks random systems using exploits of three known vulnerabilities:

The worm is distributed as an archive named ramen.tgz, which contains a mixture of executable binaries and shell scripts. The binaries perform the scanning and attacks while the scripts provide the automation. There is no built-in mechanism for stopping the attacks after they have been started.

When a machine is compromised by any of these vulnerabilities, the attacking program creates the directory /usr/src/.poop. The program then uses lynx to connect back to the attacking machine via the asp port (27374) and and get a copy of ramen.tgz which it places in the /usr/src/.poop directory. The ramen.tgz file is unzipped, untared, and the script start.sh is run.

The start.sh script first looks for and replaces any default web pages it finds on the system with the ramen web page. That page is named "Ramen Crew" and contains the text:

RameN Crew
Hackers looooooooooooooooove noodles.

This site powered by
and the image: http://www.nissinfoods.com/tr_oriental.jpg

Note that this image is no longer available on the indicated server.

Start.sh removes hosts.deny and determines the IP address and network interface of the compromised system. It then tests to see if the system is Linux 6.2 or 7.0 and then renames the appropriate tools for the architecture it finds. Start.sh next replaces the rc.sysinit file with a batch file that starts up ramen again in case the system is rebooted. You must remove or replace this file before rebooting to make the ramen scanner stop.


In Linux 6.2 start.sh replaces the file /sbin/asp with a Trojaned copy of asp that pushes out a copy of ramen.tgz to whomever connects to it. It then writes the following entry to the end of the inetd.conf file and restarts inetd to open the asp port (27374) to the /sbin/asp program.

asp stream tcp nowait root /sbin/asp


In Linux 7, start.sh replaces /usr/sbin/asp with the Trojaned copy of asp and then replaces /etc/xinetd.d with the following text to open the asp port (27374):

   # default: on
        # description: asp server
        service asp
                disable                 = no
                socket_type             = stream
                wait                    = no
                user                    = root
                server                  = /usr/sbin/asp

Finally, it proceeds to patch the hole that let it in by deleting /sbin/rpc.statd and /usr/sbin/rpc.rstatd in Linux 6.2 and /usr/sbin/lpd in LINUX 7. In both cases it adds the ftp and anonymous users to the /etc/ftpusers file to close the ftp hole.

At this point, start.sh has finished compromising the system and starts an attack script to compromise other systems. The attack script first randomly picks a class b network and starts a scanner named synscan to locate potentially vulnerable systems. When a potential victum is found, its address is placed in a hidden file named .l or .w. Whenever the address of a new victum is placed in one of these files, the attack program gets the address and attacks it. The .l file contains systems to attack with the LPRng attack and the .w file contains systems to attack with the wu-ftp and rpc.statd attacks. Whenever one of these three attacks is successful, the process starts again on the compromised system.


Compromised systems are easily detected by the open asp port (27374). Any system with this port open or any traffic to or from this port should be considered suspect. Connecting to this port with a web browser should give you back the ramen.tgz archive. The only clear text in the archive is "ramen.tar" near the beginning. Note that the open port number and the name of the archive could easily be changed in variants of this worm. Compromised systems should also have the directory /usr/src/.poop containing the contents of the ramen archive. Default web pages showing the RameN Crew web page are also compromised.


To remove ramen from a compromised system, do the following:


Remove/replace these files:

anywhere on the system.
or /usr/sbin/rpc.rstatd

Remove the following line from the end of /etc/inetd.conf:

asp stream tcp nowait root /sbin/asp

Remove "ftp" and "anonymous" from /etc/ftpusers


Remove/replace these files:

anywhere on the system.

Remove "ftp" and "anonymous" from /etc/ftpusers

At this point, you should reboot your system and patch the services that allowed the compromise to occur.


We are already hearing of variants to this worm. Changing the attack programs would be difficult because the source code for the attack programs is not distributed with the worm. Thus, moving the worm to a different platform would not be easy. Changing the shell scripts to do other things while the worm is running would be relatively simple to do.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH