Want CNET to notify you of price drops and the latest stories?

Internet worm squirms into Linux servers

An Internet worm built from available hacking tools could swamp infected portions of the Net with high-bandwidth searches for vulnerable servers.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read
An Internet worm cobbled together from generally available hacking tools could swamp infected portions of the Net with its high-bandwidth searches for vulnerable servers, researchers said Wednesday.

Known as the Ramen worm, the self-spreading program appears to have been created by common Internet vandals--called script kiddies--and limits itself to infecting Red Hat servers that haven't been secured properly.

"The worm itself seems dangerous due to bandwidth consumption and due to the (unproven) possibility of remotely accessing the compromised box by the worm author," said Mihai Moldovanu, a Romanian network administrator for Radio ProFM Bucharest, who reverse-engineered much of the worm Tuesday.

"Once the worm starts scanning, it will consume a large amount of your Internet bandwidth," said the programmer. "The scanning is very fast."

According to Moldovanu, the worm scanned two B-class networks--about 130,000 Internet addresses--in less than 15 minutes. As of Wednesday afternoon, the worm continued to spread.

Lax security to blame
The worm exploits several well-known flaws on Linux servers based on the default installation of versions 6.2 and 7.0 of Red Hat's distribution of Linux.

"It's a lack of awareness," said Lance Spitzner, coordinator for the Honeynet Project, a group of well-known security experts who study how hackers attack servers. "Not enough people are taking measures to secure the default installations.

"Most default installations are insecure," he stressed.

Spitzner, Moldovanu and other security experts on SecurityFocus.com's Incidents mailing list detected the worm earlier this week when they noticed an increase in scans for two common flaws that plague the default installations of most Linux servers.

The worm spreads by scanning the Internet for servers based on Red Hat 6.2 or 7.0--identifying the servers by their release dates--and then attempts to gain access using several methods.

Different attacks for different Hats
When trying to infect Red Hat 6.2 systems, the worm will use the RPC.statd and wu-FTP flaws, according to an analysis completed by Daniel Martin, a Debian Linux developer. RPC.statd is one of several services that a Linux server can run to offer remote access using a common suite of programs known as remote procedure calls. Washington University's version of the common file server, known as wu-FTP, has a flaw that also allows access.

Both flaws appear in other distributions of Linux, including SuSE, Mandrake and Caldera. But because the worm limits itself to Red Hat servers, those distributions are not affected. Patches for both flaws have been readily available for more than six months.

Red Hat's distribution of Linux accounts for almost 70 percent of all Linux servers on the Web, according to data from Web survey firm NetCraft.com.

The worm attempts to compromise Red Hat 7.0 systems by swamping the error logging function of the server's printer service with data. Known as a buffer overflow, or overrun, such exploits are commonly used in scripts designed by system crackers.

When the Ramen worm gains access, it installs a so-called root kit that patches the security holes and installs special programs that replace common system functions and replace the main page on Web servers with an HTML file claiming: "RameN Crew -- Hackers looooooooooooove noodles."

Finally, the new worm sends an e-mail message to two Web-based accounts, boots up and starts scanning the Internet again. Both Web accounts--one at Hotmail and one at Yahoo--seem to have been frozen.

"The worm is dangerous in that it is an automated tool that exploits widely known vulnerabilities," said Honeynet's Spitzner. "Since it is automated, it can quickly scan for and exploit vulnerable systems at an exponential rate (that makes) the most dangerous element of this worm bandwidth consumption."

Spitzner also said the worm could have been far more dangerous. "It leaves very easy-to-identify signatures on the compromised system, making it very simple to find. It appears to do little damage to the system itself, only replacing a Web page and creating a small Web instance for self-replication."

Flashback: 1988
Because of Ramen's ability to spread without any human intervention and because it targets servers based on Linux--a cousin of Unix--the Ramen worm resembles the Morris worm that used several common flaws to spread in November 1988 through what was then called the ARPAnet.

The Morris worm, named after its creator, Cornell University graduate student Robert T. Morris, attempted to access Unix servers in three ways: by masquerading as another user and decrypting passwords; by exploiting a flaw in finger--a service used to locate remote users; and by using a flaw in Sendmail, a common mail server program.

The Morris worm's attempts to spread overloaded the Internet with e-mail and scanning data as the program spread throughout the Net.

The Computer Emergency Response Team at Carnegie-Mellon--created in the aftermath of the Morris worm--is studying the Ramen worm, spokesman Bill Pollock said Wednesday. CERT expects to release more information on Ramen later in the day.

By Wednesday afternoon, a CERT representative said the organization had received "less than five reports" of systems compromised by the worm.

Ironically, the Ramen worm could make the Internet more secure, said Honeynet's Spitzner.

"It even secures the systems by eliminating the same vulnerabilities it used to exploit the system," he said. "I have seen far more destructive acts than this by the blackhat community."