"Several (vandal) groups are suddenly switching to Red Hat," said Matt Dickerson, also known as "Munge," a staff member at security group Attrition.org. "We think they are modifying the HTML pages in the worm with their own text and graphics."
He added that when groups switch to an operating system they haven't historically used--and seemingly know nothing about--that means they are using a new hacking tool to do their dirty work.
As earlier reported, the Ramen worm is a self-spreading program that has been cobbled together from several such tools and focuses on versions 6.2 and 7.0 of Red Hat's Linux operating system. The flaws exploited by the worm, however, affect other Linux distributions and some Unix systems as well.
Depending on the version of the operating system it's infecting, Ramen can use well-known flaws in Washington University's FTP server software, a component of the Remote Procedure Call services or the printing software LPrng. These programs are normally placed on servers during the default installation of Red Hat 6.2 and 7.0.
Patches are available for all the flaws used by the worm.
After the worm finds a vulnerable server, it uses the vulnerability to copy itself to the server, replace the front Web page with its own, and then starts scanning for other insecure servers.
Ramen also eliminates the vulnerable programs from the server, thus protecting itself from other instances of the Ramen worm and other vandals using the same vulnerabilities.
Last week, NASA, a Taiwanese motherboard maker and Texas A&M University all got infected by the worm, according to Attrition.org.
After the worm was discovered early last week, the Computer Emergency Response Team at Carnegie Mellon University released an advisory describing the workings of the program. For the most part, the worm can be removed easily from servers.
Several other organizations reportedly have been infected this week, including U.K.-based localization company Babel Media and the under-construction Siamstore.com.
Other recent attacks and defacements on Red Hat servers are thought to be due to a modified version of the worm, even when the trademarked "RameN Crew" Web page is not displayed.
Data from Attrition.org--the most complete source of hacker data on the Web--has shown a definite spike in attacks on Red Hat servers in the past couple of weeks.
It's likely that the increase in activity is due to the worm, said Attrition's Dickerson.
And more can be expected.
At last count, there were more than 780,000 public servers on the Web running Red Hat 6.2 and 7.0, according to Web survey firm Netcraft. Since only 17 percent of Linux servers can be identified with the methods used by Netcraft, in practice the actual number of vulnerable servers could easily be in the millions.
With that much growing space, the fear among experts is not that the current worm will spread but that nastier varieties will attempt to use the same flaws to gain access to online servers.
"This worm doesn't do anything all that bad," Lance Spitzner, coordinator with the security group Honeynet Project, said in an interview last week. "It could be much, much worse."
Spitzner hopes that the worm will make system administrators and everyday users who have systems on the Internet take another look at their security.
"If you patched it, Red Hat can be as secure as anyone else," he said. "But you have to patch."