Ramen: the first successful attack on Linux?

18 Jan 2001
Virus News

Cambridge, UK, January 19, 2001 - Kaspersky Lab, an international data-security software-development company, reports the discovery of a new Internet-worm that attacks computers with the Red Hat Linux operating system installed.

As was emphasized in the latest virus advisory, regarding the "Davinia" worm and dated January 16th, one of the current trends in malicious code development is that virus writers exploit known security holes in various platforms and applications. The recently detected "Ramen" worm is further confirmation of this trend; this time, however, the victim is the Linux operating system, which is widely considered one of the best-protected platforms available today.

To penetrate computers running Red Hat Linux 6.2 or 7.0, "Ramen" exploits three security holes, in "in.ftpd", "rpc.statd" and "LPRng", which were discovered and closed between June and September 2000. All three are buffer overflows, which allow an attacker to send executable code to a remote system and run it there without the user's permission. The worm's operation is fairly sophisticated: first, the target computer receives data that overflows an internal buffer of the vulnerable service, so that the worm's code obtains root privileges and starts a command shell that executes the worm's instructions. "Ramen" then creates the "/usr/src/.poop" directory, launches the "lynx" web browser and uses it to download the worm's archive, "RAMEN.TGZ", into that directory from a remote computer. After this, "Ramen" unpacks the archive and executes its main file, "START.SH". The worm has no additional payload beyond changing the content of "INDEX.HTML" files found on the system. When the affected HTML pages are opened, they display the following message:

"It is important to emphasize that the breaches exploited by the 'Ramen' worm are also found on other Linux distributors, such as Caldera OpenLinux, Conectiva Linux, Debian Linux, HP-UX, Slackware Linux and others. This particular worm is triggered to activate only on systems running Red Hat Linux. However, it is possible that we shall see other future modifications of 'Ramen' that will successfully operate on other Linux platforms," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "Therefore, we recommend immediately installing patches for these breaches regardless of the Linux distributor you use."
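The infection chain described above leaves a handful of traces on disk that an administrator can check for. The script below is an added example written for this write-up; it is not Kaspersky Lab code and not part of the advisory. It walks a filesystem root (a live system, a mounted image, or the constructed sample tree it builds itself) looking only for the indicators the text names: the "/usr/src/.poop" directory, the "RAMEN.TGZ" and "START.SH" files, and index.html pages whose modification time is at or after that directory's, since the advisory places the defacement after the directory is created. The function names, the timestamp heuristic and the sample tree are assumptions made for this example; it does not try to match the defacement text.

```python
"""Host-based triage for the on-disk artifacts this advisory attributes to "Ramen".

Added example, not Kaspersky Lab code. It looks only for indicators named in
the text: the "/usr/src/.poop" working directory, the "RAMEN.TGZ" archive and
"START.SH" script the worm fetches into it, and index.html files rewritten
after that directory appeared. The helper names, the timing heuristic and the
sample tree built by build_sample_tree() are assumptions made for this example.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional

WORM_DIR = os.path.join("usr", "src", ".poop")   # directory named in the advisory
WORM_FILES = {"ramen.tgz", "start.sh"}           # archive and main script, matched case-insensitively


@dataclass
class ScanResult:
    worm_dir: Optional[str] = None                         # path of .poop if it exists
    worm_files: List[str] = field(default_factory=list)    # RAMEN.TGZ / START.SH hits
    index_pages: List[str] = field(default_factory=list)   # index.html files to review

    @property
    def infected(self) -> bool:
        return self.worm_dir is not None or bool(self.worm_files)


def scan_for_ramen_artifacts(root: str = "/") -> ScanResult:
    """Walk `root` and collect the advisory's indicators. Reads only names and
    metadata, so it is safe to run over a mounted disk image."""
    result = ScanResult()
    poop = os.path.join(root, WORM_DIR)
    infection_time = None
    if os.path.isdir(poop):
        result.worm_dir = poop
        # The advisory orders the steps: create .poop, download, run START.SH,
        # then rewrite index.html files. The directory's mtime is therefore the
        # earliest the defacement could have started. Heuristic only: an
        # intruder with root can reset timestamps, so a miss is inconclusive.
        infection_time = os.stat(poop).st_mtime
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower in WORM_FILES:
                result.worm_files.append(full)
            elif lower == "index.html" and infection_time is not None:
                if os.stat(full).st_mtime >= infection_time:
                    result.index_pages.append(full)
    result.worm_files.sort()
    result.index_pages.sort()
    return result


def _touch(path: str, mtime: int) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write("")                  # content is irrelevant; only names and mtimes matter
    os.utime(path, (mtime, mtime))


def build_sample_tree(infected: bool = True) -> str:
    """Construct a throwaway directory layout (constructed data, not a capture)
    so the scan can be exercised offline. Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="ramen-demo-")
    web = os.path.join(root, "var", "www", "html")
    t0 = 1_000_000_000                                              # arbitrary "infection" time
    _touch(os.path.join(web, "archive", "index.html"), t0 - 3600)   # page untouched by the worm
    _touch(os.path.join(web, "index.html"), t0 + 60)                # page rewritten after infection
    if infected:
        poop = os.path.join(root, WORM_DIR)
        _touch(os.path.join(poop, "RAMEN.TGZ"), t0)
        _touch(os.path.join(poop, "START.SH"), t0)
        os.utime(poop, (t0, t0))      # set last: creating the files above bumped the dir mtime
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    res = scan_for_ramen_artifacts(target)
    print("infected:", res.infected)
    for path in res.worm_files + res.index_pages:
        print("  ", path)
```

Run it as root with no argument to scan from "/", or pass the mount point of an image taken from a suspect host. Because the worm ran with root privileges, any hit should be treated as a full compromise of the machine rather than just a defaced web page, and the absence of a hit does not clear a host whose timestamps may have been altered.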

More details about the "Ramen" Internet-worm can be found in Kaspersky's Virus Encyclopedia (www.viruslist.com).

Although Kaspersky Lab has so far received no reports of this worm being found in the wild, we recommend that users download the daily update of the Kaspersky Anti-Virus (AVP) database, which contains protection against the "Ramen" worm.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store.