__________________________________________________________

             The U.S. Department of Energy
          Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

                       The Ramen Worm

February 2, 2001 21:00 GMT                                    Number L-040
_____________________________________________________________________________
PROBLEM:        A Linux worm named 'Ramen' has been detected in the wild.
                CIAC has had reports of compromised systems and numerous
                scans.
PLATFORM:       Redhat Linux 6.2 and 7.0
DAMAGE:         Ramen automatically attacks all vulnerable systems it can
                find. Intruders can gain root access to vulnerable systems.
SOLUTION:       This worm exploits known vulnerabilities in wu-ftpd, LPRng,
                and rpc.statd. These services should be patched immediately.
                Patches are available from Red Hat.
_____________________________________________________________________________
VULNERABILITY   The risk is HIGH - The worm is in the wild and is being
ASSESSMENT:     actively used to exploit vulnerable systems.
_____________________________________________________________________________

CIAC, CERT, and others are receiving reports of systems compromised by the
Ramen Worm. The worm is in the wild and performs fully automated breakins to
vulnerable systems. As it is fully automated, it continues to attack systems
until all running copies are found and stopped. Rebooting systems does not
stop the worm as it installs code to automatically restart itself after a
reboot.

The binaries contained in the worm are specific to Linux 6.2 and 7.0.
However, someone with access to the source code for the binaries could
recompile them under other versions of UNIX to attack other platforms. As far
as we know, the source code for the binaries is not yet in the wild.

The worm operates by exploiting known vulnerabilities in wu-ftp, LPRng, and
rpc.statd. Patches for these vulnerabilities have been available for many
months.
Information about the worm and links to patches for these services are
available from RedHat at:

    http://www.redhat.com/support/alerts/ramen_worm.html

See also CIAC bulletins:

    K-054: Vulnerability in Linux wu-ftpd
           June 26, 2000
           http://www.ciac.org/ciac/bulletins/k-054.shtml

    K-069: Input Validation Problem in rpc.statd
           August 21, 2000
           http://www.ciac.org/ciac/bulletins/k-069.shtml

    L-025: LPRng Format String Vulnerability
           December 13, 2000
           http://www.ciac.org/ciac/bulletins/l-025.shtml

And the CERT Incident Note:

    CERT® Incident Note IN-2001-01
    Widespread Compromises via "ramen" Toolkit
    January 18, 2001
    http://www.cert.org/incident_notes/IN-2001-01.html

OPERATION
=========

The Ramen worm is a completely automated worm that attacks random systems
using exploits of three known vulnerabilities:

    wu-ftp
    LPRng
    rpc.statd

The worm is distributed as an archive named ramen.tgz, which contains a
mixture of executable binaries and shell scripts. The binaries perform the
scanning and attacks while the scripts provide the automation. There is no
built-in mechanism for stopping the attacks after they have been started.

When a machine is compromised by any of these vulnerabilities, the attacking
program creates the directory /usr/src/.poop. The program then uses lynx to
connect back to the attacking machine via the asp port (27374) and get a copy
of ramen.tgz, which it places in the /usr/src/.poop directory. The ramen.tgz
file is unzipped, untarred, and the script start.sh is run.

The start.sh script first looks for and replaces any default web pages it
finds on the system with the ramen web page. That page is named "Ramen Crew"
and contains the text:

    RameN Crew
    Hackers looooooooooooooooove noodles.
    This site powered by

and the image:

    http://www.nissinfoods.com/tr_oriental.jpg

Note that this image is no longer available on the indicated server.

Start.sh removes hosts.deny and determines the IP address and network
interface of the compromised system.
It then tests to see if the system is Linux 6.2 or 7.0 and renames the
appropriate tools for the architecture it finds. Start.sh next replaces the
rc.sysinit file with a script that starts ramen again in case the system is
rebooted. You must remove or replace this file before rebooting to make the
ramen scanner stop.

LINUX 6.2
=========

In Linux 6.2, start.sh replaces the file /sbin/asp with a Trojaned copy of
asp that pushes out a copy of ramen.tgz to whomever connects to it. It then
writes the following entry to the end of the inetd.conf file and restarts
inetd to open the asp port (27374) to the /sbin/asp program:

    asp stream tcp nowait root /sbin/asp

LINUX 7
=======

In Linux 7, start.sh replaces /usr/sbin/asp with the Trojaned copy of asp and
then replaces /etc/xinetd.d with the following text to open the asp port
(27374):

    # default: on
    # description: asp server
    #
    service asp
    {
        disable     = no
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/asp
    }

Finally, it proceeds to patch the hole that let it in by deleting
/sbin/rpc.statd and /usr/sbin/rpc.rstatd in Linux 6.2 and /usr/sbin/lpd in
Linux 7. In both cases it adds the ftp and anonymous users to the
/etc/ftpusers file to close the ftp hole.

At this point, start.sh has finished compromising the system and starts an
attack script to compromise other systems. The attack script first randomly
picks a class B network and starts a scanner named synscan to locate
potentially vulnerable systems. When a potential victim is found, its address
is placed in a hidden file named .l or .w. Whenever the address of a new
victim is placed in one of these files, the attack program gets the address
and attacks it. The .l file contains systems to attack with the LPRng attack
and the .w file contains systems to attack with the wu-ftp and rpc.statd
attacks. Whenever one of these three attacks is successful, the process
starts again on the compromised system.
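The artifacts described above (the /usr/src/.poop staging directory, the copy of ramen.tgz, the asp entry in inetd.conf or under /etc/xinetd.d, the rewritten rc.sysinit, and index.html pages carrying the "RameN Crew" text) give an administrator a concrete checklist. The POSIX shell script below is an added example written for this page; it is not part of the CIAC bulletin or of the worm's own toolkit. The optional prefix argument and the function names ramen_audit, ramen_hit_count and ramen_port_open are assumptions of this example: with a prefix it audits a mounted copy of a filesystem (or a constructed tree), and with no argument it audits the live system.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: audit a host for the Ramen
# indicators the bulletin describes. The optional prefix argument (an
# assumption of this example) lets the checks run against a mounted copy
# of a filesystem or a constructed tree; with no argument, "/" is audited.

ramen_audit() {
    root="${1:-}"

    # Staging directory created by the attacking program
    if [ -d "$root/usr/src/.poop" ]; then
        echo "HIT: staging directory $root/usr/src/.poop exists"
    fi

    # Copy of the worm archive dropped in /tmp
    if [ -f "$root/tmp/ramen.tgz" ]; then
        echo "HIT: archive $root/tmp/ramen.tgz present"
    fi

    # Linux 6.2: "asp stream tcp nowait root /sbin/asp" appended to inetd.conf
    if [ -f "$root/etc/inetd.conf" ] && grep -q '^asp[[:space:]]' "$root/etc/inetd.conf"; then
        echo "HIT: asp service in $root/etc/inetd.conf"
    fi

    # Linux 7: "service asp { ... server = /usr/sbin/asp }" under /etc/xinetd.d
    if [ -e "$root/etc/xinetd.d" ] && grep -rqs 'service[[:space:]]*asp' "$root/etc/xinetd.d"; then
        echo "HIT: asp service under $root/etc/xinetd.d"
    fi

    # rc.sysinit rewritten to restart the worm after a reboot
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -qF '.poop' "$root/etc/rc.d/rc.sysinit"; then
        echo "HIT: $root/etc/rc.d/rc.sysinit references the staging directory"
    fi

    # Default web pages replaced with the "RameN Crew" page, anywhere in the tree
    find "$root/" -name index.html -exec grep -lF 'RameN Crew' {} \; 2>/dev/null |
        while IFS= read -r page; do
            echo "HIT: defaced page $page"
        done

    # Weak indicator: the worm adds ftp and anonymous to /etc/ftpusers, but
    # many administrators do the same deliberately, so this is only noted.
    if [ -f "$root/etc/ftpusers" ] && grep -qx 'ftp' "$root/etc/ftpusers" \
        && grep -qx 'anonymous' "$root/etc/ftpusers"; then
        echo "NOTE: ftp and anonymous are listed in $root/etc/ftpusers"
    fi
}

# Number of HIT lines produced for a tree; 0 means no indicator was found.
ramen_hit_count() {
    ramen_audit "$1" | grep -c '^HIT:' || true
}

# Live check only: is anything bound to the asp port (27374) on this host?
ramen_port_open() {
    netstat -an 2>/dev/null | grep -q '[:.]27374[[:space:]]'
}

# Usage on a live system:
#   ramen_audit
#   ramen_port_open && echo "port 27374 is open"
```

The port check is deliberately kept separate from the filesystem checks so the latter can be run against an offline image of a suspect disk. As the bulletin notes under DETECTING COMPROMISES, the port number, archive name and directory names are trivial to change in a variant, so a clean result from this script is evidence only against the original Ramen, not against everything derived from it.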
DETECTING COMPROMISES
=====================

Compromised systems are easily detected by the open asp port (27374). Any
system with this port open, or any traffic to or from this port, should be
considered suspect. Connecting to this port with a web browser should give
you back the ramen.tgz archive. The only clear text in the archive is
"ramen.tar" near the beginning. Note that the open port number and the name
of the archive could easily be changed in variants of this worm.

Compromised systems should also have the directory /usr/src/.poop containing
the contents of the ramen archive. Systems whose default web pages show the
RameN Crew page are also compromised.

CLEANING UP
===========

To remove ramen from a compromised system, do the following:

LINUX 6.2
---------

Remove/replace these files:

    /usr/src/.poop
    index.html anywhere on the system
    /etc/rc.d/rc.sysinit
    /sbin/asp
    /sbin/rpc.statd or /usr/sbin/rpc.rstatd
    /tmp/ramen.tgz

Remove the following line from the end of /etc/inetd.conf:

    asp stream tcp nowait root /sbin/asp

Remove "ftp" and "anonymous" from /etc/ftpusers

LINUX 7
-------

Remove/replace these files:

    /usr/src/.poop
    index.html anywhere on the system
    /usr/sbin/asp
    /etc/xinetd.d
    /usr/sbin/lpd
    /tmp/ramen.tgz

Remove "ftp" and "anonymous" from /etc/ftpusers

At this point, you should reboot your system and patch the services that
allowed the compromise to occur.

VARIANTS
========

We are already hearing of variants of this worm. Changing the attack programs
would be difficult because the source code for the attack programs is not
distributed with the worm. Thus, moving the worm to a different platform
would not be easy. Changing the shell scripts to do other things while the
worm is running would be relatively simple to do.

____________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S.
Department of Energy (DOE) and the emergency backup response team for the
National Institutes of Health (NIH). CIAC is located at the Lawrence
Livermore National Laboratory in Livermore, California. CIAC is also a
founding member of FIRST, the Forum of Incident Response and Security Teams,
a global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.

CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-030: Four Vulnerabilities in ISC Bind
L-031: Sun AnswerBook2 Vulnerability
L-032: Class Loading Vulnerability in Sun Java (TM) Runtime Environment
L-033: Sun Java Web Server Vulnerability
L-034: HP Security Vulnerability in man(1) Command
L-035: HP-UX Support Tools Manager Vulnerability
L-036: FreeBSD procfs Vulnerabilities
L-037: FreeBSD periodic Uses Insecure Temporary Files
L-038: FreeBSD inetd ident Server Vulnerability
L-039: FreeBSD sort Uses Insecure Temporary Files