Ramen is an Internet worm that propagates from one Linux-based server to another. It works in a similar way to the Morris Worm that was widespread in 1989.
Disinfection & Removal
Ramen affects systems running a default installation of Red Hat Linux 6.2 or 7.0. It attempts to infect the system by exploiting three known security vulnerabilities in the wu-ftpd, rpc.statd and lpd services.
If the worm gets access to the vulnerable host, it creates a hidden directory "/usr/src/.poop/", copies itself there as "ramen.tgz", extracts itself and executes the "start.sh" shell script. The script runs with "root" user privileges.
First it replaces all "index.html" pages on the system, including those of the web server if one is running, with its own page containing the following text:
RameN Crew Hackers looooooooooooove noodles
Next Ramen removes the "/etc/hosts.deny" file and detects whether it is running under Red Hat Linux 6.2 or 7.0, so that it can use precompiled binaries for these systems.
It also adds itself to "/etc/rc.d/rc.sysinit", so that the worm is active again after the system is restarted.
After that it copies a simple application to "/sbin/asp" that listens on port 27374. Over a connection to this port, the worm downloads itself to the remote host.
On a Red Hat 6.2 system the worm removes both "/sbin/rpc.statd" and "/usr/sbin/rpc.rstatd".
On a Red Hat 7.0 system it replaces "/usr/sbin/lpd" with a zero-byte file.
On both systems the worm disables anonymous access to the FTP server.
These changes to the system effectively disable the vulnerable services, so Ramen will not infect the system again.
Finally the worm starts three processes in the background. These processes scan random class B subnets for vulnerable hosts and, if such a host is found, infect it.
All three security vulnerabilities are already fixed by currently available updates provided by Red Hat. Fixes are available at:
Red Hat Linux 6.2:
Red Hat Linux 7.0:
Unix/Ramen.B does not carry the same payload as the original Ramen.A. Instead, it installs a backdoor and a distributed denial of service agent on the compromised system.
When the worm infects the system it first moves "/bin/login" to "/usr/lib/ldliblogin.so" and copies a trojanized "login" to "/bin/login".
After that it sends the "/etc/shadow" file, probably to the virus writers. After sending it, the worm attempts to remove the log entries about the sent mail from "/var/log/maillog".
The worm replaces "/usr/bin/lpd" with a variant of the so-called Stacheldraht distributed denial of service agent and executes it. An entry is added to the end of the "/etc/rc.d/rc.sysinit" file, so the DDoS agent is active again after the system restarts.
Ramen.B compiles a program that kills the "lpd" process and runs "/usr/bin/lpd", effectively restarting the DDoS agent. This restart program is placed at "/usr/sbin/update".
Next the worm compiles and replaces both "/bin/ps" and "/bin/netstat" with trojanized versions that hide the worm's processes from the user. The original commands are moved to "/usr/lib/ldlibps.so" and "/usr/lib/ldlibns.so" respectively.
Ramen.B also adds cron jobs that run "/usr/sbin/update" monthly and kill all processes named "syncscan" daily.
Otherwise this variant functions like the original Unix/Ramen.A.
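The following host check, added here as an illustration and not part of the original F-Secure description, looks for the file-system artifacts listed above for both Ramen.A and Ramen.B under a given root directory (so it can be pointed at a mounted disk image or a test tree). It assumes that the rc.sysinit entry references the ".poop" directory or "/usr/bin/lpd"; the page does not give the exact line, so that match is an assumption, and the sample tree is constructed test data.

```python
import os
import tempfile

# Artifacts named in the Ramen.A and Ramen.B descriptions, keyed by path
# relative to the root being examined.
RAMEN_PATHS = {
    "/usr/src/.poop": "Ramen.A hidden staging directory",
    "/usr/src/.poop/ramen.tgz": "Ramen.A worm archive",
    "/sbin/asp": "Ramen.A download server (port 27374)",
    "/usr/lib/ldliblogin.so": "Ramen.B relocated original /bin/login",
    "/usr/lib/ldlibps.so": "Ramen.B relocated original /bin/ps",
    "/usr/lib/ldlibns.so": "Ramen.B relocated original /bin/netstat",
}
DEFACEMENT_MARKER = b"RameN Crew"  # text of the replaced index.html pages


def find_ramen_indicators(root):
    """Return a sorted list of indicator descriptions found under root."""
    hits = [desc for rel, desc in RAMEN_PATHS.items()
            if os.path.lexists(root + rel)]
    # Persistence: the page says both variants append to rc.sysinit; the
    # exact content of the line is an assumption here.
    sysinit = root + "/etc/rc.d/rc.sysinit"
    if os.path.isfile(sysinit):
        with open(sysinit, "rb") as fh:
            data = fh.read()
        if b".poop" in data or b"/usr/bin/lpd" in data:
            hits.append("rc.sysinit persistence entry")
    # Defacement: any index.html carrying the worm's text.
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, "rb") as fh:
                if DEFACEMENT_MARKER in fh.read():
                    hits.append("defaced index.html: " + path[len(root):])
    # Ramen.A deletes /etc/hosts.deny; its absence alone is weak evidence,
    # so it is reported only when something else already matched.
    if hits and not os.path.exists(root + "/etc/hosts.deny"):
        hits.append("/etc/hosts.deny missing")
    return sorted(hits)


def build_sample_root(infected=True):
    """Construct a throwaway root tree; with infected=True it carries
    Ramen.A artifacts (constructed test data, not a real capture)."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/etc/rc.d")
    os.makedirs(root + "/var/www/html")
    if infected:
        os.makedirs(root + "/usr/src/.poop")
        open(root + "/usr/src/.poop/ramen.tgz", "wb").close()
        with open(root + "/etc/rc.d/rc.sysinit", "w") as fh:
            fh.write("#!/bin/sh\n/usr/src/.poop/start.sh\n")
        with open(root + "/var/www/html/index.html", "w") as fh:
            fh.write("RameN Crew Hackers looooooooooooove noodles\n")
    return root
```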
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure; January - February, 2001