Linux/Ramen

Classification

Malware

Worm

Linux

Ramen, Linux.Ramen, Linux/Ramen, Unix/Ramen

Summary

Ramen is an Internet worm that propagates from a Linux based server to another. It works in a similar way as the Morris Worm that was widespread in 1989.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


Variant:Ramen.A

Ramen affects systems running a default installations of Red Hat Linux 6.2 and 7.0. It attempts to infect the system by exploiting three know security vulnerabilities - found from wu-ftpd, rpc.statd and lpd services.

If the worm gets access to the vulnerable host, it creates a hidden directory "/usr/src/.poop/", copies itself there as "ramen.tgz", extracts itself and executes "start.sh" shell script. The script will run under the "root" user priviledge.

First the replaces all "index.html" pages from the system, including the web server if one is running, with its own that contains the following text:

RameN Crew

 Hackers looooooooooooove noodles

Next Ramen removes "/etc/hosts.deny" file and detects whenever it is running under Red Hat Linux 6.2 or 7.0, so it can use precompiled binaries for these systems.

It also adds itself to the "/etc/rc.d/rc.sysinit" causing that the worm will be active after the system is restarted.

After that it copies a simple application to "/sbin/asp" that listens port 27374. Using an connection to this port, the worm downloads itself to the remote host.

In Red Hat 6.2 system the worm removes both "/sbin/rpc.statd" and "/usr/sbin/rpc.rstatd".

In Red Hat 7.0 system, it replaces the "/usr/sbin/lpd" with a zero byte file.

In both systems the worm disables anonumous access to the ftp server.

These changes to the system effectively disable vulnerable services, so Ramen will not infect the system again.

Finally the worm will start three processes in the background. These processes will scan random class B subnets for vulnerable hosts and, if such hosts is found, infect them.

All three security vulnerabilites are already fixed with currently available updates provided by Red Hat. Fixes are available at:

Red Hat Linux 6.2:

https://www.redhat.com/support/errata/rh62-errata-security.html

Red Hat Linux 7.0:

https://www.redhat.com/support/errata/rh7-errata-security.html


Variant:Ramen.B

Unix/Ramen.B does not contain the same payload as the original Ramen.A. Instead, it installs a backdoor and a distributed denial of service agent to the compromised system.

When the worm infects the system it first moves the "/bin/login" to "/usr/lib/ldliblogin.so" and copies a trojanized "login" to "/bin/login".

After that it sends the "/etc/shadow" file, propably to virus writers. After sending it attempts to remove the log entries about sent mail from "/var/log/maillog".

The worm replaces the "/usr/bin/lpd" with a variant of so called Stacheldraht distributed denial of service agent, and executes it. An entry is added to the end of the "/etc/rc.d/rc.sysinit" file, so DDoS agen will be active after the system restart.

Ramen.B compiles a program that will kill the "lpd" process from the system and run "/usr/bin/lpd", thus effectively restarting the DDoS agent. Restart program is placed to "/usr/sbin/update".

Next the worm compiles and replaces both "/bin/ps" and "/bin/netstat" with trojanized versions that hide worms processes from the user. The original commands are moved to "/usr/lib/ldlibps.so" and "/usr/lib/ldlibns.so" respectively.

Ramen.B also adds a cron job, that runs "/usr/sbin/update" monthly and kills all processes named "syncscan" daily.

Otherwise this variant functions like the original Unix/Ramen.A.