Net worm attacks Linux servers

By Robert Lemos, ZDNet News
18 January 2001 10:28 AM
Tags: hacking, linux, worm, servers, spread

An Internet worm cobbled together from generally available hacking tools has compromised hundreds, perhaps thousands, of Linux servers.

It uses two well-known security flaws in applications set up during the default installation of Red Hat Linux software.

Known as the Ramen worm, the self-spreading program appears to have been created by common Internet vandals - called script kiddies. As of last night, the worm was continuing to spread.

"This is not a very dangerous worm," said Lance Spitzner, coordinator for the Honeynet Project, a group of well-known security experts who study how hackers attack servers. "It has a very big signature. It is easy to find. And it doesn't really do anything destructive."

The worm spreads by scanning the Internet for servers based on Red Hat 6.2 or 7.0 and then attempting to gain access using two common exploits. When it does gain access, it installs a so-called "root kit," which patches the security holes and installs special programs that replace common system functions. Ramen also replaces the main page on Web servers with an HTML file claiming: "RameN Crew--Hackers looooooooooooove noodles."

Finally, the new worm sends an email message to two Web-based accounts, boots up and starts scanning the Internet again.

Worm spreading rapidly

Spitzner and other security experts on the Bugtraq mailing list detected the worm earlier this week when they noticed an increase in scans for the RPC.statd and wu-FTP vulnerabilities that plague the default installations of most Linux servers. The worm, however, limits its spread to servers based on Red Hat 6.2 and 7.0.

RPC.statd is one of several services that a Linux server can run to offer remote access using a common suite of programs known as remote procedure calls. Washington University's version of the common file server, known as wu-FTP, has a flaw that also allows access. Patches for both flaws are readily available.

Mihai Moldovanu, a Romanian programmer who reverse-engineered much of the worm on Tuesday, said that Ramen is spreading very rapidly.

"Once the worm starts scanning, it will consume a large amount of your Internet bandwidth," Moldovanu said. "The scanning is very fast." According to Moldovanu, the worm scanned two B-class networks - about 130,000 Internet addresses - in less than 15 minutes.

"The worm itself seems dangerous due to bandwidth consumption and due to the (unproven) possibility of remote-accessing the compromised box by the worm author," he added.

Because of its ability to spread without any human intervention and because it targets servers based on Linux - a cousin of Unix - the Ramen worm resembles the Morris Worm that used a common email service to spread through the Internet - then called the Arpanet - in early November 1988.

The Morris worm, named after its creator, the Cornell University graduate student Robert Morris, overloaded the Internet with email as it attempted to spread among Unix servers.

The Computer Emergency Response Team at Carnegie-Mellon - created in the aftermath of the Morris Worm - is currently studying the Ramen worm, spokesman Bill Pollock said Wednesday.
