This is the first known worm infecting RedHat Linux systems. The worm was discovered in the middle of January 2001. The worm spreads itself from system to system by using a RedHat security breach (a so-called “buffer overrun” breach) that allows for uploading to a remote system and running a short piece of code there that then downloads and activates the main worm component.
The worm has not been tested in VirusLab, so all information below should be read as “the worm could do, if it really does work.” We also have no confirmed reports about infected servers from our customers.
The worm uses three security breaches in RedHat versions 6.2 and 7.0. These breaches were discovered in summer-autumn 2000, at least three months before the worm was discovered.
The worm also contains routines that intend to attack FreeBSD and SuSE machines, but these routines are neither activated, nor used in worm code.
The Worm Itself
This is a multi-component worm that consists of 26 files about 300K in total length. These files are script programs and executable files. The script programs are “.sh” files that are run by a Linux command shell (like DOS BAT
The main components of the worm are “.sh” script files that act as hosts: they run the rest of the files (additional “.sh” files and ELF executables) to perform the necessary actions.
The list of components appears as follows:
asp, hackl.sh, randb62, start62.sh, wh.sh, asp62, hackw.sh, randb7, start7.sh, wu62, asp7, index.html, s62, synscan62, bd62.sh, l62, s7, synscan7, bd7.sh, l7, scan.sh, w62, getip.sh, lh.sh, start.sh, w7
The “62” components are activated under RedHat 6.2 systems, the “7” components are activated under RedHat 7.0. The “wu62” file is not used at all.
Spreading (infecting a remote Linux machine) is done by a “buffer overrun” attack. This attack is performed as a special packet that is sent to the machine being attacked. The packet carries a block of specially prepared data. That block of packet data is then executed as code on that
The worm is transferred from machine-to-machine as a “tgz” archive (standard UNIX archive) with a “ramen.tgz” name, with 26 worm components inside. While infecting a new machine, the worm unpacks the package there, and runs the main “start.sh” file that then activates other
The worm components then scan the global network for other Linux machines and upload the worm there if the “buffer overrun” attack is performed successfully.
The worm also appends a command that runs its starting “.sh” file to the “/etc/rc.d/rc.sysinit” file; as a result, the worm’s components are activated on every subsequent system start.
The worm also closes security breaches that have been used to infect the system. So, an infected machine cannot be attacked by the worm twice.
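A defender-side check for the two host artefacts described above (the line appended to rc.sysinit and the set of worm component files), added here as an example and not part of the original description: it reports rc.sysinit lines that invoke a start.sh script and directories where several of the listed component names co-exist. The sample tree, the MIN_MATCHES threshold and the drop directory path are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# The 26 component names from the description above.
RAMEN_COMPONENTS = {
    "asp", "hackl.sh", "randb62", "start62.sh", "wh.sh", "asp62", "hackw.sh",
    "randb7", "start7.sh", "wu62", "asp7", "index.html", "s62", "synscan62",
    "bd62.sh", "l62", "s7", "synscan7", "bd7.sh", "l7", "scan.sh", "w62",
    "getip.sh", "lh.sh", "start.sh", "w7",
}
MIN_MATCHES = 5  # assumed threshold: names that must co-exist in one directory


def check_sysinit(sysinit_path):
    """Return non-comment rc.sysinit lines that invoke a start.sh script."""
    try:
        lines = Path(sysinit_path).read_text(errors="replace").splitlines()
    except FileNotFoundError:
        return []
    return [ln.strip() for ln in lines
            if "start.sh" in ln and not ln.lstrip().startswith("#")]


def find_component_dirs(root):
    """Walk root; return dirs holding at least MIN_MATCHES component names."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        matched = RAMEN_COMPONENTS.intersection(files)
        if len(matched) >= MIN_MATCHES:
            hits[dirpath] = sorted(matched)
    return hits


def scan_host(root, sysinit_path):
    return {"sysinit": check_sysinit(sysinit_path),
            "dirs": find_component_dirs(root)}


def build_sample():
    """Constructed sample tree (not a real infection): a drop dir plus a modified rc.sysinit."""
    base = Path(tempfile.mkdtemp())
    drop = base / "tmp" / "drop"
    drop.mkdir(parents=True)
    for name in ("start.sh", "scan.sh", "synscan62", "asp", "getip.sh", "lh.sh"):
        (drop / name).write_text("#!/bin/sh\n")
    (base / "etc" / "rc.d").mkdir(parents=True)
    (base / "etc" / "rc.d" / "rc.sysinit").write_text(
        "# system init\nmount -a\n/tmp/drop/start.sh\n")
    return base


if __name__ == "__main__":
    base = build_sample()
    print(scan_host(base, base / "etc" / "rc.d" / "rc.sysinit"))
```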
To obtain IP addresses of remote machines in order to attack them, the worm scans the available global network for IP addresses; i.e., it operates similarly to standard “sniffer” utilities.
To attack a remote system, the worm uses security vulnerabilities in three RedHat Linux daemons: “statd”, “lpd”, and “wu-ftp”.
To upload and activate its copy on a remote machine, the worm’s “buffer overrun” code contains instructions that switch to “root” privileges, run a command shell, and execute the following commands:
To send the “ramen.tgz” archive, the worm runs an additional server, “asp”, that sends the worm’s “tgz” archive on request from the worm’s “buffer overrun” component.
The worm has several payload and other non-infectious routines.
First of all, it finds all “index.html” files (a Web server’s starting pages) on a local machine starting from the root directory and replaces them with its own “index.html” file that contains the following text: