Worm.Linux.Rame Viruses Information
Name: Worm.Linux.Rame
Category: Viruses
Description:
Details
Worm.Linux.Ramen
This is the first known worm infecting RedHat Linux systems. The worm was discovered in the middle of January 2001. The worm spreads itself from system to system by exploiting a RedHat security hole (a so-called "buffer overrun") that allows uploading a short piece of code to a remote system and running it there; that code then downloads and activates the main worm component.
The worm has not been tested in VirusLab, so all information below should be read as "the worm could do this, if it really does work." We also have no confirmed reports about infected servers from our customers.
The worm uses three security holes in RedHat versions 6.2 and 7.0. These holes were discovered in summer-autumn 2000, at least three months before the worm was discovered.
The worm also contains routines that are intended to attack FreeBSD and SuSE machines, but these routines are neither activated nor used in the worm code.
The Worm Itself
This is a multi-component worm that consists of 26 files, about 300K in total length. These files are script programs and executable files. The script programs are ".sh" files that are run by a Linux command shell (like DOS BAT files and Windows CMD files). The executable files are standard Linux ELF executables.
The main components of the worm are script ".sh" files that act as hosts: they run the rest of the files (additional ".sh" files and ELF executables) to perform the necessary actions.
The list of components appears as follows:
asp hackl.sh randb62 start62.sh wh.sh
asp62 hackw.sh randb7 start7.sh wu62
asp7 index.html s62 synscan62
bd62.sh l62 s7 synscan7
bd7.sh l7 scan.sh w62
getip.sh lh.sh start.sh w7
The "62" components are activated on RedHat 6.2 systems; the "7" components are activated on RedHat 7.0. The "wu62" file is not used at all.
Spreading
Spreading (infecting a remote Linux machine) is done by a "buffer overrun" attack. This attack is performed by sending a special packet to the machine being attacked. The packet carries a block of specially prepared data, and that block of packet data is then executed as code on that machine. This code opens a connection to an infected machine, obtains the rest of the worm's code, and activates it. At this moment the machine is infected, and it starts to spread the worm further.
The worm is transferred from machine to machine as a "tgz" archive (a standard UNIX gzip-compressed tar archive) named "ramen.tgz", with the 26 worm components inside. While infecting a new machine, the worm unpacks the package there and runs the main "start.sh" file, which then activates the other worm components.
The worm components then scan the global network for other Linux machines and upload the worm there if the "buffer overrun" attack succeeds.
The worm also appends a command that runs its starting ".sh" file to the "/etc/rc.d/rc.sysinit" file; as a result, the worm's components are activated on every subsequent system start.
The worm also closes the security holes that were used to infect the system, so an infected machine cannot be attacked by the worm twice.
Details
To obtain IP addresses of remote machines in order to attack them, the worm scans the available global network for IP addresses; i.e., it operates similarly to standard "sniffer" utilities.
To attack a remote system, the worm uses security vulnerabilities in three RedHat Linux daemons: "statd", "lpd", and "wu-ftp".
To upload and activate its copy on a remote machine, the worm's "buffer overrun" code contains instructions that switch to "root" privileges, run a command shell, and execute the following commands:
creates a directory to download the worm "tgz" file, the directory name is "/usr/src/.poop"
exports a "TERM=vt100" variable that is necessary for the next step
runs "lynx" (a simple text-mode WWW browser), which downloads the worm "tgz" file from the host machine (the machine from which the worm is spreading)
unpacks all worm components from a "tgz" archive
runs the worm startup component: the "start.sh" file
To send the "ramen.tgz" archive, the worm runs an additional server, "asp", that sends the worm's "tgz" archive on request from the worm's "buffer overrun" component.
Misc.
The worm has several payload and other non-infectious routines.
First of all, it finds all "index.html" files (a Web server's starting pages) on the local machine, starting from the root directory, and replaces them with its own "index.html" file that contains the following text:
The worm deletes the "/etc/hosts.deny" file. This file contains a list of hosts (addresses and/or Internet names) that are denied access to this system (in case a so-called TCP wrapper is used). As a result, any of the previously restricted machines can access an affected system.
When a new system is infected, the worm sends "notification" messages to three e-mail addresses:
the address of the just-infected machine
gb31337@hotmail.com
gb31337@yahoo.com
The message Subject is the IP address of the infected machine; the message body contains the text:
Eat Your Ramen!
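The description above lists several host-side artifacts that survive after infection: the "/usr/src/.poop" download directory with "ramen.tgz" inside it, the line appended to "/etc/rc.d/rc.sysinit", the deleted "/etc/hosts.deny", and the replaced "index.html" pages. The following script is an added example (not code from this page or from the worm) that checks a filesystem tree for those indicators. It assumes a regex for the rc.sysinit line and for the defacement text, since the page quotes neither; the sample trees it builds are constructed test data, not real worm files.

```python
import os
import re
import tempfile
from typing import Dict, List

# Paths relative to the inspected root, taken from the description above.
POOP_DIR = "usr/src/.poop"
RC_SYSINIT = "etc/rc.d/rc.sysinit"
HOSTS_DENY = "etc/hosts.deny"
# The exact line appended to rc.sysinit is not quoted on the page, so this
# pattern is an assumption: flag any line pointing at the worm directory or
# at its start.sh component.
RC_PATTERN = re.compile(r"\.poop|start\.sh", re.IGNORECASE)
# The defacement text is not reproduced either; matching "ramen" is an
# assumption based on the worm's name and its mail body.
INDEX_MARKER = re.compile(r"ramen", re.IGNORECASE)


def scan_for_ramen(root: str) -> List[str]:
    """Inspect the tree under `root` (use "/" on a live host) and return findings; empty = clean."""
    findings: List[str] = []

    poop = os.path.join(root, POOP_DIR)
    if os.path.isdir(poop):
        findings.append(f"worm download directory present: /{POOP_DIR}")
        if os.path.isfile(os.path.join(poop, "ramen.tgz")):
            findings.append("ramen.tgz archive present in worm directory")

    rc = os.path.join(root, RC_SYSINIT)
    if os.path.isfile(rc):
        with open(rc, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if RC_PATTERN.search(line):
                    findings.append(f"/{RC_SYSINIT}:{lineno} launches worm: {line.strip()}")

    # A missing hosts.deny is only a weak indicator (some hosts never had one),
    # so it is reported but should be read together with the other findings.
    etc = os.path.join(root, "etc")
    if os.path.isdir(etc) and not os.path.exists(os.path.join(root, HOSTS_DENY)):
        findings.append(f"/{HOSTS_DENY} is missing")

    # Walk the whole tree for index.html files carrying the defacement marker.
    for dirpath, _dirs, filenames in os.walk(root):
        if "index.html" not in filenames:
            continue
        path = os.path.join(dirpath, "index.html")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = fh.read(4096)
        except OSError:
            continue
        if INDEX_MARKER.search(head):
            findings.append(f"defaced index.html: /{os.path.relpath(path, root)}")
    return findings


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_tree(root: str, infected: bool) -> str:
    """Populate `root` with a constructed miniature filesystem (test data, not real worm files)."""
    _write(root, RC_SYSINIT, "#!/bin/sh\n# original init script\n")
    _write(root, "home/httpd/html/index.html", "<html><body>Welcome</body></html>\n")
    if infected:
        _write(root, POOP_DIR + "/ramen.tgz", "placeholder bytes, not an archive\n")
        # Constructed startup line; the real appended command is not quoted on the page.
        with open(os.path.join(root, RC_SYSINIT), "a", encoding="utf-8") as fh:
            fh.write("/usr/src/.poop/start.sh\n")
        _write(root, "home/httpd/html/index.html", "<html><body>Eat Your Ramen!</body></html>\n")
        # hosts.deny deliberately absent, as the worm deletes it
    else:
        _write(root, HOSTS_DENY, "# ALL: PARANOID\n")
    return root


def demo() -> Dict[str, List[str]]:
    """Scan one clean and one infected constructed tree; return both finding lists."""
    out: Dict[str, List[str]] = {}
    for label, infected in (("clean", False), ("infected", True)):
        with tempfile.TemporaryDirectory() as tmp:
            out[label] = scan_for_ramen(build_sample_tree(tmp, infected))
    return out


if __name__ == "__main__":
    for label, items in demo().items():
        print(f"{label}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

On the constructed infected tree the scan reports five findings (directory, archive, rc.sysinit line, missing hosts.deny, defaced page) and none on the clean tree. Because the worm also closes the holes it used, the absence of a vulnerable "statd", "lpd" or "wu-ftp" is not evidence that a host was never hit; the persistence and defacement artifacts are the more reliable signal.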