SCIENCE AND ENGINEERING NEWS
Moscow, RUSSIA — Sylvia Dennis reported for Newsbytes: Kaspersky Lab, the Russian anti-virus specialist, has warned about a new Internet worm that attacks Linux-based computers. The worm, which executes under Red Hat Linux, is called Ramen, and represents a surprise for what had been considered to be one of the most protected platforms available today.
Kaspersky said that Ramen, which affects Red Hat Linux 6.2- or 7.0-based systems, exploits three security breaches named “in.ftpd”, “rpc.statd” and “LPRng”, which were detected and closed between June and September 2000. All of these breaches, the firm said, fall into the “buffer overflow” category and allow a malicious person to send executable code to a remote system and run it without the user’s permission.
The Moscow-based company said that the way the worm works is rather sophisticated. First, a target computer receives data that overflows the system’s internal buffer, so that the worm’s code gains root privileges and starts the command processor, which executes the worm’s instructions. At this stage, Ramen creates the “/usr/src/.poop” directory, launches the Lynx Internet browser and downloads the worm’s archive “RAMEN.TGZ” from a remote computer.
After this, Ramen opens the archive and executes its main file “START.SH”. The worm has no additional payload except for changing the content of “INDEX.HTML” files found on the system. When the affected HTML files are opened, they display the message “RameN Crew – Hackers loooooo00000000000ve noodles.”
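The file-system artifacts described above can be turned into a quick host check. This is an added example, not code from Kaspersky or the original report: the function names, the output format and the sample tree are constructed for illustration, and the scan looks only for the directory, archive name and defacement string given in the article.

```shell
#!/bin/sh
# Added example: triage a filesystem for the Ramen artifacts the article names.
# ROOT is "/" on a live host or the mount point of a disk image (assumed usage).

# Print one "kind<TAB>path" line per artifact found under ROOT.
ramen_scan() {
    root=${1%/}
    # Staging directory the worm creates before it downloads its archive.
    if [ -d "$root/usr/src/.poop" ]; then
        printf 'staging_dir\t%s\n' "$root/usr/src/.poop"
    fi
    # Worm archive; the article prints the name in upper case, so ignore case.
    find "$root/" -xdev -type f -iname 'ramen.tgz' 2>/dev/null |
        while IFS= read -r f; do printf 'archive\t%s\n' "$f"; done
    # index.html files whose content was replaced with the defacement banner.
    find "$root/" -xdev -type f -iname 'index.html' \
        -exec grep -l 'RameN Crew' {} + 2>/dev/null |
        while IFS= read -r f; do printf 'defaced_page\t%s\n' "$f"; done
    return 0
}

# Number of findings of one kind (staging_dir, archive, defaced_page).
ramen_count() {
    ramen_scan "$1" |
        awk -F '\t' -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# Constructed sample tree: one infected layout plus one untouched page.
build_sample() {
    mkdir -p "$1/usr/src/.poop" "$1/var/www/html" "$1/home/alice/site"
    : > "$1/usr/src/.poop/ramen.tgz"
    echo 'RameN Crew - constructed banner' > "$1/var/www/html/index.html"
    echo '<h1>Welcome</h1>' > "$1/home/alice/site/index.html"
}

# Demo run against the constructed tree; use ramen_scan / on a real host.
sample=$(mktemp -d)
build_sample "$sample"
ramen_scan "$sample"
rm -rf "$sample"
```

A hit only shows that the artifacts are present; a clean result does not show that the three services were patched.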
Denis Zenkin, Kaspersky’s head of corporate communications, said that it’s important to emphasize that the breaches exploited by Ramen are also found on other Linux variants, including Caldera OpenLinux, Conectiva Linux, Debian Linux, HP-UX and Slackware Linux. “This particular worm is triggered to activate only on systems running Red Hat Linux,” he said, adding that other Linux variants could be affected by future versions of the worm.
“We therefore recommend users to immediately install patches for these breaches regardless of the Linux distribution they use,” he said, adding that there have been no reports of the virus “in the wild.”
Web site: http://www.kaspersky.com