http://www.securityfocus.com/news/141
Ramen hits NASA
The Linux worm's noodle-touting defacements show up in odd places.
By Kevin Poulsen
January 19, 2001 6:41 PM PT
The distinctive mark of the Linux-based Internet worm 'Ramen' turned up on web sites in Texas and Taiwan this week, and
marred a NASA server in California.
The worm, which targets known vulnerabilities in Red Hat 6.2 and 7.0, leaves as its calling card the message "Hackers
looooooooooooove noodles," signed by the "RameN Crew," and an image of a Top Ramen-brand oriental noodle package.
While the full impact of the worm is not yet known, the noodle-touting tag has appeared at Texas A&M university, the
Taiwanese web site for computer company Supermicro, and NASA's Jet Propulsion Laboratories (JPL) in California, according
to Attrition.org, a site that chronicles web defacements.
The JPL web server was defaced on Monday, putting it among the earliest victims of the worm. "That site was modified by an
unauthorized user," confirmed Susan Reichley, a spokesperson for the space agency. "It was caught the same day."
The Ramen worm is a bulky, but effective, collection of hacking tools rolled up into a package. A modified scanning
program searches randomly-selected swaths of Internet address space for Red Hat Linux versions 6.2 and 7.0 installations.
The scanner then launches attacks against those machines with publicly available exploits of three known vulnerabilities
and spreads into each crackable box.
More from Security Focus
VULNERABILITIES
  Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
  Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
  Multiple Vendor LPRng User-Supplied Format String Vulnerability
INCIDENTS LIST
  Ramen analysis
OPINION
  GARFINKLE: Prepare for a Linux plague
On Red Hat 6.2 systems, the worm exploits vulnerabilities in wu-ftpd and rpc.statd. On version 7.0, it attacks LPRng.
Detailed information on fixing all three holes can be found in SecurityFocus's vulnerability database (see insert).
The worm's strategy is not dissimilar to that employed by the 1988 Morris worm, the most successful self-propelled
contagion to date. But unlike the Morris worm, on every system Ramen penetrates it promptly closes the holes that allowed
it to break in -- thus preventing the kind of multiple infection that caused the Morris worm to grind infected computers
into seizure.
Mutations may come
As a side effect of its rampage, the worm has increased traffic to the web site of noodle-maker Nissin Foods, the source
of the Top Ramen image that's found on every defaced page. Because of the way the worm's author structured the tag,
visitors to sites that have fallen victim to the worm unknowingly pull the image of the snack treat directly from
nissinfoods.com.
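Because every defaced page pulls the image from one host, that host's access log typically records each defaced page in the Referer field, which gives responders a way to find and notify affected sites. The following is an added example, not part of the original article: the image path, the Apache "combined" log format and every host and address in the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed values, not from the article: the image path is a placeholder.
IMAGE_PATH = "/images/placeholder-topramen.jpg"
OWN_HOSTS = {"www.nissinfoods.com", "nissinfoods.com"}

# Apache/NCSA "combined" log format (assumed format for the image host).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log: documentation addresses and .example hosts only.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2001:10:01:02 -0800] "GET /images/placeholder-topramen.jpg HTTP/1.0" 200 5120 "http://www.victim-a.example/index.html" "Mozilla/4.0"
192.0.2.11 - - [19/Jan/2001:10:03:40 -0800] "GET /images/placeholder-topramen.jpg HTTP/1.0" 200 5120 "http://www.victim-a.example/index.html" "Mozilla/4.0"
192.0.2.12 - - [19/Jan/2001:10:05:13 -0800] "GET /images/placeholder-topramen.jpg HTTP/1.0" 200 5120 "http://WWW.Victim-B.example/" "Mozilla/4.0"
192.0.2.13 - - [19/Jan/2001:10:06:00 -0800] "GET /images/placeholder-topramen.jpg HTTP/1.0" 200 5120 "http://www.nissinfoods.com/products.html" "Mozilla/4.0"
192.0.2.14 - - [19/Jan/2001:10:07:21 -0800] "GET /images/placeholder-topramen.jpg HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
192.0.2.15 - - [19/Jan/2001:10:08:45 -0800] "GET /index.html HTTP/1.0" 200 900 "http://search.example/?q=noodles" "Mozilla/4.0"
this line is not a valid log entry
"""

def hotlinking_pages(lines):
    """Map each external referring host to the set of pages that embedded the image."""
    pages = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        # Skip unparseable lines and requests for anything other than the image.
        if not m or m["path"].split("?", 1)[0] != IMAGE_PATH:
            continue
        referer = m["referer"]
        host = (urlsplit(referer).hostname or "").lower()
        # Skip missing referers ("-" or empty) and the image host's own pages.
        if not host or host in OWN_HOSTS:
            continue
        pages[host].add(referer)
    return dict(pages)

if __name__ == "__main__":
    for host, refs in sorted(hotlinking_pages(SAMPLE_LOG.splitlines()).items()):
        print(host, sorted(refs))
```

Requests with a blank Referer are dropped, so the resulting list is a lower bound on the number of pages embedding the image.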
California-based ICC Internet, the company that maintains nissinfoods.com, is unperturbed by the extra hits. "We're not
going to do anything about it," says CTO Alex Ponnath. "It hasn't affected us."
Notwithstanding the serial defacements, and the bandwidth consumed by the worm's scanning, Ramen has proven relatively
harmless. But experts warn that could change. "What happens if somebody modifies it so that it does a search through a
hard drive for words like 'secret' or 'salary' and sends the files out to an IRC channel," says Spitzner, who's examined
the worm. "I'd leave it to the creativity of the black hat community, and based on what I know, they're very creative."
The identity of the worm's author remains a mystery. But observers have noted that "Ramen" is Dutch for "Windows,"
sparking speculation that the culprit is a Dutch hacker who targeted Linux out of "looooooooooooove" for a competing
operating system.
Copyright © 1999-2000 SecurityFocus.com