Ramen: the first successful attack on Linux?

Monday 22 January 2001

Cambridge, UK, January 19, 2001 - Kaspersky Lab, an international data-security software-development company, reports the discovery of a new Internet worm that attacks computers with the Red Hat Linux operating system installed.

As emphasised in the latest virus advisory regarding the "Davinia" worm, dated January 16th, one of the modern trends in malicious code development is that virus writers often use known breaches in the security systems of different platforms and applications. The recently detected "Ramen" worm is yet another confirmation of this trend. This time, however, the victim is the Linux operating system, which is considered to be one of the most protected platforms available today.

To penetrate computers that have Red Hat Linux 6.2 or 7.0 installed, "Ramen" exploits three security breaches named "in.ftpd", "rpc.statd" and "LPRng", which were detected and closed in June-September 2000. All of these breaches belong to the "Buffer Overflow" category and allow a malicious person to send executable code to a remote system and run it without the user's permission.

The way the worm works is rather sophisticated. First, a target computer receives data that overflows the system's internal buffer, so that the worm's code gains root privileges and starts the command processor, which executes the worm's instructions. Then "Ramen" creates the "/usr/src/.poop" folder, launches the "lynx" Internet browser and uses it to download the worm's archive "RAMEN.TGZ" from a remote computer into that folder. After this, "Ramen" unpacks the archive and executes its main file, "START.SH".

The worm has no additional payload except for changing the content of "INDEX.HTML" files found on the system. When the affected HTML files are opened, they display the following message:

RameN Crew Hackers loooooo00000000000ve noodles.
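The artifacts named above (the working folder, the downloaded archive, the main script and the altered index pages) can be swept for on a live host or a mounted disk image. The script below is an added example, not part of the Kaspersky Lab release; the function name ramen_check, the RAMEN_HITS variable and the case-insensitive file-name matching are assumptions.

```shell
#!/bin/sh
# Added example: look for the Ramen artifacts described in the advisory.
# Usage: sh ramen_check.sh /mnt/image   (the script name and path are assumptions)

ramen_check() {
    root="${1:-/}"
    root="${root%/}"              # "/" becomes "" so paths join cleanly
    hits=0

    # 1. Working folder the worm creates.
    workdir="$root/usr/src/.poop"
    if [ -d "$workdir" ]; then
        echo "FOUND folder: $workdir"
        hits=$((hits + 1))
        # 2. Downloaded archive and main script; the advisory prints the
        #    names in upper case, so match without regard to case.
        for name in ramen.tgz start.sh; do
            found=$(find "$workdir" -type f -iname "$name" 2>/dev/null)
            if [ -n "$found" ]; then
                echo "FOUND file:   $found"
                hits=$((hits + 1))
            fi
        done
    fi

    # 3. index.html files carrying the defacement text.
    #    -xdev keeps the sweep on one filesystem (skips /proc and the like);
    #    "|| true" because find reports failure when grep matches nothing.
    defaced=$(find "${root:-/}" -xdev -type f -iname 'index.html' \
        -exec grep -l 'RameN Crew' {} + 2>/dev/null || true)
    if [ -n "$defaced" ]; then
        printf '%s\n' "$defaced" | sed 's/^/FOUND page:   /'
        n=$(printf '%s\n' "$defaced" | grep -c .)
        hits=$((hits + n))
    fi

    RAMEN_HITS=$hits              # number of indicators seen
    [ "$hits" -eq 0 ]             # status 0 = clean, 1 = indicators present
}

# Run only when a path is given, so sourcing the file has no side effects.
if [ "$#" -gt 0 ]; then
    ramen_check "$1"
fi
```

A clean result only means these specific traces are absent; a host running the affected services unpatched is still exposed.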
"It is important to emphasize that the breaches exploited by the "Ramen" worm are also found on other Linux distributions, such as Caldera OpenLinux, Conectiva Linux, Debian Linux, HP-UX, Slackware Linux and others. This particular worm is triggered to activate only on systems running Red Hat Linux. However, it is probable that in the future other modifications of "Ramen" will successfully operate on other Linux platforms," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab. "Therefore we recommend that users immediately install patches for these breaches regardless of the Linux distribution you use."

More details about "Ramen" can be found in Kaspersky's Virus Encyclopedia at http://www.viruslist.com

To date, Kaspersky Lab has received no reports of this worm being found "in the wild". Nevertheless, we recommend that users download the daily update for the Kaspersky Anti-Virus (AVP) database, which contains protection against the "Ramen" worm.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store.

Notes to Editors

A screenshot of the displayed message is available; please contact Sara Claridge on 0118 9755188 or email firstname.lastname@example.org

About Kaspersky Lab

Kaspersky Lab Ltd. is a fast-growing, international, privately owned data-security software-development company with offices in Moscow (Russia), Cambridge (UK) and Walnut Creek (United States). Founded in 1997, the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security-related Internet information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.

Media Contacts

Denis Zenkin
Kaspersky Lab, Ltd.
Phone: +7 (095) 797 87 00
E-mail: email@example.com
WWW: http://kaspersky.com

Sara Claridge
Marylebone Media Relations
Phone: +44 118 975 5188
E-mail: firstname.lastname@example.org

This press release was distributed by ResponseSource Press Release Wire on behalf of Marylebone Media Relations in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms. For more information visit https://pressreleasewire.responsesource.com/about.