Ramen: a Linux worm worth paying attention to

Ramen is a worm spreading on Linux hosts since mid-January. It targets default installations of Red Hat 6.2 and 7.0, exploiting three known vulnerabilities in services enabled by default. By the available estimates it has compromised tens of thousands of hosts in its first three weeks.

This is the Linux-targeted worm I predicted.

What Ramen does

The worm exploits three specific vulnerabilities, all patched months ago:

rpc.statd buffer overflow. Heap-overflow in the rpc.statd daemon used by NFS for status notification.

LPRng format-string vulnerability. Format-string bug in the LPRng line printer daemon.

wu-ftpd format-string vulnerability. Yet another wu-ftpd issue, this time format-string.

All three services are enabled by default in Red Hat 6.2 and 7.0. Hosts that received their security updates are not vulnerable; hosts that did not are.

Once a host is compromised, Ramen:

  1. Defaces any web pages on the host.
  2. Installs itself as a daemon that scans random IP ranges.
  3. Uses the same three exploits against any vulnerable host it finds.
  4. Sends an email to a fixed address with the IP of the newly-compromised host.

Why this matters

Linux is no longer a niche target. The platform-diversity argument I have been making — that running Linux is structurally protective because attackers focus on Windows — is being eroded as Linux installations grow.

Default configurations remain the problem. All three of Ramen's exploited vulnerabilities are in services enabled by default in standard Linux distributions. The same observation I have been making about Microsoft's defaults applies to Linux.

The patching gap is universal. The vulnerabilities Ramen exploits were patched months ago. The pattern is the same one seen with BIND and IIS. Linux operators are not, on average, faster at patching than Windows operators.

Defacement is the visible part of a larger compromise. A future worm targeting the same vulnerabilities could do the same compromise without the defacement, and would go undetected on the same population for longer.

What operators should do

Apply all current security updates. Distribution patches for these specific vulnerabilities are months old.

Disable services you do not need. rpc.statd, LPRng and wu-ftpd are all useful if you need them. Most Linux servers do not need all three.

Run anomaly detection on outbound traffic. A compromised Linux host running Ramen scans aggressively. The scan traffic is detectable on outbound interfaces with structured-log analysis.
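As an added example (not from the original post), here is the kind of structured-log analysis that paragraph describes: a small Python detector that reads outbound-connection log lines, keeps a sliding time window per source host, and flags any source that reaches many distinct destinations within that window, which is what aggressive scanning looks like from the inside. The log lines are constructed for this example in an iptables-style key=value layout; the field names, the window size and the threshold are assumptions, not anything the post specifies. The watched ports are simply the ones the three services on the page sit behind (21/tcp ftp, 515/tcp lpd, 111/tcp portmapper, which rpc.statd registers with).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of outbound-connection log lines (written for this example, not captured traffic).
# 192.0.2.30 touches six hosts slowly, 192.0.2.10 touches six hosts in eight seconds, 192.0.2.20 is normal.
SAMPLE_LOG = """\
Jan 20 03:00:00 www kernel: OUT=eth0 SRC=192.0.2.30 DST=203.0.113.1 PROTO=TCP DPT=111 SYN
Jan 20 03:01:30 www kernel: OUT=eth0 SRC=192.0.2.30 DST=203.0.113.2 PROTO=TCP DPT=111 SYN
Jan 20 03:03:00 www kernel: OUT=eth0 SRC=192.0.2.30 DST=203.0.113.3 PROTO=TCP DPT=111 SYN
Jan 20 03:04:30 www kernel: OUT=eth0 SRC=192.0.2.30 DST=203.0.113.4 PROTO=TCP DPT=111 SYN
Jan 20 03:06:00 www kernel: OUT=eth0 SRC=192.0.2.30 DST=203.0.113.5 PROTO=TCP DPT=111 SYN
Jan 20 03:07:30 www kernel: OUT=eth0 SRC=192.0.2.30 DST=203.0.113.6 PROTO=TCP DPT=111 SYN
Jan 20 03:14:07 www kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=111 SYN
Jan 20 03:14:08 www kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.6 PROTO=TCP DPT=21 SYN
Jan 20 03:14:09 www kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP DPT=111 SYN
Jan 20 03:14:11 www kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.8 PROTO=TCP DPT=21 SYN
Jan 20 03:14:12 www kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=111 SYN
Jan 20 03:14:15 www kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.10 PROTO=TCP DPT=515 SYN
Jan 20 03:14:20 www kernel: OUT=eth0 SRC=192.0.2.20 DST=198.51.100.44 PROTO=TCP DPT=80 SYN
Jan 20 03:14:21 www kernel: OUT=eth0 SRC=192.0.2.20 DST=198.51.100.44 PROTO=TCP DPT=443 SYN
"""

# Assumed line layout: syslog timestamp, host, "kernel:", then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?DPT=(?P<dpt>\d+)"
)

# Ports of the three services named on the page: ftp, portmapper (rpc.statd), lpd.
WATCHED_PORTS = {21, 111, 515}


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
    return ts, m["src"], m["dst"], int(m["dpt"])


def find_scanners(log_text, window_seconds=60, min_distinct_dst=5):
    """Flag every source that reaches >= min_distinct_dst distinct hosts inside any
    window_seconds span. Returns {src: {distinct_hosts, ports_seen, watched_hits}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[src].append((ts, dst, dport))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                       # chronological order per source
        in_window = Counter()            # dst -> hits inside the current window
        left, best = 0, 0
        for ts, dst, _dport in evs:
            in_window[dst] += 1
            # slide the left edge forward until the window is at most window_seconds wide
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            best = max(best, len(in_window))
        if best >= min_distinct_dst:
            flagged[src] = {
                "distinct_hosts": best,
                "ports_seen": sorted({dport for _, _, dport in evs}),
                "watched_hits": sum(1 for _, _, dport in evs if dport in WATCHED_PORTS),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_hosts']} hosts in 60s, ports {info['ports_seen']}, "
              f"{info['watched_hits']} hits on watched ports")
```

On the constructed sample only 192.0.2.10 is flagged: the slow source never has more than one destination inside any 60-second window, and the normal host keeps talking to the same server. The distinct-destination count is the useful signal; the watched-port count is a secondary hint that helps an operator triage which alerts to look at first.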

Watch web-server defacement. A simple cron job that hashes your web-root index files and alerts on changes catches the most obvious symptom of compromise.
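An added example of the hashing cron job described above (written for this page, not the author's own script): it snapshots the SHA-256 of every index file under a web root, stores the baseline as JSON, and on each later run reports files that were modified, added or removed. The file-name patterns, the baseline path and the exit-code convention are assumptions; the demo web root is constructed in a temporary directory so the script runs stand-alone.

```python
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

# Assumed set of index file names worth watching; extend to taste.
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large pages do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(web_root, names=INDEX_NAMES):
    """Map each index file under web_root (path relative to the root) to its hash."""
    root = Path(web_root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file() and p.name in names}


def compare(baseline, current):
    """Diff two snapshots; every list empty means nothing changed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def save_baseline(path, snap):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check(web_root, baseline_path):
    """Cron entry point: compare the live web root against the stored baseline."""
    return compare(load_baseline(baseline_path), snapshot(web_root))


def run_demo():
    """Self-contained run on a constructed web root: clean check, then a changed page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        (root / "blog").mkdir(parents=True)
        (root / "index.html").write_text("<html>welcome</html>")
        (root / "blog" / "index.html").write_text("<html>blog</html>")
        (root / "logo.png").write_bytes(b"constructed, not watched")
        baseline = Path(tmp) / "baseline.json"
        save_baseline(baseline, snapshot(root))
        clean = check(root, baseline)
        # Alter the front page and drop a new index file, as a tamper test for the check.
        (root / "index.html").write_text("<html>changed</html>")
        (root / "blog" / "index.htm").write_text("<html>new</html>")
        return {"clean": clean, "after": check(root, baseline)}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # cron usage: check_webroot.py WEB_ROOT BASELINE_JSON
        web_root, baseline_path = sys.argv[1], sys.argv[2]
        if not os.path.exists(baseline_path):   # first run records the baseline
            save_baseline(baseline_path, snapshot(web_root))
            sys.exit(0)
        diff = check(web_root, baseline_path)
        print(json.dumps(diff, indent=2))
        sys.exit(1 if any(diff.values()) else 0)  # non-zero exit makes cron mail the report
    print(json.dumps(run_demo(), indent=2))
```

Run it once by hand to write the baseline, then from cron every few minutes; cron mails any output from a failing job, so the JSON diff becomes the alert. Re-run the baseline step deliberately after each legitimate site update, otherwise the next check reports your own change.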

What I have done

My hosts are running current patches; affected services are not enabled where not needed; my Snort sensor has rules for the specific exploitation patterns. Ramen-related scan traffic against my range has been substantial — about 200 distinct sources in three weeks, hitting rpc.statd and wu-ftpd specifically.

For my calibration discipline, I am marking prediction 6 ("a specific Linux-targeted worm") as resolved on the affirmative side. The 55% probability I had assigned to it was too low; with hindsight, the conditions made this very likely.

