“The Ramen worm targets Red Hat Linux systems specifically. It
searches the Internet piece by piece, looking for vulnerable Red
Hat boxes, and when it finds one it intrudes through a
vulnerability in one of three Linux programs: the Remote Procedure
Call service, the default file transfer protocol (FTP) service, or
the print service. Once inside, the worm installs a malicious
program on the compromised server, and spreads from there to other
Red Hat computers.”
“That sounds common enough. That’s how all worms work — a
specific vulnerability in a specific operating system is targeted,
and once a worm is let loose on the Internet, it compromises as
many computers running the operating system with that vulnerability
as it can find. What makes Ramen unique, though, is what the
program it installs does. Among other things, Ramen looks for
index.html files that it can overwrite.”
“How can the Ramen worm be stopped? The same way any other
worm is stopped: starve it. Administrators of all Linux and other
Unix-based systems must take the time to secure all servers in
their care. While the Ramen worm targets Red Hat, the
vulnerabilities it exploits are present in other Linux
distributions, as well as in certain *BSD distributions. It is of
paramount importance that administrators stop putting Linux servers
on the Internet in a default installation. Basic hardening and
security measures must be taken first. If Linux administrators
cannot be more responsible in the future than those who are still
running a vulnerable rpc.statd, then the Ramen worm will continue
to flourish.”
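
A check for the three service classes the quoted article names, as an added example that is not part of the article: it parses `rpcinfo -p` and `ss -ltn` output and reports rpc.statd registrations plus FTP or print listeners bound to a non-loopback address. The sample inputs are constructed, and the program and port numbers are standard assignments assumed here, not values from the page.

```python
# Added example: inputs below are constructed samples, not captured from a real host.
RPC_STATUS_PROG = 100024  # ONC RPC program number of "status" (rpc.statd); assumed, not from the page
WATCHED_TCP = {21: "FTP service", 515: "print service (lpd)"}  # standard ports, assumed

SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
"""

SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
LISTEN 0      128    127.0.0.1:515      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::1]:21           [::]:*
"""

def statd_registrations(rpcinfo_text):
    """(proto, port) pairs under which rpc.statd is registered with the portmapper."""
    found = set()
    for line in rpcinfo_text.splitlines():
        f = line.split()  # columns: program vers proto port service
        if len(f) >= 4 and f[0].isdigit() and int(f[0]) == RPC_STATUS_PROG:
            found.add((f[2], int(f[3])))
    return sorted(found)

def exposed_listeners(ss_text):
    """{port: label} for watched TCP services listening on a non-loopback address."""
    exposed = {}
    for line in ss_text.splitlines():
        f = line.split()  # columns: State Recv-Q Send-Q Local Peer
        if len(f) < 4 or f[0] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")
        loopback = addr.startswith("127.") or addr in ("[::1]", "::1")
        if port.isdigit() and int(port) in WATCHED_TCP and not loopback:
            exposed[int(port)] = WATCHED_TCP[int(port)]
    return exposed

def audit(rpcinfo_text, ss_text):
    """Human-readable findings for the services the article lists as worm entry points."""
    findings = [f"rpc.statd registered on {proto}/{port}" for proto, port in statd_registrations(rpcinfo_text)]
    findings += [f"{label} listening on tcp/{port}" for port, label in sorted(exposed_listeners(ss_text).items())]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RPCINFO, SAMPLE_SS)))
```

On a real host, feed the functions the live output of the two commands; any finding is a service to disable, patch, or firewall before the machine faces the Internet.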