Linux worm hits NASA, others

• By Dan Caterinicchia, Dan Caterinicchia
• Jan 25, 2001

More info and a sample defaced page

Government, educational and commercial institutions worldwide, including NASA and Texas A&M University, have been hit by the first public, malicious code for the Linux operating system.

And perhaps even more alarming is the fact that security patches to prevent the worm from spreading have been available for five months, according to Kaspersky Lab, a data-security software-development company.

The Ramen Internet worm has caused several Web sites around the globe to be defaced. These organizations' Web sites have been attacked by the worm, which causes the sites' title pages to appear with:

• A "RameN Crew" headline across the top.
• The saying, "Hackers looooooooooooooooove noodles" in the middle.
• "This site powered by Top Ramen," with a logo for the product, across the bottom.

Nissin Foods produces Ramen food products, including the popular Top Ramen and Cup Noodles.

"At the moment only one machine was compromised by it," said Tom Putnam, director of computing and information services at Texas A&M. The worm exploits the FTP to get in, he said, adding that FTP capability is blocked by the school's firewall on most of A&M's systems, including the infected one.

Putnam said the university has more than 26,000 IP locations and therefore one machine being hit by the worm did not cause much alarm. "It was a departmental Web server for one of our academic departments," he said. "We have a full-time staff that does nothing but track people doing scans, trying to exploit things or creating worms and viruses. This is very low-profile in the overall scheme of things."

Repeated attempts to reach representatives at NASA and Nissin were unsuccessful.

The Ramen worm has the ability to spread via the Internet and penetrate systems running Red Hat Linux versions 6.2 and 7.0. In order to gain access to a computer, the worm exploits three known security breaches in the operating systems. The breaches allow the Ramen worm to take over the root access rights and, unbeknownst to the user, execute its code on the target systems.

Red Hat discovered the security breaches last year and developers released corresponding patches to eliminate the problem in September. The patches can be downloaded at www.redhat.com/support/alerts/ramen_worm.html.

During the past several days, Kaspersky Lab received confirmation of Ramen penetrating several networks, including those at NASA, Texas A&M and a Taiwan-based computer hardware manufacturer.

The discovery of the Ramen worm "in the wild" is a significant moment in computer history, said Denis Zenkin, head of corporate communications for Kaspersky Lab.

Previously considered as an absolutely secure operating system, Linux now has become another victim to computer "malware," he said. During the eight years since Linux was first developed, about 50 malicious programs have been discovered for the operating system, but none had been sighted "in the wild."

"The fact that Ramen penetrated into several respected organizations, including NASA, shows that even the most professional network engineers don't pay enough attention to timely installation of security patches in order to protect their systems," Zenkin said in a release. "This worries us most, as neglecting basic enterprise security rules can stimulate hackers to develop malicious code for Linux."