January 26, 2001, 12:56 PM — A Linux-based Internet worm known as Ramen -- named after the popular noodle soup -- has been seen in the wild affecting systems that run Red Hat Inc.'s 6.2 or 7.0 versions of the open-source OS, several Web security observers report.
The worm has struck a server at the U.S. National Aeronautics and Space Administration (NASA) Jet Propulsion Lab in California, a University of Texas A&M server and one operated in Taiwan by server vendor Supermicro Computer Inc., according to Attrition.org, a site that chronicles Web site defacements. The worm has been known of since about September 2000 when Red Hat developed a patch addressing the pesky worm.
The worm only affects servers running Red Hat's Linux and not any of Microsoft Corp.'s operating systems, computer security company Symantec Corp. said. The worm apparently hits sites that run Red Hat Linux and then spreads itself by locating like servers running the same OS.
Three known security breaches are struck by the Ramen worm, according to Kaspersky Lab International, an international data-security software-development company in Cambridge, U.K., in a statement. The breaches allow Ramen to take over root access rights and unbeknownst to the user execute its code on target file systems.
The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, in Pittsburgh, which put out an advisory about the Ramen worm on Jan. 18, warns that the worm could damage or alter Web-related files and system files. It also might create denial-of-service (DoS) conditions when altered or when destroyed files are not available. Ramen worm victims also are at high risk for "being party to attacks on other Internet sites," according to CERT's advisory.
If the worm does hit a system, it modifies the index.html file and defaces the Web site. It ultimately replaces the index.html file with the words "RameN Crew" and "Hackers looooooooooooooooove noodles." Then a message appears that says "This site powered by" and a picture of a Top Ramen noodles package is displayed, according to Symantec.
Red Hat has received some calls recently to its tech-support crew to assist with working through problems from the worm, said Melissa London, a spokeswoman for the company. But there have not been a lot of tech-support requests, she said. If users were on top of the patch notification, they should not be having problems, she said.
Red Hat, in Durham, North Carolina, can be reached at +1-919-547-0012 or http://www.redhat.com/. Symantec, in Cupertino, California, can be reached at +1-408-253-9600 or http://www.symantec.com/. CERT, at the Carnegie Mellon University, in Pittsburgh, can be reached at http://www.cert.org/. Kaspersky Lab, in Cambridge, U.K, can be reached at http://www.kaspersky.com/.