DATE: January 24, 2001
Ramen worm propagation methods are detected by Symantec security products
Symantec's suite of security products is currently capable of detecting the intrusion methods used by the ramen worm now in circulation.
Ramen is a worm that exploits well-known Linux vulnerabilities to propagate and to compromise privileged access on the systems it infects. Specifically targeting Red Hat Linux, ramen will exploit one of the following three vulnerabilities, depending on the version of Red Hat it encounters: rpc.statd, WU-FTP site exec, or LPRng. If the system encountered by the worm is Red Hat 6.x, then the rpc.statd and/or WU-FTP site exec vulnerabilities will be exploited. If Red Hat 7.0 is encountered, then the LPRng exploit is attempted. All three of these vulnerabilities are well known, and vendor patches were available prior to ramen's release. However, many systems remain unpatched, contributing to the successful spread of ramen.
Symantec's NetProwler, a network intrusion detection tool, is capable of detecting all three exploitation methods used by ramen when Security Update 3 (SU3) is installed. Intruder Alert, a host-based intrusion detection tool, has a Linux agent available through your sales representative. With this Linux agent, Intruder Alert is capable of detecting both the rpc.statd and LPRng exploit methods used by ramen. Symantec's Enterprise Security Manager (ESM), a host-based security auditing tool, may be configured through data-driven templates to detect all three vulnerabilities.
Additional Resources
CERT Advisory CA-2000-22
CERT Incident Note IN-2001-01
ZDNet News Article on ramen
Symantec SWAT article on Linux vulnerabilities
Last modified on: Friday, 14-Feb-2003 13:25:14 PST