New hacker software (Trinoo) could spread by email
By John Borland
February 23, 2000, 4:35 a.m. PT
http://home.cnet.com/category/0-1005-200-1555637.html
A group of anonymous programmers has released a new version of the software that may have helped shut down Yahoo and Amazon.com earlier this month--one that makes it far easier to launch attacks, computer experts say.
The tools, a new version of a software package dubbed "Trinoo," could allow attackers to infiltrate ordinary desktop computers through an innocent-looking email attachment. These computers--particularly those connected to high-speed Internet services--could then be used as unwitting accomplices in assaults on other Web sites, security analysts say.
"(The previous attacks) took someone who knew what they were doing," Trend Micro spokesman David Perry said. "This turns it into a kid-on-the-street problem."
The release of these tools follows some of the highest-profile computer attacks in the Web's history. Using a method dubbed "distributed denial of service attacks," computer vandals left Yahoo, Amazon, eBay and a handful of other big Web sites paralyzed for hours at a time by swamping them with a multitude of simultaneous requests.
The attacks have spurred law enforcement investigations around the globe, but the FBI has not reported any major breakthroughs in the case.
Some speculation has centered on several individuals with hacker nicknames like "mafiaboy." Canadian authorities investigated an Internet service provider last week that once hosted a "mafiaboy" hacker-related site. But Canadian police said today that they had no progress to report in their investigation.
Although no conclusive evidence has been released on exactly what tools were used in the denial of service attacks, recent speculation has focused on tools with names like Trinoo, Tribe Flood Network and Stacheldraht (German for "barbed wire").
These tools allow an attacker to place agents on "zombie" computers around the world and then wake them up simultaneously to launch a crippling stream of Web traffic at a target site. Security officials at the FBI and other computer security agencies have been warning of the danger these tools pose for several months and have provided software to help guard against their use.
But the new version of Trinoo heightens the danger because it makes attacks easier to launch.
Because the new version can infiltrate Windows NT-, Windows 95- and Windows 98-based machines, far more computers are at risk of becoming hosts.
The Windows version also allows the tools to be spread as apparently innocuous email attachments, much like ordinary viruses. Computer security experts say they haven't seen this happen yet, but that the Windows platform makes it relatively easy to do.
"This does make (denial of service attacks) easier," said Elias Levy, chief technical officer for SecurityFocus.com, a computer security Web site. "Not that it required a lot of intelligence or skill before. But this does bring it down another notch."
The new tools are largely a threat to users with always-on DSL (digital subscriber line) or cable modem connections, analysts said.
This kind of threat has been seen before with the Back Orifice software, Levy noted. That package, once surreptitiously installed on a system, allows an outside person to control the computer remotely. The Trinoo package is geared more specifically for launching denial of service attacks, however.
Most of the major antivirus firms have already developed or are developing tools to scan for and remove the new Trinoo software.
ALSO ....
SUBJECT: NIPC INFORMATION SYSTEM ADVISORY 00-035: WIN9X VERSION OF DDOS TOOL.
1. THE NATIONAL INFRASTRUCTURE PROTECTION CENTER (NIPC) RECENTLY RECEIVED INFORMATION INDICATING THE POTENTIAL OF A WIN9X VERSION OF DISTRIBUTED DENIAL OF SERVICE (DDOS) TOOLS IN THE WILD. THE TOOL IS INITIALLY BELIEVED TO BE SIMILAR TO THE "TRINOO" AND "TRIBE FLOOD NETWORK (TFN)" UNIQUE TOOLS. NIPC DETERMINED THAT THE TOOL WAS FOUND ON 16 WINDOWS 98 MACHINES ON A UNIVERSITY NETWORK AND THAT THE TOOLS WERE INITIATING UDP PACKETS. EACH OF THE 16 SYSTEMS WAS FOUND TO CONTAIN A COPY OF BACK ORIFICE. THE INFECTED MACHINES APPEAR TO HAVE COMMUNICATED WITH A CONTROLLING NODE USING UDP PACKETS AND THE 'PNG' AND 'PONG' DATA USING THE FOLLOWING PORTS: 'PNG' RECEIVED BY INFECTED MACHINES ON DESTINATION PORT 34555/UDP, 'PONG' SENT BACK TO CONTROLLING NODE ON DESTINATION PORT 35555/UDP. THESE TOOLS WERE DETECTED BY THE SYSTEM ADMINISTRATOR DUE TO A HIGH VOLUME OF TRAFFIC.
ANALYSIS DETERMINED THAT THE TRINOO-LIKE AGENT APPEARED TO BE RUNNING AS "SERVICE.EXE", THAT IT STARTED FROM THE RUN REGISTRY ENTRY, AND THAT IT LISTENED ON UDP PORT 34555 WHILE RUNNING. PARTIAL OUTPUT OF THE UNIX STRINGS COMMAND AGAINST THE SERVICE.EXE BINARY INCLUDED THE FOLLOWING LINES:
C:\LCC\TRINOO\NSFORK.C
LCCCRTO.C
,LOGICIELS/INFORMATIQUE LCC-WIN32 VERSION 3.0
C:\LCC\TRINOO\LCC\_.EXE
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
PNG
BBB
AAA
THE LINE "C:\LCC\TRINOO\LCC\_.EXE" INDICATES THAT ON THE INFECTED MACHINES THE BACK ORIFICE SERVER FILE NAME IS "_.EXE".
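The advisory's network indicators (a 'png' delivered to the agent on 34555/udp, answered by a 'pong' to the controlling node on 35555/udp) can be checked against flow logs. The following is an added detection example, not part of the advisory or of any NIPC tooling; the log format, the host addresses and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Ports and payloads as given in the NIPC advisory: the agent receives
# "png" on UDP 34555 and answers the controlling node with "pong" on UDP 35555.
AGENT_PORT = 34555
CONTROLLER_PORT = 35555


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


# Constructed sample UDP flow log (hypothetical format, one datagram per line):
# "<src>:<sport> -> <dst>:<dport> <payload>"
SAMPLE_LOG = """\
10.9.8.7:1029 -> 192.168.1.20:34555 png
192.168.1.20:1031 -> 10.9.8.7:35555 pong
10.9.8.7:1029 -> 192.168.1.21:34555 png
192.168.1.21:1033 -> 10.9.8.7:35555 pong
192.168.1.22:1040 -> 192.168.1.2:53 dnsquery
10.9.8.7:1029 -> 192.168.1.23:34555 png
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log format into Flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return flows


def find_trinoo_agents(flows: List[Flow]) -> Dict[str, str]:
    """Return {agent_ip: controller_ip} for hosts that received a 'png' on
    34555/udp and replied with a 'pong' to that same peer on 35555/udp.
    A host that was only pinged (no pong) is not reported as an agent."""
    pinged = defaultdict(set)  # candidate agent -> set of peers that sent png
    for f in flows:
        if f.dport == AGENT_PORT and f.payload == "png":
            pinged[f.dst].add(f.src)
    agents = {}
    for f in flows:
        if f.dport == CONTROLLER_PORT and f.payload == "pong" and f.dst in pinged.get(f.src, set()):
            agents[f.src] = f.dst
    return agents


if __name__ == "__main__":
    for agent, ctl in sorted(find_trinoo_agents(parse_log(SAMPLE_LOG)).items()):
        print(f"suspected Trinoo agent {agent} answering controlling node {ctl}")
```

Hosts that only receive the 'png' without answering (192.168.1.23 in the sample) are worth a look too, but the example reports only the confirmed two-way exchange.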
2. DDOS BINARIES HAVE BEEN DISSEMINATED TO ANTI-VIRUS VENDORS FOR POSSIBLE DESIGN OR MODIFICATION OF PRODUCTS TO DEFEAT THIS DDOS TOOL. BINARIES HAVE ALSO BEEN SENT TO CARNEGIE MELLON CERT/CC. NIPC REQUESTS THAT ALL COMPUTER NETWORK OWNERS AND ORGANIZATIONS EXPEDITIOUSLY EXAMINE THEIR SYSTEMS FOR EVIDENCE OF THIS DENIAL OF SERVICE TOOL. RECIPIENTS ARE ASKED TO REPORT SIGNIFICANT OR SUSPECTED CRIMINAL ACTIVITY TO THEIR LOCAL FBI OFFICE, NIPC WATCH/WARNING UNIT, COMPUTER EMERGENCY RESPONSE SUPPORT AND OTHER LAW ENFORCEMENT AGENCIES, AS APPROPRIATE. THE NIPC WATCH AND WARNING UNIT CAN BE REACHED AT (202)323-3204/3205/3206, OR NIPC.WATCH@FBI.GOV.