New hacker software ( TRINOO) could spread by email
New hacker software could spread by email
By John Borland
February 23, 2000, 4:35 a.m. PT
A group of anonymous programmers has released a new version of the software that may have
helped shut down Yahoo and Amazon.com earlier this month--one that makes it far easier to launch
attacks, computer experts say.
The tools, a new version of a software package dubbed "Trinoo," could allow attackers to infiltrate
ordinary desktop computers though an innocent-looking email attachment. These
computers--particularly those connected to high-speed Internet services--could then be used as
unwitting accomplices in assaults on other Web sites, security analysts say.
"(The previous attacks) took someone who knew what they were doing," Trend Micro spokesman
David Perry said. "This turns it into a kid-on-the-street problem."
The release of these tools follows some of the highest-profile computer attacks in the Web's
history. Using a method dubbed "distributed denial of service attacks," computer vandals
successfully rendered Yahoo, Amazon, eBay and a handful of other big Web sites paralyzed for
hours at a time by swamping them with a multitude of simultaneous requests.
The attacks have spurred law enforcement investigations around the globe, but the FBI has not
reported any major breakthroughs in the case.
Some speculation has centered on several individuals with hacker nicknames like "mafiaboy."
Canadian authorities investigated an Internet service provider last week that once hosted a
"mafiaboy" hacker-related site. But Canadian police said today that they had no progress to report in
Although no conclusive evidence has been released on exactly what tools were used in the denial of
service attacks, recent speculation has focused on tools with names like Trinoo, Tribe Flood
Network and Stacheldracht (German for "barbed wire").
These tools allow an attacker to place agents on "zombie" computers around the world and then
wake them up simultaneously to launch a crippling stream of Web traffic at a target site. Security
officials at the FBI and other computer security agencies have been warning of the danger these
tools pose for several months and have provided software to help guard against their use.
But the new version of Trinoo heightens the danger because it makes attacks easier to launch.
Because the new version can infiltrate Windows NT-, Windows 95- and Windows 98-based
machines, far more computers are at risk of becoming hosts.
The Windows version also allows the tools to be spread as apparently innocuous email
attachments, much like ordinary viruses. Computer security experts say they haven't seen this
happen yet, but that the Windows platform makes it relatively easy to do.
"This does make (denial of service attacks) easier," said Elias Levy, chief technical officer for
SecurityFocus.com, a computer security Web site. "Not that it required a lot of intelligence or skill
before. But this does bring it down another notch."
The new tools are largely a threat to users with always-on DSL (digital subscriber line) or cable
modem connections, analysts said.
This kind of threat has been seen before with the Back Orifice software, Levy noted. That package,
once surreptitiously installed on a system, allows an outside person to control the computer
remotely. The Trinoo package is geared more specifically for launching denial of service attacks,
Most of the major antivirus firms have already developed or are developing tools to scan for and
remove the new Trinoo software.
SUBJECT: NIPC INFORMATION SYSTEM ADVISORY 00-035: WIN9X VERSION OF DDOS TOOL.
1. THE NATIONAL INFRASTRUCTURE PROTECTION CENTER (NIPC) RECENTLY RECEIVED INFORMATION INDICATING THE POTENTIAL OF A WIN9X VERSION OF DISTRIBUTED DENIAL OF SERVICE (DDOS) TOOLS IN THE WILD. THE TOOL IS INITIALLY BELIEVED TO BE SIMILAR TO THE "TRINOO" AND "TRIBE FLOOD NETWORK (TFN)" UNIQUE TOOLS. NIPC DETERMINED THAT THE TOOL WAS FOUND ON 16 WINDOWS 98 MACHINES ON A UNIVERSITY NETWORK AND THAT THE TOOLS WERE INITIATING UDP PACKETS. EACH OF THE 16 SYSTEMS WERE FOUND TO CONTAIN A COPY OF BACK ORIFICE. THE INFECTED MACHINES APPEAR TO HAVE COMMUNICATED WITH A CONTROLLING NODE USING UDP PACKETS AND THE PNG' AND PONG' DATA USING THE FOLLOWING PORTS: PNG' RECEIVED BY INFECTED MACHINES ON DESTINATION PORT 34555/UDP, PONG' SENT BACK TO CONTROLLING NODE ON DESTINATION PORT 35555/UDP. THESE TOOLS WERE DETECTED BY THE SYSTEM ADMINISTRATOR DUE TO A HIGH VOLUME OF TRAFFIC.
ANALYSIS DETERMINED THAT THE TRINOO-LIKE AGENT APPEARED TO BE RUNNING AS "SERVICE EXE", AND THAT IT STARTED IN THE RUN REGISTRY ENTRY, AND LISTENED ON UDP PORT 34555 WHILE RUNNING. PARTIAL OUTPUT OF UNIX STRING COMMAND AGAINST THE SERVICE.EXE BINARY INCLUDED THE FOLLOWING LINES:
,LOGICIELS/INFORMATIQUE 1CC-WIN32 VERSION 3.0
THE LINE "C:\1CC\TRINOO\1CC\_.EXE" INDICATES ON THE INFECTED MACHINES THE BACK ORIFICE SERVER FILE NAME IS "_.EXE".
2. DDOS BINARIES HAVE BEEN DISSEMINATED TO ANTI-VIRUS VENDORS FOR POSSIBLE DESIGN OR MODIFICATION OF PRODUCTS TO DEFEAT THIS DDOS TOOL. BINARIES HAVE ALSO BEEN SENT TO CARNEGIE MELLON CERT/CC. NIPC REQUEST THAT ALL COMPUTER NETWORK OWNERS AND ORGANIZATIONS EXPEDITIOUSLY EXAMINE THEIR SYSTEMS FOR EVIDENCE OF THIS DENIAL OF SERVICE TOOL. RECIPIENTS ARE ASKED TO REPORT SIGNIFICANT OR SUSPECTED CRIMINAL ACTIVITY TO THEIR LOCAL FBI OFFICE, NIPC WATCH/WARNING UNIT, COMPUTER EMERGENCY RESPONSE SUPPORT AND OTHER LAW ENFORCEMENT AGENCIES, AS APPROPRIATE. THE NIPC WATCH AND WARNING UNIT CAN BE REACHED AT (202)323-3204/3205/3206, OR NIPC.WATCH@FBI.GOV.