ISS Security Alert Update
February 28, 2000
trin00 for Windows Distributed Denial of Service Attack Tool
A new version of trin00 that runs on Microsoft Windows machines has been
discovered. Trin00 was first discussed in the ISS Security Alert "Denial of
Service Attack Using the trin00 and Tribe Flood Network Programs" on
December 7, 1999, and available at
http://xforce.iss.net/alerts/advise40.php3. The executable that has been
found is a trin00 daemon. It is unclear if there is a Windows version of the
trin00 master or if the Windows daemons are controlled by a Unix master.
The Windows version of trin00 is similar to the Unix version. The daemon for
Windows trin00 listens on port 34555, while the Unix version listens by
default on port 27444. Unlike the Unix version of the trin00 daemon, the
Windows daemon does not try to contact the master server to register. The
ISS X-Force believes that this is to prevent someone who finds the daemon on
a Windows machine from finding the IP address of the master by looking in
the binary executable. In the Unix version of trin00, it is possible to
retrieve the IP address of the master by examining the binary executable.
The password used for the UDP communications between master and daemon is
also different. In the Unix version, it is "l44adsl" by default. In the
Windows version, the default password is "..Ks".
It appears that Backdoors such as BackOrifice and SubSeven are being used in
conjunction with the deployment of trin00 for Windows. ISS strongly
recommends scanning your network for the presence of Windows Backdoors. ISS
SAFEsuite has signatures to detect most known Windows Backdoors. For more
information on Windows Backdoors, refer to X-Force advisories on
The ISS X-Force is updating the ISS SAFEsuite security assessment and
intrusion detection software, Internet Scanner and RealSecure, to detect
trin00 on these new ports.. If you find trin00 on a Windows machine, open the
registry, locate the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
and find the value named "System Services". The data will be "service.exe".
Delete this registry entry and then end the service.exe process on your
machine. To do this on Windows 95 and Windows 98, press CTRL+ALT+DEL to
display the Task List, and end the service.exe process. In Windows NT, start
Task Manager and end the service.exe process. Service.exe should be removed
from affected systems. By default, this file is located in the Windows
ISS Internet Scanner can be configured to scan Windows machines on your
network with the UDP Port Scanner turned on. The UDP Port Scanner is enabled
by selecting it under the Services category in the Policy Editor. The UDP
Port Scanner should be configured to scan port 34555. If machines are found
to be listening on this port, they may have Windows trin00 installed. It is
also recommended to scan your network for Backdoors. It is possible that
Backdoors are being used to install Windows trin00.
ISS RealSecure can be configured to look for UDP communications between the
trin00 master and agent by looking for UDP traffic over port 34555. Traffic
on this port may also indicate that trin00 is installed on a machine.
To prevent connections from Master machines to compromised hosts, block UDP
traffic on port 34555 on firewalls and routers.
About Internet Security Systems
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider protecting
digital assets and ensuring the availability, confidentiality and integrity
of computer systems and information critical to e-business success. ISS'
security management solutions protect more than 5,000 customers including 21
of the 25 largest U.S. commercial banks, 9 of the 10 largest
telecommunications companies and over 35 government agencies. Founded in
1994, ISS is headquartered in Atlanta, GA, with additional offices
throughout North America and international operations in Asia, Australia,
Europe and Latin America. For more information, visit the ISS Web site at
www.iss.net or call
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
firstname.lastname@example.org for permission.