ISS Security Alert Update
February 28, 2000
trin00 for Windows Distributed Denial of Service Attack Tool
Synopsis:
A new version of trin00 that runs on Microsoft Windows machines has been discovered. Trin00 was first discussed in the ISS Security Alert "Denial of Service Attack Using the trin00 and Tribe Flood Network Programs" on December 7, 1999, which is available at http://xforce.iss.net/alerts/advise40.php3. The executable that has been found is a trin00 daemon. It is unclear if there is a Windows version of the trin00 master or if the Windows daemons are controlled by a Unix master.
Description:
The Windows version of trin00 is similar to the Unix version. The daemon for Windows trin00 listens on port 34555, while the Unix version listens by default on port 27444. Unlike the Unix version of the trin00 daemon, the Windows daemon does not try to contact the master server to register. The ISS X-Force believes that this is to prevent someone who finds the daemon on a Windows machine from finding the IP address of the master by looking in the binary executable. In the Unix version of trin00, it is possible to retrieve the IP address of the master by examining the binary executable.
The password used for the UDP communications between master and daemon is also different. In the Unix version, it is "l44adsl" by default. In the Windows version, the default password is "[]..Ks".
It appears that Backdoors such as BackOrifice and SubSeven are being used in conjunction with the deployment of trin00 for Windows. ISS strongly recommends scanning your network for the presence of Windows Backdoors. ISS SAFEsuite has signatures to detect most known Windows Backdoors. For more information on Windows Backdoors, refer to X-Force advisories on http://xforce.iss.net.
Recommendations:
The ISS X-Force is updating the ISS SAFEsuite security assessment and intrusion detection software, Internet Scanner and RealSecure, to detect trin00 on these new ports. If you find trin00 on a Windows machine, open the registry, locate the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and find the value named "System Services". The data will be "service.exe". Delete this registry entry and then end the service.exe process on your machine. To do this on Windows 95 and Windows 98, press CTRL+ALT+DEL to display the Task List, and end the service.exe process. In Windows NT, start Task Manager and end the service.exe process. Service.exe should be removed from affected systems. By default, this file is located in the Windows system directory.
ISS Internet Scanner can be configured to scan Windows machines on your network with the UDP Port Scanner turned on. The UDP Port Scanner is enabled by selecting it under the Services category in the Policy Editor. The UDP Port Scanner should be configured to scan port 34555. If machines are found to be listening on this port, they may have Windows trin00 installed. It is also recommended to scan your network for Backdoors. It is possible that Backdoors are being used to install Windows trin00.
ISS RealSecure can be configured to look for UDP communications between the trin00 master and agent by looking for UDP traffic over port 34555. Traffic on this port may also indicate that trin00 is installed on a machine.
To prevent connections from Master machines to compromised hosts, block UDP traffic on port 34555 on firewalls and routers.
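The network check described above, as an added example that is not part of the original alert or any ISS product: it scans UDP flow records for the two trin00 daemon ports and, where a payload was captured, for the default password given in the Description. The CSV layout, the function name and the sample records are assumptions constructed for illustration, and the password match assumes the password appears in cleartext in the payload.

```python
import csv
import io
from collections import defaultdict

# Daemon ports and default passwords as stated in the alert.
TRIN00_DAEMONS = {
    34555: ("windows", "[]..Ks"),
    27444: ("unix", "l44adsl"),
}

# Constructed sample records using documentation IP ranges. The CSV layout is
# an assumption for this example, not a RealSecure or Internet Scanner format.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,payload
2000-02-28T10:00:01,udp,198.51.100.7,1027,192.0.2.10,34555,PLACEHOLDER []..Ks PLACEHOLDER
2000-02-28T10:00:02,udp,198.51.100.7,1027,192.0.2.11,34555,
2000-02-28T10:00:03,tcp,192.0.2.20,1030,192.0.2.10,34555,
2000-02-28T10:00:04,udp,192.0.2.30,53,192.0.2.12,1050,
2000-02-28T10:00:05,udp,198.51.100.9,1099,192.0.2.40,27444,
"""

def find_trin00_traffic(flow_csv):
    """Return (suspect daemon hosts, suspect master hosts) from flow records."""
    daemons = {}
    masters = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp":
            continue  # the master-to-daemon channel in the alert is UDP
        hit = TRIN00_DAEMONS.get(int(row["dport"]))
        if hit is None:
            continue
        variant, password = hit
        entry = daemons.setdefault(
            row["dst"], {"variant": variant, "password_seen": False})
        # A default password in the payload is a stronger signal than the port.
        if password in (row["payload"] or ""):
            entry["password_seen"] = True
        masters[row["src"]].add(row["dst"])
    return daemons, dict(masters)

if __name__ == "__main__":
    suspects, senders = find_trin00_traffic(SAMPLE_FLOWS)
    for host, info in sorted(suspects.items()):
        print(host, info)
    for host, targets in sorted(senders.items()):
        print("possible master", host, "->", sorted(targets))
```

A port match alone only marks a host for the registry and process checks described above; a source address that reaches several flagged hosts is a candidate master.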
About Internet Security Systems (ISS)
ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.