-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Internet Security Systems Security Alert
September 5, 2000
Trinity v3 Distributed Denial of Service tool
Synopsis:
A new Distributed Denial of Service tool, "Trinity v3", has been
discovered in the wild. There have been reports of up to 400 hosts
running
the Trinity agent. In one Internet Relay Chat (IRC) channel on the
Undernet network, there are 50 compromised hosts with Trinity
running,
with new hosts appearing every day. It is not known how many
different
versions of Trinity are in the wild.
Impact:
Distributed Denial of Service attacks can bring down a network by
flooding
target machines with large amounts of traffic. In February of this
year,
several of the Internet's biggest websites, including Yahoo,
Amazon.com,
Ebay and Buy.com were taken down for extended periods of time by
tools
similar to Trinity.
Description:
Trinity is a Distributed Denial of Service tool that is controlled by
IRC.
In the version that the X-Force has been analyzing, the agent binary
is
installed on a Linux system at /usr/lib/idle.so. When idle.so is
started,
it connects to an Undernet IRC server on port 6667. There is a list
of
servers in the binary:
204.127.145.17
216.24.134.10
208.51.158.10
199.170.91.114
207.173.16.33
207.96.122.250
205.252.46.98
216.225.7.155
205.188.149.3
207.69.200.131
207.114.4.35
When Trinity connects, it sets its nickname to the first 6 characters
of
the host name of the affected machine, plus 3 random letters or
numbers.
For example, the computer named machine.example.com would connect and
set
its nickname to machinabc, where abc is 3 random letters or numbers.
If
there is a period in the first 6 characters of the host name, the
period
is replaced by an underscore. In our copy of Trinity, it joins the
IRC
channel #b3eblebr0x using a special key. Once it's in the channel,
the
agent will wait for commands. Commands can be sent to individual
Trinity
agents, or sent to the channel and all agents will process the
command.
The flooding commands have this format: <flood> <password> <victim>
<time>, where flood is the type of flood, password is the agent's
password, victim is the victim's IP address, and time is the length
of
time to flood the agent, in seconds. The available flood types are
the
following:
tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"
Other available commands include:
ping: Ping each client. The client will respond with "(trinity)
someone
needs a miracle..."
size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies
with
" trinity v3 by self (an idle mind is the devil's playground)"
Another binary found on affected systems is /var/spool/uucp/uucico.
This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp. This is
a
simple backdoor program that listens on TCP port 33270 for
connections.
When a connection is established, the attacker sends a password to
get a
root shell. The password in the binaries that we have analyzed is
"!@#".
When the uucico binary is executed it changes its name to "fsflush".
Recommendations:
Scan all systems for port 33270 connections. If any connections are
found,
telnet to that port and type "!@#". A system has been compromised if
there
is a root shell present after a successful connection to port 33270.
Use "ps" and "lsof" in the following manner to identify a port-shell
installed by Trinity:
# /usr/sbin/lsof -i TCP:33270
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
# /usr/sbin/lsof -c uucico
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root cwd DIR 8,1 4096 306099 /home/jlarimer
uucico 6862 root rtd DIR 8,1 4096 2 /
uucico 6862 root txt REG 8,1 4312 306589
/home/jlarimer/uucico
uucico 6862 root mem REG 8,1 344890 416837 /lib/ld-2.1.2.so
uucico 6862 root mem REG 8,1 4118299 416844
/lib/libc-2.1.2.so
uucico 6862 root 0u CHR 136,2 4 /dev/pts/2
uucico 6862 root 1u CHR 136,2 4 /dev/pts/2
uucico 6862 root 2u CHR 136,2 4 /dev/pts/2
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)
# ps 6862
PID TTY STAT TIME COMMAND
6862 pts/2 S 0:00 fsflush
Since the Trinity v3 agent does not listen on any ports, it may be
difficult to detect unless you are watching for suspicious IRC
traffic. If
a machine that has a Trinity agent installed is found, it may have
been
completely compromised. The operating system must be completely
reinstalled along with any available security patches.
Public chat systems can pose a legitimate security risk. It is up to
each
user's discretion to protect from malicious content distributed via
these
networks.
ISS RealSecure already contains functionality that may aid in
detection of
Trinity. Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
RealSecure console to help track IRC activity. These decodes can
detect
joins to the IRC channel #b3eblebr0x, as well as behavior associated
with
Trinity. In addition, security administrators may choose to enable a
connection event for TCP port 33270 to detect connections to the
portshell
that Trinity is installed on.
ISS Internet Scanner can be configured to scan machines on your
network with the TCP Port Scanner turned on. The TCP Port Scanner can
be
enabled by selecting it under the Services category in the Policy
Editor.
The TCP Port Scanner should be configured to scan port 33270. If
machines
are found to be listening on this port, they may have the Trinity
portshell installed.
The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner,
RealSecure, and System Scanner.
Additional Information:
This information has been researched by Jon Larimer of
the Internet Security Systems X-Force.
______
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of
security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted
security
provider to its customers, protecting digital assets and ensuring
safe
and uninterrupted e-business. ISS' security management solutions
protect
more than 5,500 customers worldwide including 21 of the 25 largest
U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America
and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2000 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of
this Alert in any other medium excluding electronic medium, please
e-mail [EMAIL PROTECTED] for permission.
Disclaimer
The information within this paper may change without notice. Use of
this
information constitutes acceptance for use in an AS IS condition.
There
are NO warranties with regard to this information. In no event shall
the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of
this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well
as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
[EMAIL PROTECTED] of Internet Security Systems, Inc.
- --
Regards,
Gregory K Hunter
BG Networking
RLU# 187099
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBObaQbTqxit4AvJ4FEQIZvwCeISkJPClA/DlKx2/6ObiZptKcdpwAoN+3
ezDgD2D6HYk9JaPYsC4ByUvq
=ZW8O
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
