To: Milis Hackerlink (SD434033)
From: Alan at the SANS NewsBites Service

Gary Flynn of James Madison University has posted substantial additional
information about the copies of trinoo-like code found on Windows PCs,
described in the NewsBites that you received earlier today.

In a report entitled "Wintrinoo" provided at 3:01 PM EST, Gary noted
the following:

1. The number of machines infected was not 160.  He reported that he
   found 149 machines that were listening on port 34555, but that the
   number of machines actually infected may have been substantially less
   because of the possibility of false positives.

2. He also reported that he discovered 16 of the computers (all running
   Windows, and at least 5 running Windows98) "sending out large numbers
   of UDP packets on random ports."

3. He noted that all 16 machines were infected with the BackOrifice
   remote control Trojan.

4. After removing BackOrifice from one of the machines, he discovered
   the computer again participating in a UDP flood. That led to the discovery
   of a program that was reported to CERT as a possible variant of the
   trinoo distributed denial of service tool.  CERT is analyzing this.

Gary's technical expertise and rapid response are helping the entire
community to be better informed.  We're sorry that our initial report
didn't have the precision that Gary's latest posting has provided.
We'll keep you informed as we hear of new developments.

The bottom line: PCs running Windows at universities have been found
participating in distributed denial of service attacks. The next step
is to ask the virus detection vendors to find and eradicate the flooding
programs -- Gary has forwarded the code to them.

                                                Alan
