what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Internet Security Systems Security Alert September 5, 2000

Internet Security Systems Security Alert September 5, 2000
Posted Sep 6, 2000
Site xforce.iss.net

A new Distributed Denial of Service tool, Trinity v3, has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.

tags | denial of service, tcp
SHA-256 | ae3410dfb4415f157d96a9862a755d7384dbf4c77f8018d7149d5452d989b3e6

Internet Security Systems Security Alert September 5, 2000

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
September 5, 2000

Trinity v3 Distributed Denial of Service tool

Synopsis:
A new Distributed Denial of Service tool, "Trinity v3", has been
discovered in the wild. There have been reports of up to 400 hosts running
the Trinity agent. In one Internet Relay Chat (IRC) channel on the
Undernet network, there are 50 compromised hosts with Trinity running,
with new hosts appearing every day. It is not known how many different
versions of Trinity are in the wild.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic. In February of this year,
several of the Internet's biggest websites, including Yahoo, Amazon.com,
Ebay and Buy.com were taken down for extended periods of time by tools
similar to Trinity.

Description:

Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started,
it connects to an Undernet IRC server on port 6667. There is a list of
servers in the binary:

204.127.145.17
216.24.134.10
208.51.158.10
199.170.91.114
207.173.16.33
207.96.122.250
205.252.46.98
216.225.7.155
205.188.149.3
207.69.200.131
207.114.4.35

When Trinity connects, it sets its nickname to the first 6 characters of
the host name of the affected machine, plus 3 random letters or numbers.
For example, the computer named machine.example.com would connect and set
its nickname to machinabc, where abc is 3 random letters or numbers. If
there is a period in the first 6 characters of the host name, the period
is replaced by an underscore. In our copy of Trinity, it joins the IRC
channel #b3eblebr0x using a special key. Once it's in the channel, the
agent will wait for commands. Commands can be sent to individual Trinity
agents, or sent to the channel and all agents will process the command.

The flooding commands have this format: <flood> <password> <victim>
<time>, where flood is the type of flood, password is the agent's
password, victim is the victim's IP address, and time is the length of
time to flood the agent, in seconds. The available flood types are the
following:

tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"

Other available commands include:

ping: Ping each client. The client will respond with "(trinity) someone
needs a miracle..."
size <size>: Set the packet size for the flood, 0 for random.
port <port>: Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with
"<trinity> trinity v3 by self (an idle mind is the devil's playground)"

Another binary found on affected systems is /var/spool/uucp/uucico. This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp. This is a
simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a
root shell. The password in the binaries that we have analyzed is "!@#".
When the uucico binary is executed it changes its name to "fsflush".

Recommendations:

Scan all systems for port 33270 connections. If any connections are found,
telnet to that port and type "!@#". A system has been compromised if there
is a root shell present after a successful connection to port 33270.

Use "ps" and "lsof" in the following manner to identify a port-shell
installed by Trinity:

# /usr/sbin/lsof -i TCP:33270
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)

# /usr/sbin/lsof -c uucico
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
uucico 6862 root cwd DIR 8,1 4096 306099 /home/jlarimer
uucico 6862 root rtd DIR 8,1 4096 2 /
uucico 6862 root txt REG 8,1 4312 306589 /home/jlarimer/uucico
uucico 6862 root mem REG 8,1 344890 416837 /lib/ld-2.1.2.so
uucico 6862 root mem REG 8,1 4118299 416844 /lib/libc-2.1.2.so
uucico 6862 root 0u CHR 136,2 4 /dev/pts/2
uucico 6862 root 1u CHR 136,2 4 /dev/pts/2
uucico 6862 root 2u CHR 136,2 4 /dev/pts/2
uucico 6862 root 3u IPv4 11199 TCP *:33270 (LISTEN)

# ps 6862
PID TTY STAT TIME COMMAND
6862 pts/2 S 0:00 fsflush


Since the Trinity v3 agent does not listen on any ports, it may be
difficult to detect unless you are watching for suspicious IRC traffic. If
a machine that has a Trinity agent installed is found, it may have been
completely compromised. The operating system must be completely
reinstalled along with any available security patches.

Public chat systems can pose a legitimate security risk. It is up to each
user's discretion to protect from malicious content distributed via these
networks.

ISS RealSecure already contains functionality that may aid in detection of
Trinity. Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
RealSecure console to help track IRC activity. These decodes can detect
joins to the IRC channel #b3eblebr0x, as well as behavior associated with
Trinity. In addition, security administrators may choose to enable a
connection event for TCP port 33270 to detect connections to the portshell
that Trinity is installed on.

ISS Internet Scanner can be configured to scan machines on your
network with the TCP Port Scanner turned on. The TCP Port Scanner can be
enabled by selecting it under the Services category in the Policy Editor.
The TCP Port Scanner should be configured to scan port 33270. If machines
are found to be listening on this port, they may have the Trinity
portshell installed.

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner,
RealSecure, and System Scanner.

Additional Information:

This information has been researched by Jon Larimer <jlarimer@iss.net> of
the Internet Security Systems X-Force.

______

About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe and
uninterrupted e-business. ISS' security management solutions protect more
than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and over
35 government agencies. Founded in 1994, ISS is headquartered in Atlanta,
GA, with additional offices throughout North America and international
operations in Asia, Australia, Europe, Latin America and the Middle East.
For more information, visit the Internet Security Systems web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBObUUCzRfJiV99eG9AQHE9wQAuosI5Oda+qlRXe5FW34biFeZdJgfrrX3
Nd5Nfhgky7hSP4zeP/BFoZc5dlRh3TPORIWYDHtwyEmbQqiAhKkYRG6afx3PNJd3
xJi9DQhUzXYNbJOdSHH7ABeGEG2QF7xjahbNGBMOREZ1eaCIrVvkrO34p5UnQ9Y3
49IJQyKK2MI=
=kcuQ
-----END PGP SIGNATURE-----



Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close