-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
September 5, 2000

Trinity v3 Distributed Denial of Service tool

Synopsis:
A new Distributed Denial of Service tool, "Trinity v3", has been
discovered in the wild. There have been reports of up to 400 hosts running
the Trinity agent. In one Internet Relay Chat (IRC) channel on the
Undernet network, there are 50 compromised hosts with Trinity running,
with new hosts appearing every day. It is not known how many different
versions of Trinity are in the wild.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic.  In February of this year,
several of the Internet's biggest websites, including Yahoo, Amazon.com,
Ebay and Buy.com were taken down for extended periods of time by tools
similar to Trinity.

Description:

Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started,
it connects to an Undernet IRC server on port 6667. There is a list of
servers in the binary:

204.127.145.17
216.24.134.10
208.51.158.10
199.170.91.114
207.173.16.33
207.96.122.250
205.252.46.98
216.225.7.155
205.188.149.3
207.69.200.131
207.114.4.35

When Trinity connects, it sets its nickname to the first 6 characters of
the host name of the affected machine, plus 3 random letters or numbers.
For example, the computer named machine.example.com would connect and set
its nickname to machinabc, where abc is 3 random letters or numbers. If
there is a period in the first 6 characters of the host name, the period
is replaced by an underscore. In our copy of Trinity, it joins the IRC
channel #b3eblebr0x using a special key.  Once it's in the channel, the
agent will wait for commands. Commands can be sent to individual Trinity
agents, or sent to the channel and all agents will process the command. 

The flooding commands have this format: <flood> <password> <victim>
<time>, where flood is the type of flood, password is the agent's
password, victim is the victim's IP address, and time is the length of
time to flood the agent, in seconds. The available flood types are the
following:

tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"

Other available commands include:

ping: Ping each client. The client will respond with "(trinity) someone
needs a miracle..."
size <size>: Set the packet size for the flood, 0 for random.
port <port>: Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with
"<trinity> trinity v3 by self (an idle mind is the devil's playground)"

Another binary found on affected systems is /var/spool/uucp/uucico. This
binary is not to be confused with the real "uucico", which resides in
/usr/sbin, or other default locations such as /usr/lib/uucp.  This is a
simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a
root shell. The password in the binaries that we have analyzed is "!@#".
When the uucico binary is executed it changes its name to "fsflush".

Recommendations:

Scan all systems for port 33270 connections. If any connections are found,
telnet to that port and type "!@#". A system has been compromised if there
is a root shell present after a successful connection to port 33270.  

Use "ps" and "lsof" in the following manner to identify a port-shell
installed by Trinity:

# /usr/sbin/lsof -i TCP:33270
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
uucico  6862 root    3u  IPv4  11199       TCP *:33270 (LISTEN)

# /usr/sbin/lsof -c uucico 
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
uucico  6862 root  cwd    DIR    8,1    4096 306099 /home/jlarimer
uucico  6862 root  rtd    DIR    8,1    4096      2 /
uucico  6862 root  txt    REG    8,1    4312 306589 /home/jlarimer/uucico
uucico  6862 root  mem    REG    8,1  344890 416837 /lib/ld-2.1.2.so
uucico  6862 root  mem    REG    8,1 4118299 416844 /lib/libc-2.1.2.so
uucico  6862 root    0u   CHR  136,2              4 /dev/pts/2
uucico  6862 root    1u   CHR  136,2              4 /dev/pts/2
uucico  6862 root    2u   CHR  136,2              4 /dev/pts/2
uucico  6862 root    3u  IPv4  11199            TCP *:33270 (LISTEN)

# ps 6862 
  PID TTY      STAT   TIME COMMAND
 6862 pts/2    S      0:00 fsflush


Since the Trinity v3 agent does not listen on any ports, it may be
difficult to detect unless you are watching for suspicious IRC traffic. If
a machine that has a Trinity agent installed is found, it may have been
completely compromised. The operating system must be completely
reinstalled along with any available security patches.

Public chat systems can pose a legitimate security risk.  It is up to each
user's discretion to protect from malicious content distributed via these
networks.

ISS RealSecure already contains functionality that may aid in detection of
Trinity.  Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
RealSecure console to help track IRC activity.  These decodes can detect
joins to the IRC channel #b3eblebr0x, as well as behavior associated with
Trinity.  In addition, security administrators may choose to enable a
connection event for TCP port 33270 to detect connections to the portshell
that Trinity is installed on.

ISS Internet Scanner can be configured to scan machines on your
network with the TCP Port Scanner turned on. The TCP Port Scanner can be
enabled by selecting it under the Services category in the Policy Editor.
The TCP Port Scanner should be configured to scan port 33270. If machines
are found to be listening on this port, they may have the Trinity
portshell installed. 

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner,
RealSecure, and System Scanner.

Additional Information:

This information has been researched by Jon Larimer <jlarimer@iss.net> of
the Internet Security Systems X-Force.

______ 

About Internet Security Systems (ISS) 
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe and
uninterrupted e-business. ISS' security management solutions protect more
than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and over
35 government agencies. Founded in 1994, ISS is headquartered in Atlanta,
GA, with additional offices throughout North America and international
operations in Asia, Australia, Europe, Latin America and the Middle East.
For more information, visit the Internet Security Systems web site at
www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBObUUCzRfJiV99eG9AQHE9wQAuosI5Oda+qlRXe5FW34biFeZdJgfrrX3
Nd5Nfhgky7hSP4zeP/BFoZc5dlRh3TPORIWYDHtwyEmbQqiAhKkYRG6afx3PNJd3
xJi9DQhUzXYNbJOdSHH7ABeGEG2QF7xjahbNGBMOREZ1eaCIrVvkrO34p5UnQ9Y3
49IJQyKK2MI=
=kcuQ
-----END PGP SIGNATURE-----