Internet Security Systems Security Alert September 25, 2000
Posted Oct 1, 2000
Site xforce.iss.net

New versions of Stacheldraht and Trinity distributed denial of service (DDoS) attack tools have been found in the wild. The new versions of Stacheldraht include Stacheldraht 1.666+antigl+yps and Stacheldraht 1.666+smurf+yps. A variant of the Trinity tool called entitee has also been reported.

tags | denial of service
SHA-256 | bf70582377dd6c20bb49cdd77ca3e0c56492dfd692b6275a785542a9865f27f6

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
September 25, 2000

New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools

Synopsis:

New versions of Stacheldraht and Trinity distributed denial of service (DDoS)
attack tools have been found in the wild. The new versions of Stacheldraht
include "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps". A
variant of the Trinity tool called "entitee" has also been reported.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic. In February of this year,
several of the Internet's largest Web sites, including Yahoo, Amazon.com, eBay,
and Buy.com were disrupted for extended periods of time by DDoS tools. These
new tools were detected in corporate networks, as well as in personal computers
with high speed network connections. The prevalence of high speed DSL and
cable modem service magnifies these tools' potential effectiveness.


Description:

For an overview of the original Stacheldraht program, refer to the X-Force
Alert, "Denial of Service Attack using the TFN2K and Stacheldraht programs",
at:

http://xforce.iss.net/alerts/advise43.php.

For more information, Dave Dittrich wrote a detailed analysis, which can be
found at:

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt.

In the newer version of the Stacheldraht program, there are several new
commands. The following is a complete list of commands in this new version:

.mtimer .mudp .micmp .msyn .mack .mnul
.mstream .mhavoc .mrandom .mip .mfdns .msort
.showalive .madd .mlist .msadd .msrem .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .forceit .left .enter

The following commands have been added since the first versions of
Stacheldraht:

.mack Sends a TCP ACK flood.
.mnul Sends a NULL flood, which is like a TCP SYN flood but with all TCP flags
set to 0.
.mstream Sends a stream attack flood
(see http://xforce.iss.net/alerts/advise48.php).
.mhavoc Sends a "HAVOC" flood: mixed ICMP, UDP, SYN, random-TCP-flag and IP
header packets are sent simultaneously.
.mrandom Sends a flood of packets with random TCP headers.
.mip Sends a flood of regular IP headers.
.mfdns Sets the source port for floods to port 53.
.msadd Adds a master server to the list of master servers.
.forceit Causes a subsequent .mstop command to stop all agents from flooding,
even those that are not currently flooding.
.left Reports how much time is left before an agent stops flooding.

IRC flooding commands:
.enter Enters the IRC flooding interface.
.part Parts a channel.
.join Joins a channel.
.msg Sends a message flood.

In this version, the user is prompted for a password when building the
binaries. There is no default password; however, there are some default
values used. When running, the agent "td" uses the process name "(kswapd)".
When it spawns child processes, they are named "httpd". The master server
"mserv" uses the process name "(httpd)". When the master server is
communicating with the agent, ICMP packets are used. Each command is identified
by the ICMP ID header field. In the version obtained by the X-Force, the values
are as follows:

For the network flooding commands and replies:
699 Add an IP address to the list of addresses to be flooded
6666 Send IP header flood
7778 Send Stream attack
9000 Add new master server to the Stacheldraht network
9000 Spoof test reply
9001 Remove master server
9002 Distribute new versions of the agent
9003 Shutdown agent
9004 Set the amount of time to flood
9005 Set the ICMP packet size for ICMP-based floods
9006 Set the UDP packet size for UDP-based floods
9007 Set the port range for SYN floods
9012 Start a UDP flood
9013 Start a SYN flood
9014 Set the port for SYN floods
9015 Stop flooding
9016 Change spoofing mode
9017 Replies from the client
9028 Send Smurf attack
9055 Send ICMP flood
9113 Start an ACK flood
9213 Start a NULL flood
9668 Spoof test
9934 Send Havoc flood
9935 Send random TCP header flood
9936 Send DNS packet flood

For the IRC flooding commands:

1 Join IRC
4 Part Channel
5 Join Channel
6 Message Flood
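The ICMP identifier values above can be turned into a simple inspection filter for captured traffic. The following Python is an added example, not code from the ISS alert or from the tool itself. It assumes the "ICMP ID header field" the alert refers to is the 16-bit identifier field of ICMP echo request/echo reply messages (offset 4 in the ICMP header), parses that header from raw bytes, and reports any message whose identifier appears in the alert's table. The packets it inspects are constructed inline; the low-numbered IRC command IDs (1, 4, 5, 6) are deliberately left out of the table because they are indistinguishable from the identifiers of ordinary pings.

```python
import struct

# ICMP identifier values the alert attributes to Stacheldraht commands.
# 9000 is listed twice in the alert (add master server, and spoof test reply).
STACHELDRAHT_ICMP_IDS = {
    699: "add IP address to flood list",
    6666: "IP header flood",
    7778: "stream attack",
    9000: "add master server / spoof test reply",
    9001: "remove master server",
    9002: "distribute new agent version",
    9003: "shutdown agent",
    9004: "set flood duration",
    9005: "set ICMP packet size",
    9006: "set UDP packet size",
    9007: "set SYN flood port range",
    9012: "start UDP flood",
    9013: "start SYN flood",
    9014: "set SYN flood port",
    9015: "stop flooding",
    9016: "change spoofing mode",
    9017: "reply from client",
    9028: "smurf attack",
    9055: "ICMP flood",
    9113: "start ACK flood",
    9213: "start NULL flood",
    9668: "spoof test",
    9934: "havoc flood",
    9935: "random TCP header flood",
    9936: "DNS packet flood",
}

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; used so the constructed packets are well formed."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int = 0, payload: bytes = b"") -> bytes:
    """Assemble an ICMP echo/echo-reply message: type, code 0, checksum, identifier, sequence, payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def inspect_icmp(packet: bytes):
    """Return (ident, description) when an echo/echo-reply identifier matches the table, else None."""
    if len(packet) < 8:
        return None  # too short to carry an ICMP header
    icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        return None  # only echo-style messages carry an identifier field (assumption stated in the lead-in)
    description = STACHELDRAHT_ICMP_IDS.get(ident)
    if description is None:
        return None
    return ident, description


def scan_icmp(packets):
    """Run inspect_icmp over an iterable of ICMP messages; return (index, ident, description) for each hit."""
    hits = []
    for index, packet in enumerate(packets):
        result = inspect_icmp(packet)
        if result is not None:
            hits.append((index, result[0], result[1]))
    return hits


if __name__ == "__main__":
    # Constructed traffic: an ordinary ping exchange (id 4242) followed by two
    # echo replies whose identifiers match entries in the alert's table.
    sample = [
        build_icmp(ICMP_ECHO_REQUEST, 4242, seq=1),
        build_icmp(ICMP_ECHO_REPLY, 4242, seq=1),
        build_icmp(ICMP_ECHO_REPLY, 9013),
        build_icmp(ICMP_ECHO_REPLY, 9015),
    ]
    for index, ident, description in scan_icmp(sample):
        print(f"packet {index}: ICMP id {ident} -> {description}")
```

A match on the identifier alone is a lead, not a verdict: ping implementations commonly derive the identifier from their process ID, so a legitimate ping from PID 9000 would also trip the 9000 entry. Correlate a hit with the host-side lsof checks given under Recommendations before acting on it.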


For an overview of the Trinity DDoS tool, refer to the X-Force Alert,
"Trinity v3 Distributed Denial of Service tool", at:

http://xforce.iss.net/alerts/advise59.php.

At least 8 different versions of Trinity have been found on the Undernet
Internet Relay Chat (IRC) network by the Undernet operators, each using a
different IRC channel. On September 17, 2000, "Rod R00T" reported a new
variant of Trinity, called "entitee", to the INCIDENTS mailing list at
SecurityFocus.com. It is functionally equivalent to Trinity v3, but it uses
different channels, keys, and passwords. Trinity v3 responds to commands in the
channel with a line beginning with "(trinity)", while entitee responds with
lines beginning with "(entitee)".

Recommendations:

The Stacheldraht and Trinity signatures in the ISS RealSecure intrusion
detection software are being updated to detect these new tools. To find a
Stacheldraht agent on your computer, use the lsof command:

[root@unix /root]# lsof | grep raw
td 1217 root 3u raw 2083 00000000:0001->00000000:0000 st=07

[root@unix /root]# lsof -p 1217
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
td 1217 root cwd DIR 8,1 4096 497157 /root/stach+antigl/client
td 1217 root rtd DIR 8,1 4096 2 /
td 1217 root txt REG 8,1 99396 497190 /root/stach+antigl/client/td
td 1217 root mem REG 8,1 344890 416837 /lib/ld-2.1.2.so
td 1217 root mem REG 8,1 4118299 416844 /lib/libc-2.1.2.so
td 1217 root 0u raw 2218 00000000:0001->00000000:0000 st=07
td 1217 root 1u CHR 136,1 3 /dev/pts/1
td 1217 root 2u CHR 136,1 3 /dev/pts/1
td 1217 root 3u raw 2083 00000000:0001->00000000:0000 st=07

To locate a Stacheldraht master server on your computer:

[root@unix stach+antigl]# lsof -i TCP:60001
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mserv 1346 root 3u IPv4 2332 TCP *:60001 (LISTEN)

[root@unix stach+antigl]# lsof -p 1346
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mserv 1346 root cwd DIR 8,1 4096 497149 /root/stach+antigl
mserv 1346 root rtd DIR 8,1 4096 2 /
mserv 1346 root txt REG 8,1 1356288 497188 /root/stach+antigl/mserv
mserv 1346 root 0u CHR 136,0 2 /dev/pts/0
mserv 1346 root 1u CHR 136,0 2 /dev/pts/0
mserv 1346 root 2u CHR 136,0 2 /dev/pts/0
mserv 1346 root 3u IPv4 2332 TCP *:60001 (LISTEN)
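The two lsof checks above (raw sockets for the agent, a TCP listener on port 60001 for the master) can be combined into one scripted pass over saved lsof output. The following Python is an added example and not part of the ISS alert; it parses plain lsof output, flags raw sockets, a listener on TCP port 60001, and the process names td and mserv named in the alert. The sample it runs over is constructed to mirror the alert's output format, with benign sshd and ping rows added to show how the checks behave on normal activity.

```python
import re

# Host-side indicators from the ISS alert: the master "mserv" listens on
# TCP 60001, the agent "td" holds raw sockets, and the binaries are td / mserv.
MASTER_TCP_PORT = 60001
KNOWN_PROCESS_NAMES = {"td", "mserv"}

# Constructed sample in the alert's lsof format; sshd and ping are benign rows
# added to show which indicators fire on ordinary processes.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
td 1217 root txt REG 8,1 99396 497190 /root/stach+antigl/client/td
td 1217 root 3u raw 2083 00000000:0001->00000000:0000 st=07
mserv 1346 root txt REG 8,1 1356288 497188 /root/stach+antigl/mserv
mserv 1346 root 3u IPv4 2332 TCP *:60001 (LISTEN)
sshd 500 root 3u IPv4 1200 TCP *:22 (LISTEN)
ping 700 root 3u raw 3001 00000000:0001->00000000:0000 st=07
"""

# Matches the NAME column of a listening TCP socket, e.g. "TCP *:60001 (LISTEN)".
LISTEN_RE = re.compile(r"TCP\s+\S*:(\d+)\s+\(LISTEN\)")


def parse_lsof(text):
    """Split plain lsof output into rows. Columns after TYPE vary by file type
    (raw sockets have no SIZE), so everything past TYPE is kept as one string."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or not parts[1].isdigit():
            continue  # blank line or the COMMAND header
        command, pid, user, fd, ftype = parts[:5]
        tail = parts[5] if len(parts) > 5 else ""
        rows.append({"command": command, "pid": int(pid), "user": user,
                     "fd": fd, "type": ftype, "tail": tail})
    return rows


def find_stacheldraht_indicators(text):
    """Return one entry per PID that matches any indicator, as
    {"pid", "command", "reasons"} dicts sorted by PID."""
    findings = {}

    def note(row, reason):
        entry = findings.setdefault(
            row["pid"], {"pid": row["pid"], "command": row["command"], "reasons": []})
        if reason not in entry["reasons"]:
            entry["reasons"].append(reason)

    for row in parse_lsof(text):
        if row["command"] in KNOWN_PROCESS_NAMES:
            note(row, "process name '%s' matches alert" % row["command"])
        if row["type"] == "raw":
            note(row, "raw socket")
        match = LISTEN_RE.search(row["tail"])
        if match and int(match.group(1)) == MASTER_TCP_PORT:
            note(row, "listening on TCP port %d" % MASTER_TCP_PORT)

    return [findings[pid] for pid in sorted(findings)]


if __name__ == "__main__":
    for entry in find_stacheldraht_indicators(SAMPLE_LSOF):
        print("PID %d (%s): %s" % (entry["pid"], entry["command"], "; ".join(entry["reasons"])))
```

Run it against the output of `lsof -n` saved from the host under investigation (for example `lsof -n > lsof.txt`). The ping row in the sample is flagged only for its raw socket: ping, tcpdump and DHCP clients legitimately hold raw sockets, so that indicator on its own identifies a process to examine with `lsof -p`, not a confirmed agent. The port 60001 listener and the td/mserv names are the stronger signals, and the process-name check is easily defeated by a renamed binary, so treat all three as starting points for a look at the executable path shown in the txt row.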

For information on locating Trinity or Entitee on your machine, please see the
X-Force Alert, "Trinity v3 Distributed Denial of Service tool", at:

http://xforce.iss.net/alerts/advise59.php.

The ISS X-Force will provide additional functionality to detect these
vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure,
and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.


About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading SAFEsuite
security software, remote managed security services, and strategic consulting
and education offerings, ISS is a trusted security provider to its customers,
protecting digital assets and ensuring safe and uninterrupted e-business. ISS'
security management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the largest
telecommunications companies and over 35 government agencies. Founded in 1994,
ISS is headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin America
and the Middle East. For more information, visit the Internet Security Systems
web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on
MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to X-Force, xforce@iss.net of
Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOc/mgzRfJiV99eG9AQF33wQArffQtWP7L3peeayo7WwL6Dqrj7lW48VA
zNCcUixWIKoBIoh5hty0JGFBUWUL/Cb0Yw3jrYWohwCHenMUvQlHJICrADTSE+Hu
6651ykqbMGS9Og7EL8/FswK0d4nE7HqcvV+AZH37cTXPKiST+feKcbz5S6fJ6W9p
hFUVkMCNcY8=
=Fbeu
-----END PGP SIGNATURE-----
