Trinity DDoS Discovered
BulletValentine writes "ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3, a DDoS attack program. Supposedly Trinity can set up to eight different types of flood attacks. ZDNet referred readers to Internet Security Solutions for more information about the attack and precautions to take."
-Denor
Open source is great because, although this bug has been overlooked, somebody now has the opportunity to track it down and fix it in a few hours. Try that with closed source programs...you'd have to wait until the vendor shipped a patch.
I found that part to be particularly amusing, for some strange reason. I know, it's an evil app, but I have to admire the interface. Might be a useful thing to use in legitimate administration systems - like maintaining a render farm, etc.
:)
Maybe it's just me, but IRC seems like a cool way to go about doing that...
Having your own channel to issue commands to your compromised minions of systems, really really feels like something out of SnowCrash, or maybe even BatMan...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
There is a much better article at http://xforce.iss.net/alerts/advise59.php .
-------
Synopsis: A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.
The flooding commands have this format: , where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds. The available flood types are the following:
tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"
Other available commands include:
ping: Ping each client. The client will respond with "(trinity) someone needs a miracle..."
size : Set the packet size for the flood, 0 for random.
port : Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with " trinity v3 by self (an idle mind is the devil's playground)"
-------------
-Pete
Soccer Goal Plans
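The two agent responses and the eight flood keywords quoted in the X-Force excerpt above are enough to spot Trinity traffic in an IRC channel log. The scanner below is an added example (not code from the advisory, ISS, or anyone in this thread): it treats any message containing one of the quoted agent replies, or beginning with one of the flood keywords, as an indicator. The excerpt does not reproduce the full command syntax, so matching on the first token is an assumption, as is the `[hh:mm] <nick> text` log layout; the log lines are constructed samples, with a TEST-NET address and a made-up password.

```python
"""Scan IRC log lines for Trinity v3 agent indicators (added example)."""
import re

# Agent responses quoted in the X-Force excerpt.
AGENT_RESPONSES = (
    "(trinity) someone needs a miracle...",
    "trinity v3 by self (an idle mind is the devil's playground)",
)

# Flood-type keywords from the excerpt, mapped to the flood they select.
# Assumption: the keyword is the first word of a flood command.
FLOOD_KEYWORDS = {
    "tudp": "udpflood",
    "tfrag": "fragmentflood",
    "tsyn": "synflood",
    "trst": "rstflood",
    "trnd": "randomflagsflood",
    "tack": "ackflood",
    "testab": "establishflood",
    "tnull": "nullflood",
}

# Assumed log layout: "[12:01] <nick> message text"
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+<(?P<nick>[^>]+)>\s+(?P<msg>.*)$")


def classify_message(msg):
    """Return an indicator label for one IRC message, or None if clean."""
    lowered = msg.strip().lower()
    for needle in AGENT_RESPONSES:
        if needle in lowered:
            return "agent-response"
    first = lowered.split(" ", 1)[0]
    if first in FLOOD_KEYWORDS:
        return "flood-command:" + FLOOD_KEYWORDS[first]
    return None


def scan_irc_log(lines):
    """Return (line_number, nick, indicator) for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed log layout; skip
        label = classify_message(m.group("msg"))
        if label:
            hits.append((n, m.group("nick"), label))
    return hits


def suspicious_nicks(lines):
    """Nicks that answered like an agent or issued a flood keyword."""
    return sorted({nick for _, nick, _ in scan_irc_log(lines)})


# Constructed sample log, not a real capture. Line 6 shows that a keyword
# appearing mid-sentence is not flagged; line 7 is a constructed command
# with a placeholder password and a TEST-NET victim address.
SAMPLE_LOG = [
    "[12:00] <alice> anyone around?",
    "[12:01] <h4ndl3r> ping",
    "[12:01] <agent01> (trinity) someone needs a miracle...",
    "[12:02] <h4ndl3r> ver?",
    "[12:02] <agent01> trinity v3 by self (an idle mind is the devil's playground)",
    "[12:03] <bob> my bike does tsyn on gravel",
    "[12:04] <h4ndl3r> tsyn hunter2 192.0.2.10 60",
]

if __name__ == "__main__":
    for line_no, nick, label in scan_irc_log(SAMPLE_LOG):
        print(f"line {line_no}: {nick} -> {label}")
    print("suspicious nicks:", suspicious_nicks(SAMPLE_LOG))
```

Pointed at a channel log, the scan flags the agent's replies to "ping" and "ver?" and the flood command itself, which gives the channel operator both the controlling nick and the compromised hosts that answered; the "ping" and "ver?" handler commands are deliberately not matched on their own because they are far too common as ordinary chat.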
according to this posting on the securityfocus INCIDENTS list, trinity is often propagated by the ever-popular rpc.statd exploit.
:)
oh, and the guy who posted to INCIDENTS beat out iss by >1 week.
btw, trinity is old news to the skr1p+ k1ddi3 scene.
--
Follow the white rabbit!
:-) = I am happy
:^) = I am happy with my big nose
C:\> = I am happy with my OS
Let me get this straight. There's a trojan floating around which requires some libraries be installed in secure locations, which requires root permissions. So the article goes on about how the trojan works, but gives not one indication of how the thing gets installed. Not to worry though, they have a product that will plug the hole for you.
Why do I smell old fish? It sounds to me that there is an attempt to sell a product by scare-mongering. How can an IRC chat session install files in a directory that requires root permissions? If someone is chatting in IRC as root and allows unchecked software to be installed from a remote server, aren't they getting what they deserve in the same way that I would get my just deserts from driving my car without motor oil? Open-source does not equate to security in spite of stupidity!!
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
I am so tired of hearing of these kinds of exploits. MS and Mac use these actions as an excuse to say the Unices are security hazards. Either these kiddies need to grow up or we must keep up our watch for these tools. Of course, I don't need to say this to most of you, but it is those that are lax in maintaining their machines that put others at risk.
nahtanoj
Is it just me, or do *all* the DDoS tools seem to arise from IRC? I am not saying this as anything bad against IRC. I personally use IRC quite a bit and find it to be an excellent tool for communication. What really bothers me is the little "hax0r kiddiez" who have nothing better to do than attempt to take over channels and brag to each other how 1337 they are (*not*).
Honestly, this was probably conceived of so somebody could flood an irc server and get it to split from the rest of the network. Especially if it is using irc as a control interface.
I find this kind of thing quite prevalent in many places. I was speaking to a kid (he's only 15) the other day who "created" a local ls exploit just for fun. This kind of thing freaks me out.
Software like this gets put on servers either through social engineering (convincing the admin to install it) or even more commonly by finding systems with security holes that have been well documented, "rooting" the system, and installing anything the attacker deems necessary. It is fairly simple to do this.
Use nmap to scan an ip range. Keep details on what OS/daemons it is running. Search all your favorite script kiddie sites for exploits on those systems. Use exploit. Get root. Install DDoS daemon. Flood IRC server.
Look how '1337 you are now (*not*)!!!
wolf31o2 Developer, Gentoo Linux Games Team
---
Personally, I hate when any box I've got some access to or control of gets hacked.
However, I think that as we approach more and more intrusion on our privacy, especially our computer privacy, it isn't hard to see a Big Brother type situation in our future.
I see this kind of work as our "well-armed militia."
I think it's important that there are tools to take out tracking systems and privacy intrusion devices, just in case they are needed in the future.
For the most part it's a script kiddie effort.
Step 1: Obtain pre-made buffer overflow tool of the week.
Step 2: Sweep blocks of IP addresses for vulnerable machines (it's frightening how many publicly accessible boxes aren't hardened).
Step 3: Gain access to vulnerable machines by "rooting" them, usually with a premade rootkit (most malicious attackers actually have no idea how most of the tools they use, or the systems they're breaking into, work).
Step 4: With this newfound access to often many machines in a single sweep, install whatever you want (e.g. Trinity) on them all.
Once the attacker has amassed enough machines to be his or her zombies, the attacker can trigger DDoS software on them all to hammer a specific site.
I don't know what's more frightening; the number of neglected servers running old, vulnerable services... or the growing number of home desktops with megabit+ net connections infected with remote administration trojans.
---
Where can the word be found, where can the word resound? Not here, there is not enough silence.
"Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot
MashPotato - Mobile Array of Support Helpers for Potato
-- "I can't tell the future, I just work there." -- The Doctor
And unfortunately, because of how most admins are lazy, the only solution seems to be:
Step 1: get the latest exploits
Step 2: Sweep IP blocks for vulnerable machines
Step 3: gain access to them and install SSH, add your own user account, and change the root password.
Step 4: secure the box, leave a polite message about the admin needing to be fired, and remove any other traces of your passage.
Once we've secured enough machines through these methods, kiddies won't be able to use them. Unfortunately, a lot of people don't like the idea that they could possibly be insecure, and resist any sort of proactive effort to cut off clueless admins at the knees.
Look how much resistance the RBL and MAPS and ORBS get.. and they're just shutting down "rather harmless" open relays. Compare this with a fleet of rooted boxen, and you see how much more serious *this* issue is.
--
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
What scares me is the number of remote exploits that have been found over the years in Linux-based utilities, and the difficulty of securing current Linux distributions in the face of all of these potential exploits. I have come to the conclusion that Linux is safe on the Internet only when configured as a single-purpose device with all other software removed. Thus I have an old Cyrix P150 now serving as a firewall doing nothing but IP masquerading and (internal) name resolution (it is not listening on the external network). The only service port open is OpenSSH. I have the thing wired to detect and counter all sorts of attacks, but I'm not going to go into that because one of those programs opens me up to a rather insidious Denial of Service attack that's harder to trace than the typical ping flood or smurf.
Does that make me secure? No. If it wasn't for the need to run CIPE, I would dump Linux on my firewall and run OpenBSD there.
BTW, if anybody wants a root kit, I saved the one the script kiddies left for me :-). Very interesting work. Obviously a derivative of one that I encountered in 1997 or so, but with some interesting twists. I especially liked the sweet little hack of 'ssh' that sits on a high port and gives instant root access to the attacker connecting to that port with the right private key. There's a couple of things I would do, if I were the author of this kit, to make it harder to detect though... I won't go into details here though, for obvious reasons. In any event, this particular kit is easily detectable by anybody who routinely examines the contents of their /var/log directory... and if you type 'locate t0rn' you'll see some files that 'ls' says don't exist... 'nuff said. If you're running Linux and you're connected to the Internet, you'd best go check 'locate' results now :-).
-E
Send mail here if you want to reach me.
There are some tools to detect that 'netstat' and 'ps' are no longer reporting the same stuff as what's being reported in /proc, but these tools do not come with the typical Linux distribution and could easily be hacked themselves if they became common. I won't mention particular tools 'cause I don't want to give the kiddies an idea what they're facing when they go against my system :-}.
-E
Send mail here if you want to reach me.
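The two posts above describe a kit that replaces 'ps' and 'netstat' and parks a trojaned 'ssh' on a high port. The check below is an added example, not one of the tools the poster alludes to: it compares what the (possibly replaced) userland binaries report against what the kernel exposes in /proc, for both process IDs and listening TCP ports. A replaced binary can filter its own output, but it cannot normally hide an entry from /proc, so any PID or listener present in /proc and absent from ps or netstat deserves a look. The sample outputs are constructed (one hidden process, one hidden listener on port 31337); the live audit assumes a Linux host with 'ps -e' and 'netstat -tln' available.

```python
"""Cross-check ps/netstat output against /proc (added example)."""
import os
import re
import subprocess

LISTEN_STATE = "0A"  # hex 'st' value for TCP LISTEN in /proc/net/tcp


def pids_from_proc_listing(entries):
    """PIDs found in a listing of /proc (numeric directory names only)."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps_output(text):
    """PIDs reported by 'ps -e' style output (leading numeric column)."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(proc_pids, ps_pids):
    """Processes the kernel knows about that ps did not report."""
    return sorted(proc_pids - ps_pids)


def listening_ports_from_proc_net_tcp(text):
    """Listening TCP ports from /proc/net/tcp: rows are
    'sl local_address rem_address st ...', addresses are hex IP:PORT."""
    ports = set()
    for line in text.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN_STATE:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def listening_ports_from_netstat(text):
    """Ports in LISTEN state from 'netstat -tln' style output."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if "LISTEN" in fields and len(fields) >= 4:
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_listeners(proc_ports, netstat_ports):
    """Listening ports the kernel shows that netstat did not report."""
    return sorted(proc_ports - netstat_ports)


# Constructed samples: ps omits PID 1337, netstat omits port 31337 (0x7A69).
SAMPLE_PROC_ENTRIES = ["1", "2", "424", "1337", "self", "net", "cpuinfo"]
SAMPLE_PS_OUTPUT = """  PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
  424 ?        00:00:00 sshd
"""
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1
"""
SAMPLE_NETSTAT_OUTPUT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""


def audit_live():
    """Run the same comparison on this host (Linux only; assumes ps and netstat exist)."""
    proc_pids = pids_from_proc_listing(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    with open("/proc/net/tcp") as f:
        proc_ports = listening_ports_from_proc_net_tcp(f.read())
    ns_out = subprocess.run(["netstat", "-tln"], capture_output=True, text=True, check=True).stdout
    return {
        "hidden_pids": hidden_pids(proc_pids, pids_from_ps_output(ps_out)),
        "hidden_listeners": hidden_listeners(proc_ports, listening_ports_from_netstat(ns_out)),
    }


if __name__ == "__main__":
    print("sample hidden pids:", hidden_pids(pids_from_proc_listing(SAMPLE_PROC_ENTRIES),
                                            pids_from_ps_output(SAMPLE_PS_OUTPUT)))
    print("sample hidden listeners:", hidden_listeners(
        listening_ports_from_proc_net_tcp(SAMPLE_PROC_NET_TCP),
        listening_ports_from_netstat(SAMPLE_NETSTAT_OUTPUT)))
```

The comparison only holds while /proc itself is honest; a kernel-level kit can lie there too, which is why the poster's other hint, checking 'locate' results and /var/log against what 'ls' shows, is worth keeping as an independent second opinion.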
Unfortunately, no current Linux distribution comes with intrusion detection tools installed, running, or even mentioned in the documentation. They should. Especially given Linux's lousy record in this area (yes, problems are fixed quickly, but there are so MANY of them...).
-E
Send mail here if you want to reach me.
Could the originals receive commands through IRC? If not, then this is still a new idea.