Slashdot Mirror


Trinity DDoS Discovered

BulletValentine writes "ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3, a DDoS attack program. Supposedly Trinity can set up to eight different types of flood attacks. ZDNet referred readers to Internet Security Solutions for more information about the attack and precautions to take."

8 of 68 comments

  1. Too many announcements by Denor · · Score: 3
    ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3
    You know you've been browsing too many software announcements when you see that paragraph and yell "For the last time, this is not Freshmeat!"
    --
    -Denor
  2. Better Article. by peterdaly · · Score: 5

    There is a much better article at http://xforce.iss.net/alerts/advise59.php .

    -------

    Synopsis: A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.

    The flooding commands have this format: , where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds. The available flood types are the following:

    tudp: "udpflood"
    tfrag: "fragmentflood"
    tsyn: "synflood"
    trst: "rstflood"
    trnd: "randomflagsflood"
    tack: "ackflood"
    testab: "establishflood"
    tnull: "nullflood"


    Other available commands include:

    ping: Ping each client. The client will respond with "(trinity) someone needs a miracle..."
    size : Set the packet size for the flood, 0 for random.
    port : Set which port to hit, 0 for random.
    ver?: Get the agent's version. The agent X-Force is analyzing replies with " trinity v3 by self (an idle mind is the devil's playground)"

    -------------
    -Pete
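
The advisory quoted above gives everything a defender needs to spot Trinity traffic on an IRC server or in a network tap: the eight flood keywords, the control words, and the two fixed strings an agent sends back. The following scanner is an added example written for this thread; it is not code from ISS, X-Force or the original post. It reads IRC `PRIVMSG` lines in the `:nick!user@host PRIVMSG target :text` form (the log format is an assumption), flags agent replies and flood commands on their own, and reports the ambiguous control words (`ping`, `port`, ...) only when they appear in a channel that also produced a strong indicator, so ordinary chat does not trip it. The field order `flood password victim time` is taken from the advisory's prose description, since the literal format line did not survive the mirror; the sample log lines and the channel name are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators quoted from the X-Force advisory in the post above.
TRINITY_FLOOD_COMMANDS = {
    "tudp": "udpflood", "tfrag": "fragmentflood", "tsyn": "synflood",
    "trst": "rstflood", "trnd": "randomflagsflood", "tack": "ackflood",
    "testab": "establishflood", "tnull": "nullflood",
}
TRINITY_CONTROL_COMMANDS = {"ping", "size", "port", "ver?"}
TRINITY_AGENT_STRINGS = (
    "(trinity) someone needs a miracle...",
    "trinity v3 by self (an idle mind is the devil's playground)",
)

# Assumed log format: one PRIVMSG per line as a server or bouncer records it,
#   :nick!user@host PRIVMSG #channel :message text
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<userhost>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$"
)


@dataclass
class Hit:
    line_no: int
    nick: str
    userhost: str
    target: str
    kind: str     # "agent_reply", "flood_command" or "control_command"
    detail: str


def classify_text(text):
    """Return (kind, detail) when the message matches a Trinity indicator, else None."""
    lowered = text.strip().lower()
    for marker in TRINITY_AGENT_STRINGS:
        if marker in lowered:
            return "agent_reply", marker
    words = lowered.split()
    if not words:
        return None
    cmd = words[0]
    if cmd in TRINITY_FLOOD_COMMANDS:
        # Field order assumed from the advisory prose: flood, password, victim, time.
        # The apparent victim is reported; the agent password is deliberately not.
        victim = words[2] if len(words) > 2 else "?"
        return "flood_command", f"{TRINITY_FLOOD_COMMANDS[cmd]} -> {victim}"
    if cmd in TRINITY_CONTROL_COMMANDS:
        return "control_command", cmd
    return None


def scan_irc_log(lines):
    """Return confirmed hits. Agent replies and flood commands stand on their own;
    control words are common chat vocabulary, so they count only in a target
    (channel or nick) that also produced a strong indicator."""
    candidates, strong_targets = [], set()
    for line_no, raw in enumerate(lines, 1):
        m = PRIVMSG_RE.match(raw.strip())
        if not m:
            continue
        result = classify_text(m.group("text"))
        if result is None:
            continue
        kind, detail = result
        hit = Hit(line_no, m.group("nick"), m.group("userhost"), m.group("target"), kind, detail)
        candidates.append(hit)
        if kind != "control_command":
            strong_targets.add(hit.target)
    return [h for h in candidates if h.kind != "control_command" or h.target in strong_targets]


def compromised_hosts(hits):
    """Map each target to the sorted user@host values that answered as a Trinity agent."""
    hosts = defaultdict(set)
    for h in hits:
        if h.kind == "agent_reply":
            hosts[h.target].add(h.userhost)
    return {target: sorted(v) for target, v in hosts.items()}


# Constructed sample log: addresses and hostnames are documentation/test values.
SAMPLE_LOG = [
    ":alice!alice@example.net PRIVMSG #chat :anyone around?",
    ":carol!carol@example.org PRIVMSG #chat :ping me when the build finishes",
    ":ctrl!c@203.0.113.9 PRIVMSG #constructed-chan :ver?",
    ":z1!agent@192.0.2.10 PRIVMSG #constructed-chan :trinity v3 by self (an idle mind is the devil's playground)",
    ":z2!agent@192.0.2.11 PRIVMSG #constructed-chan :trinity v3 by self (an idle mind is the devil's playground)",
    ":ctrl!c@203.0.113.9 PRIVMSG #constructed-chan :tsyn agentpw 198.51.100.7 300",
    ":z1!agent@192.0.2.10 PRIVMSG #constructed-chan :(trinity) someone needs a miracle...",
    ":bob!bob@example.org PRIVMSG #chat :port 8080 is closed again",
]

if __name__ == "__main__":
    hits = scan_irc_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit.line_no}: {hit.kind} from {hit.nick}!{hit.userhost} in {hit.target}: {hit.detail}")
    print(compromised_hosts(hits))
```

Run against the constructed log it reports the `ver?` and `tsyn` lines from the controller and the three agent replies in `#constructed-chan`, while carol's "ping me" and bob's "port 8080" in `#chat` are ignored. The `compromised_hosts` output is the list an operator would hand to the owners of those hosts; the rpc.statd compromise mentioned elsewhere in this thread is what needs fixing on them, not the IRC client.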

  3. Re:Only half the story. by Phexro · · Score: 3

    according to this posting on the securityfocus INCIDENTS list, trinity is often propagated by the ever-popular rpc.statd exploit.

    oh, and the guy who posted to INCIDENTS beat out iss by >1 week. :)

    btw, trinity is old news to the skr1p+ k1ddi3 scene.
    --

  4. What? by Shotgun · · Score: 5

    Let me get this straight. There's a trojan floating around which requires some libraries be installed in secure locations, which requires root permissions. So the article goes on about how the trojan works, but gives not one indication of how the thing gets installed. Not to worry though, they have a product that will plug the hole for you.

    Why do I smell old fish? It sounds to me that there is an attempt to sell a product by scare-mongering. How can an IRC chat session install files in a directory that requires root permissions? If someone is chatting in IRC as root and allows unchecked software to be installed from a remote server, aren't they getting what they deserve in the same way that I would get my just deserts from driving my car without motor oil? Open-source does not equate to security in spite of stupidity!!

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
    1. Re:What? by ichimunki · · Score: 4

      The key here is that the systems have been compromised using a completely un-IRC-related flaw in rpc.statd (check securityfocus.com for more info). This has nothing to do with IRCing as root and allowing remote installs. The agent installed on the compromised machine then uses IRC to accept commands, either privately or from the public channel. An ingenious way to broadcast commands to clients, imho. This could be extended to download files/scripts on the fly via dcc transfers and/or to recognize commands as separate from idle chatter on the channel. On a LAN with IRCd on a secure server, this could be fun. As a tool for DDoS it's still crafty since it alleviates the need for the cracker to be logged into all the compromised machines or even to remember which machines are cracked -- they come to him/her.

      --
      I do not have a signature
  5. DDoS and IRC by FeeDBaCK · · Score: 3

    Is it just me, or do *all* the DDoS tools seem to arise from IRC? I am not saying this as anything bad against IRC. I personally use IRC quite a bit and find it to be an excellent tool for communication. What really bothers me is the little "hax0r kiddiez" who have nothing better to do than attempt to take over channels and brag to each other how 1337 they are (*not*).

    Honestly, this was probably conceived of so somebody could flood an irc server and get it to split from the rest of the network. Especially if it is using irc as a control interface.

    I find this kind of thing quite prevalent in many places. I was speaking to a kid (he's only 15) the other day who "created" a local ls exploit just for fun. This kind of thing freaks me out.

    Software like this gets put on servers either through social engineering (convincing the admin to install it) or even more commonly by finding systems with security holes that have been well documented, "rooting" the system, and installing anything the attacker deems necessary. It is fairly simple to do this.

    Use nmap to scan an ip range. Keep details on what OS/daemons it is running. Search all your favorite script kiddie sites for exploits on those systems. Use exploit. Get root. Install DDoS daemon. Flood IRC server.

    Look how '1337 you are now (*not*)!!!

    --
    wolf31o2 Developer, Gentoo Linux Games Team
    1. Re:DDoS and IRC by happystink · · Score: 3
      As I think we all know, IRC is a magnet for annoying people. I used to work at an ISP that got DOSed all the time because they let a customer run an irc server from an old machine there. Once they just got rid of the irc server they went forever without a single attack.

      It's nice to say "you can't blame a protocol for these problems", but when 99% of the protocol's users are annoying 12 yr olds, then I do.

      --
      See the "..for smart people" banners Wired runs here? Look elsewhere guys.

  6. Re:Freaky... by itarget · · Score: 4

    For the most part it's a script kiddie effort.

    Step 1: Obtain pre-made buffer overflow tool of the week.
    Step 2: Sweep blocks of IP addresses for vulnerable machines (it's frightening how many publicly accessible boxes aren't hardened).
    Step 3: Gain access to vulnerable machines by "rooting" them, usually with a premade rootkit (most malicious attackers actually have no idea how most of the tools they use, or the systems they're breaking into, work).
    Step 4: With this newfound access to often many machines in a single sweep, install whatever you want (eg: Trinity) on them all.

    Once the attacker has amassed enough machines to be his or her zombies, the attacker can trigger DDoS software on them all to hammer a specific site.

    I don't know what's more frightening; the number of neglected servers running old, vulnerable services... or the growing number of home desktops with megabit+ net connections infected with remote administration trojans.

    --

    "Where shall the word be found, where will the word resound? Not here, there is not enough silence." -T.S. Eliot