Trinity DDoS Discovered
BulletValentine writes "ZDNet is reporting that approximately 400 machines have been found to be running Trinity v3, a DDoS attack program. Supposedly Trinity can set up to eight different types of flood attacks. ZDNet referred readers to Internet Security Solutions for more information about the attack and precautions to take."
There is a much better article at http://xforce.iss.net/alerts/advise59.php.
-------
Synopsis: A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.
The flooding commands have this format: , where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds. The available flood types are the following:
tudp: "udpflood"
tfrag: "fragmentflood"
tsyn: "synflood"
trst: "rstflood"
trnd: "randomflagsflood"
tack: "ackflood"
testab: "establishflood"
tnull: "nullflood"
Other available commands include:
ping: Ping each client. The client will respond with "(trinity) someone needs a miracle..."
size: Set the packet size for the flood, 0 for random.
port: Set which port to hit, 0 for random.
ver?: Get the agent's version. The agent X-Force is analyzing replies with " trinity v3 by self (an idle mind is the devil's playground)"
-------------
-Pete
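The advisory quoted above gives a network defender two usable signatures: the fixed strings a Trinity agent sends back to "ping" and "ver?", and the flood-type command words. The following is an added example (not from the advisory, X-Force, or the commenter) that scans constructed IRC PRIVMSG log lines for those signatures and reports which nicks look like agents and which look like controllers; the raw-stream log format and the argument order in the sample flood line are assumptions.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Agent reply strings quoted in the X-Force advisory (strong signals).
TRINITY_PING_REPLY = "(trinity) someone needs a miracle..."
TRINITY_VERSION_REPLY = "trinity v3 by self (an idle mind is the devil's playground)"

# Flood-type command words listed in the advisory (strong signals).
FLOOD_COMMANDS = {"tudp", "tfrag", "tsyn", "trst", "trnd", "tack", "testab", "tnull"}
# Other commands from the advisory; "ping"/"size"/"port" are common words,
# so on their own they are only a weak signal.
WEAK_COMMANDS = {"ping", "size", "port", "ver?"}

# Assumed log format: raw IRC server stream, one PRIVMSG per line.
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!\S+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (category, nick) for a Trinity-related line, else None.
    Categories: agent_reply, flood_cmd, weak_cmd."""
    m = PRIVMSG_RE.match(line.strip())
    if not m:
        return None
    nick, text = m.group("nick"), m.group("text").strip()
    if text in (TRINITY_PING_REPLY, TRINITY_VERSION_REPLY):
        return ("agent_reply", nick)
    first = text.split()[0].lower() if text else ""
    if first in FLOOD_COMMANDS:
        return ("flood_cmd", nick)
    if first in WEAK_COMMANDS:
        return ("weak_cmd", nick)
    return None

def scan(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Aggregate nicks per category; agent_reply nicks are likely compromised hosts."""
    report: Dict[str, Set[str]] = {"agent_reply": set(), "flood_cmd": set(), "weak_cmd": set()}
    for line in lines:
        hit = classify_line(line)
        if hit:
            report[hit[0]].add(hit[1])
    return report

# Constructed sample log (hosts, nicks and addresses are made up).
SAMPLE_LOG = [
    ":h4x!u@192.0.2.1 PRIVMSG #chan :ping",
    ":bot17!b@198.51.100.5 PRIVMSG #chan :(trinity) someone needs a miracle...",
    ":bot22!b@198.51.100.9 PRIVMSG h4x :trinity v3 by self (an idle mind is the devil's playground)",
    ":h4x!u@192.0.2.1 PRIVMSG #chan :tsyn pass 203.0.113.7 60",  # argument order assumed
    ":alice!a@198.51.100.2 PRIVMSG #chan :anyone seen the new kernel?",
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Matching exact reply strings catches only this version's agents; the advisory notes that other versions may be in the wild, so treat the flood command words as the more durable signal.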
Soccer Goal Plans
Let me get this straight. There's a trojan floating around which requires some libraries be installed in secure locations, which requires root permissions. So the article goes on about how the trojan works, but gives not one indication of how the thing gets installed. Not to worry though, they have a product that will plug the hole for you.
Why do I smell old fish? It sounds to me that there is an attempt to sell a product by scare-mongering. How can an IRC chat session install files in a directory that requires root permissions? If someone is chatting in IRC as root and allows unchecked software to be installed from a remote server, aren't they getting what they deserve in the same way that I would get my just deserts from driving my car without motor oil? Open-source does not equate to security in spite of stupidity!!
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba