Published:
05 September 2000
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2000.242 --
              Internet Security Systems Security Alert
            Trinity v3 Distributed Denial of Service tool

                              6 September 2000

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Impact:                 Distributed Denial of Service
Access Required:        Remote

--------------------------BEGIN INCLUDED TEXT--------------------

Internet Security Systems Security Alert
September 5, 2000

Trinity v3 Distributed Denial of Service tool

Synopsis:

A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding target machines with large amounts of traffic. In February of this year, several of the Internet's biggest websites, including Yahoo, Amazon.com, Ebay and Buy.com, were taken down for extended periods of time by tools similar to Trinity.

Description:

Trinity is a Distributed Denial of Service tool that is controlled by IRC. In the version that the X-Force has been analyzing, the agent binary is installed on a Linux system at /usr/lib/idle.so. When idle.so is started, it connects to an Undernet IRC server on port 6667.
There is a list of servers in the binary:

    204.127.145.17 216.24.134.10 208.51.158.10 199.170.91.114 207.173.16.33 207.96.122.250 205.252.46.98 216.225.7.155 205.188.149.3 207.69.200.131 207.114.4.35

When Trinity connects, it sets its nickname to the first 6 characters of the host name of the affected machine, plus 3 random letters or numbers. For example, the computer named machine.example.com would connect and set its nickname to machinabc, where abc is 3 random letters or numbers. If there is a period in the first 6 characters of the host name, the period is replaced by an underscore.

In our copy of Trinity, it joins the IRC channel #b3eblebr0x using a special key. Once it's in the channel, the agent will wait for commands. Commands can be sent to individual Trinity agents, or sent to the channel and all agents will process the command.

The flooding commands have this format:

    <flood> <password> <victim> <time>

where flood is the type of flood, password is the agent's password, victim is the victim's IP address, and time is the length of time to flood the agent, in seconds.

The available flood types are the following:

    tudp:    "udpflood"
    tfrag:   "fragmentflood"
    tsyn:    "synflood"
    trst:    "rstflood"
    trnd:    "randomflagsflood"
    tack:    "ackflood"
    testab:  "establishflood"
    tnull:   "nullflood"

Other available commands include:

    ping:          Ping each client. The client will respond with
                   "(trinity) someone needs a miracle..."
    size <size>:   Set the packet size for the flood, 0 for random.
    port <port>:   Set which port to hit, 0 for random.
    ver?:          Get the agent's version. The agent X-Force is analyzing
                   replies with "<trinity> trinity v3 by self (an idle mind
                   is the devil's playground)"

Another binary found on affected systems is /var/spool/uucp/uucico. This binary is not to be confused with the real "uucico", which resides in /usr/sbin, or other default locations such as /usr/lib/uucp. This is a simple backdoor program that listens on TCP port 33270 for connections.
When a connection is established, the attacker sends a password to get a root shell. The password in the binaries that we have analyzed is "!@#". When the uucico binary is executed it changes its name to "fsflush".

Recommendations:

Scan all systems for port 33270 connections. If any connections are found, telnet to that port and type "!@#". A system has been compromised if there is a root shell present after a successful connection to port 33270.

Use "ps" and "lsof" in the following manner to identify a port-shell installed by Trinity:

    # /usr/sbin/lsof -i TCP:33270
    COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
    uucico   6862 root    3u  IPv4  11199       TCP *:33270 (LISTEN)

    # /usr/sbin/lsof -c uucico
    COMMAND   PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
    uucico   6862 root  cwd    DIR    8,1    4096 306099 /home/jlarimer
    uucico   6862 root  rtd    DIR    8,1    4096      2 /
    uucico   6862 root  txt    REG    8,1    4312 306589 /home/jlarimer/uucico
    uucico   6862 root  mem    REG    8,1  344890 416837 /lib/ld-2.1.2.so
    uucico   6862 root  mem    REG    8,1 4118299 416844 /lib/libc-2.1.2.so
    uucico   6862 root    0u   CHR  136,2              4 /dev/pts/2
    uucico   6862 root    1u   CHR  136,2              4 /dev/pts/2
    uucico   6862 root    2u   CHR  136,2              4 /dev/pts/2
    uucico   6862 root    3u  IPv4  11199            TCP *:33270 (LISTEN)

    # ps 6862
      PID TTY      STAT   TIME COMMAND
     6862 pts/2    S      0:00 fsflush

Since the Trinity v3 agent does not listen on any ports, it may be difficult to detect unless you are watching for suspicious IRC traffic. If a machine that has a Trinity agent installed is found, it may have been completely compromised. The operating system must be completely reinstalled along with any available security patches.

Public chat systems can pose a legitimate security risk. It is up to each user's discretion to protect from malicious content distributed via these networks.

ISS RealSecure already contains functionality that may aid in detection of Trinity. Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the RealSecure console to help track IRC activity.
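The IRC-side indicators this alert gives (the join to #b3eblebr0x, the host-name-derived nickname, the fixed ping reply and version string) can also be checked against IRC traffic or server logs with a small script. The following is an added example, not part of the ISS alert or of RealSecure; the ":nick!user@host COMMAND params" line shape it parses, the assumption that the host field equals the machine's own host name, and the sample lines are all constructed here.

```python
import re

# Indicators quoted from the ISS X-Force alert above.
TRINITY_CHANNEL = "#b3eblebr0x"
PING_REPLY = "(trinity) someone needs a miracle..."
VERSION_REPLY = "trinity v3 by self"

# Assumed IRC line shape: ":nick!user@host COMMAND params [:trailing]"
IRC_LINE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+"
                      r"(?P<cmd>[A-Z]+)\s*(?P<params>.*)$")

def expected_nick_prefix(hostname):
    """Alert's rule: first 6 characters of the host name, '.' replaced by '_'."""
    return hostname[:6].replace(".", "_")

def nick_fits_trinity_scheme(nick, hostname):
    """True if nick is that prefix followed by exactly 3 letters or digits."""
    pattern = re.escape(expected_nick_prefix(hostname)) + r"[A-Za-z0-9]{3}"
    return re.fullmatch(pattern, nick) is not None

def scan_irc_lines(lines):
    """Return (reason, line) pairs for lines that match a Trinity indicator."""
    findings = []
    for line in lines:
        m = IRC_LINE.match(line)
        if not m:
            continue  # not a prefixed IRC message; ignore
        nick, host, cmd, params = m["nick"], m["host"], m["cmd"], m["params"]
        target = params.split()[0].lstrip(":") if params.strip() else ""
        if cmd == "JOIN" and target == TRINITY_CHANNEL:
            findings.append(("join to Trinity channel", line))
        elif cmd == "PRIVMSG" and PING_REPLY in params:
            findings.append(("Trinity ping reply", line))
        elif cmd == "PRIVMSG" and VERSION_REPLY in params:
            findings.append(("Trinity version reply", line))
        elif nick_fits_trinity_scheme(nick, host):
            # Weak indicator on its own: a human may pick such a nick too.
            findings.append(("nick follows Trinity naming scheme", line))
    return findings

# Constructed sample traffic for demonstration, not captured data.
SAMPLE_LINES = [
    ":alice!alice@desk.example.com JOIN #linux",
    ":machinabc!root@machine.example.com JOIN :#b3eblebr0x",
    ":machinabc!root@machine.example.com PRIVMSG #b3eblebr0x "
    ":(trinity) someone needs a miracle...",
    ":www_exq7z!root@www.example.org PRIVMSG #random :hello",
    ":alice!alice@desk.example.com PRIVMSG #linux :anyone seen the new kernel?",
]
```

Running scan_irc_lines(SAMPLE_LINES) flags the second, third and fourth lines; the nickname match is reported separately because it is the weakest of the indicators and should be confirmed with the channel join or the port 33270 check above.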
These decodes can detect joins to the IRC channel #b3eblebr0x, as well as behavior associated with Trinity. In addition, security administrators may choose to enable a connection event for TCP port 33270 to detect connections to the portshell that Trinity is installed on.

ISS Internet Scanner can be configured to scan machines on your network with the TCP Port Scanner turned on. The TCP Port Scanner can be enabled by selecting it under the Services category in the Policy Editor. The TCP Port Scanner should be configured to scan port 33270. If machines are found to be listening on this port, they may have the Trinity portshell installed.

The ISS X-Force will provide additional functionality to detect these vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure, and System Scanner.

Additional Information:

This information has been researched by Jon Larimer <jlarimer@iss.net> of the Internet Security Systems X-Force.

______

About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

--------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for emergencies.