IP: new DoS attack

[Dave Farber <farber () cis upenn edu>]

> X-Sender: laubach () sogo matmos com
> Date: Wed, 6 Sep 2000 12:01:32 -0700
> To: farber () cis upenn edu
> From: Mark Laubach <laubach () matmos com>
> Subject: Fwd: new DoS attack
>
> Dunno validity, but interesting.
> Mark
>
> --- begin forwarded text
>
>
> Delivered-To: firewalls () lists gnac net
> Reply-To: <gkhunter () bgnetworking com>
> From: "Gregory K Hunter \(BG Networking\)" <gkhunter () bgnetworking com>
> To: "Firewalls \(E-mail\)" <firewalls () Lists GNAC NET>
> Subject: new DoS attack
> Date: Wed, 6 Sep 2000 11:43:57 -0700
> X-Priority: 1 (Highest)
> Importance: High
> Sender: firewalls-owner () Lists GNAC NET
> X-Loop: firewalls () lists gnac net
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Internet Security Systems Security Alert
> September 5, 2000
>
> Trinity v3 Distributed Denial of Service tool
>
> Synopsis:
> A new Distributed Denial of Service tool, "Trinity v3", has been
> discovered in the wild. There have been reports of up to 400 hosts
> running
> the Trinity agent. In one Internet Relay Chat (IRC) channel on the
> Undernet network, there are 50 compromised hosts with Trinity
> running,
> with new hosts appearing every day. It is not known how many
> different
> versions of Trinity are in the wild.
>
> Impact:
>
> Distributed Denial of Service attacks can bring down a network by
> flooding
> target machines with large amounts of traffic.  In February of this
> year,
> several of the Internet's biggest websites, including Yahoo,
> Amazon.com,
> Ebay and Buy.com were taken down for extended periods of time by
> tools
> similar to Trinity.
>
> Description:
>
> Trinity is a Distributed Denial of Service tool that is controlled by
> IRC.
> In the version that the X-Force has been analyzing, the agent binary
> is
> installed on a Linux system at /usr/lib/idle.so. When idle.so is
> started,
> it connects to an Undernet IRC server on port 6667. There is a list
> of
> servers in the binary:
>
> 204.127.145.17
> 216.24.134.10
> 208.51.158.10
> 199.170.91.114
> 207.173.16.33
> 207.96.122.250
> 205.252.46.98
> 216.225.7.155
> 205.188.149.3
> 207.69.200.131
> 207.114.4.35
>
> When Trinity connects, it sets its nickname to the first 6 characters
> of
> the host name of the affected machine, plus 3 random letters or
> numbers.
> For example, the computer named machine.example.com would connect and
> set
> its nickname to machinabc, where abc is 3 random letters or numbers.
> If
> there is a period in the first 6 characters of the host name, the
> period
> is replaced by an underscore. In our copy of Trinity, it joins the
> IRC
> channel #b3eblebr0x using a special key.  Once it's in the channel,
> the
> agent will wait for commands. Commands can be sent to individual
> Trinity
> agents, or sent to the channel and all agents will process the
> command.
>
> The flooding commands have this format: <flood> <password> <victim>
> <time>, where flood is the type of flood, password is the agent's
> password, victim is the victim's IP address, and time is the length
> of
> time to flood the agent, in seconds. The available flood types are
> the
> following:
>
> tudp: "udpflood"
> tfrag: "fragmentflood"
> tsyn: "synflood"
> trst: "rstflood"
> trnd: "randomflagsflood"
> tack: "ackflood"
> testab: "establishflood"
> tnull: "nullflood"
>
> Other available commands include:
>
> ping: Ping each client. The client will respond with "(trinity)
> someone
> needs a miracle..."
> size : Set the packet size for the flood, 0 for random.
> port : Set which port to hit, 0 for random.
> ver?: Get the agent's version. The agent X-Force is analyzing replies
> with
> " trinity v3 by self (an idle mind is the devil's playground)"
>
> Another binary found on affected systems is /var/spool/uucp/uucico.
> This
> binary is not to be confused with the real "uucico", which resides in
> /usr/sbin, or other default locations such as /usr/lib/uucp.  This is
> a
> simple backdoor program that listens on TCP port 33270 for
> connections.
> When a connection is established, the attacker sends a password to
> get a
> root shell. The password in the binaries that we have analyzed is
> "!@#".
> When the uucico binary is executed it changes its name to "fsflush".
>
> Recommendations:
>
> Scan all systems for port 33270 connections. If any connections are
> found,
> telnet to that port and type "!@#". A system has been compromised if
> there
> is a root shell present after a successful connection to port 33270.
>
> Use "ps" and "lsof" in the following manner to identify a port-shell
> installed by Trinity:
>
> # /usr/sbin/lsof -i TCP:33270
> COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
> uucico  6862 root    3u  IPv4  11199       TCP *:33270 (LISTEN)
>
> # /usr/sbin/lsof -c uucico
> COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
> uucico  6862 root  cwd    DIR    8,1    4096 306099 /home/jlarimer
> uucico  6862 root  rtd    DIR    8,1    4096      2 /
> uucico  6862 root  txt    REG    8,1    4312 306589
> /home/jlarimer/uucico
> uucico  6862 root  mem    REG    8,1  344890 416837 /lib/ld-2.1.2.so
> uucico  6862 root  mem    REG    8,1 4118299 416844
> /lib/libc-2.1.2.so
> uucico  6862 root    0u   CHR  136,2              4 /dev/pts/2
> uucico  6862 root    1u   CHR  136,2              4 /dev/pts/2
> uucico  6862 root    2u   CHR  136,2              4 /dev/pts/2
> uucico  6862 root    3u  IPv4  11199            TCP *:33270 (LISTEN)
>
> # ps 6862
>   PID TTY      STAT   TIME COMMAND
>  6862 pts/2    S      0:00 fsflush
>
>
> Since the Trinity v3 agent does not listen on any ports, it may be
> difficult to detect unless you are watching for suspicious IRC
> traffic. If
> a machine that has a Trinity agent installed is found, it may have
> been
> completely compromised. The operating system must be completely
> reinstalled along with any available security patches.
>
> Public chat systems can pose a legitimate security risk.  It is up to
> each
> user's discretion to protect from malicious content distributed via
> these
> networks.
>
> ISS RealSecure already contains functionality that may aid in
> detection of
> Trinity.  Enable the IRC_Nick, IRC_Msg, and IRC_Join decodes via the
> RealSecure console to help track IRC activity.  These decodes can
> detect
> joins to the IRC channel #b3eblebr0x, as well as behavior associated
> with
> Trinity.  In addition, security administrators may choose to enable a
> connection event for TCP port 33270 to detect connections to the
> portshell
> that Trinity is installed on.
>
> ISS Internet Scanner can be configured to scan machines on your
> network with the TCP Port Scanner turned on. The TCP Port Scanner can
> be
> enabled by selecting it under the Services category in the Policy
> Editor.
> The TCP Port Scanner should be configured to scan port 33270. If
> machines
> are found to be listening on this port, they may have the Trinity
> portshell installed.
>
> The ISS X-Force will provide additional functionality to detect these
> vulnerabilities in upcoming X-Press Updates for Internet Scanner,
> RealSecure, and System Scanner.
>
> Additional Information:
>
> This information has been researched by  Jon Larimer of
> the Internet Security Systems X-Force.
> ______
>
> About Internet Security Systems (ISS)
> Internet Security Systems (ISS) is a leading global provider of
> security
> management solutions for the Internet. By providing industry-leading
> SAFEsuite security software, remote managed security services, and
> strategic consulting and education offerings, ISS is a trusted
> security
> provider to its customers, protecting digital assets and ensuring
> safe
> and uninterrupted e-business. ISS' security management solutions
> protect
> more than 5,500 customers worldwide including 21 of the 25 largest
> U.S.
> commercial banks, 10 of the largest telecommunications companies and
> over 35 government agencies. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America and
> international operations in Asia, Australia, Europe, Latin America
> and
> the Middle East. For more information, visit the Internet Security
> Systems web site at www.iss.net or call 888-901-7477.
>
> Copyright (c) 2000 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express
> consent of the X-Force. If you wish to reprint the whole or any part
> of
> this Alert in any other medium excluding electronic medium, please
> e-mail xforce () iss net for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of
> this
> information constitutes acceptance for use in an AS IS condition.
> There
> are NO warranties with regard to this information. In no event shall
> the
> author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of
> this
> information is at the user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
> well
> as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force
> xforce () iss net of Internet Security Systems, Inc.
>
> - --
> Regards,
>
> Gregory K Hunter
> BG Networking
> RLU# 187099
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBObaQbTqxit4AvJ4FEQIZvwCeISkJPClA/DlKx2/6ObiZptKcdpwAoN+3
> ezDgD2D6HYk9JaPYsC4ByUvq
> =ZW8O
> -----END PGP SIGNATURE-----
>
> -
> [To unsubscribe, send mail to majordomo () lists gnac net with
> "unsubscribe firewalls" in the body of the message.]
>
> --- end forwarded text