Information Security News mailing list archives

Tribe and Trinoo: Latest and Most Powerful Viruses


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Fri, 24 Dec 1999 01:52:24 -0700

Forwarded From: "Noonan, Michael D" <mdn () intel com>

http://news.cnet.com/news/0-1003-200-1501144.html?tag=st.ne.1002.tgif?st.ne.fd.gif.f

Computer security teams brace for attacks
By Stephen Shankland
Staff Writer, CNET News.com
December 20, 1999, 1:30 p.m. PT

Computer security teams are bracing for holiday attacks by two programs
that enlist multiple systems to launch coordinated assaults on Web
servers.

Concern is mounting that the two malicious programs, called Tribe Flood
Network and Trinoo, will show their colors in coming weeks. Experts fear
that the holidays are a likely time, because computer administrators on
vacation will be harder to locate and likely won't be paying as much
attention to systems under their control.

In addition, some suggest attackers are likely to strike in the midst of
confusion that people expect with the arrival of the Year 2000 computer
problem.

Tribe and Trinoo also may be more powerful than previous programs of the
same kind. The duo, which started appearing in recent months, "are a step
above what has happened before," according to Dave Dittrich, a computer
security technician at the University of Washington who wrote analyses of
the programs.

When installed onto hundreds or thousands of computers, the programs
simultaneously bombard a select point on the Internet. If the information
from the attackers comes fast enough, the target computer freezes up.

Flooding attacks such as Tribe and Trinoo are examples of so-called
denial-of-service attacks, a method that's been around as long as there
have been networks to inundate. And launching attacks from several
computers too has been tried before, for example with the "Smurf" attacks
of last year.

But Tribe and Trinoo give a new level of control to the attacker, and they
are being improved, Dittrich said.

Moreover, because the origin of the program is obscured, it's hard to
counteract, said Quinn Peyton of the Computer Emergency Response Team
(CERT) at Carnegie Mellon University.

"There are machines now sitting there, prepared to attack somebody else,"
Peyton said. "Now one person can do a massive denial-of-service."

CERT warns that the Trinoo and Tribe attack tools "appear to be undergoing
active development, testing and deployment on the Internet."

Tribe Flood Network and Trinoo launch their attacks from a host of
innocent computers that already have been broken into. Then, on a signal
from a master computer, the computers simultaneously bombard the victim
machine with packets of information so fast that it becomes unresponsive.
At that point, the target computer won't respond to commands and can't be
taken off the network.

To monitor computer attacks and vulnerabilities, the FBI in 1998 set up an
office called the National Infrastructure Protection Center (NIPC).
Although FBI officials did not comment on the Tribe or Trinoo attacks, the
FBI is holding a news conference tomorrow about Y2K issues, a spokesman
said.

"There's a lot of paranoia for the Y2K stuff," said David Crawford of the
Energy Department's Computer Incident Advisory Capability.

CIAC is working hard to prepare a description of how to identify Trinoo
and Tribe in the next few days. "We're looking for a unique signature that
will identify these types of attack," he said.
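The article describes the tools' architecture (agents on many compromised hosts flood one target on a signal from a master) and CIAC's search for a signature to identify such an attack. The most robust observable on the defender's side is not a packet signature but the traffic shape itself: within a short window, an unusually large number of distinct sources all send packets to one destination at a rate far above normal. The following script is an added illustration of that many-to-one detection logic over constructed flow records; it is not code from the article, from CIAC, or from any of the people quoted. The record format, the function names, the thresholds (`min_sources`, `min_pps`) and the sample traffic are all assumptions made for the example.

```python
"""Detect a many-to-one packet flood in constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class FlowRecord:
    """One aggregated flow observation (assumed format, not a real collector's)."""
    ts: float      # seconds since the start of the capture
    src: str       # source address
    dst: str       # destination address
    packets: int   # packets counted in this record


def detect_distributed_flood(records, window=5.0, min_sources=50, min_pps=1000.0):
    """Return one alert per (window, destination) in which at least
    `min_sources` distinct sources together deliver at least `min_pps`
    packets per second. Thresholds are illustrative assumptions; a real
    deployment tunes them against a baseline of the site's normal traffic.
    """
    # bucket index -> destination -> [set of sources, packet count]
    buckets = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for r in records:
        entry = buckets[int(r.ts // window)][r.dst]
        entry[0].add(r.src)
        entry[1] += r.packets

    alerts = []
    for b in sorted(buckets):
        for dst, (sources, count) in buckets[b].items():
            pps = count / window
            # Both conditions must hold: many sources AND a high aggregate rate.
            # A busy but legitimate server has many sources at a modest rate;
            # a single misbehaving client has a high rate from one source.
            if len(sources) >= min_sources and pps >= min_pps:
                alerts.append({
                    "window_start": b * window,
                    "target": dst,
                    "sources": len(sources),
                    "pps": pps,
                })
    return alerts


def constructed_capture(seed=7):
    """Build constructed sample traffic: 30 seconds of ordinary client/server
    activity, plus 200 agents flooding one server during seconds 10..14.
    Addresses come from private and documentation ranges; none are real hosts.
    """
    rng = random.Random(seed)
    records = []
    servers = [f"10.0.0.{i}" for i in range(1, 6)]
    clients = [f"192.0.2.{i}" for i in range(1, 31)]
    # Background: each client sends a few packets per second to a random server.
    for t in range(30):
        for c in clients:
            records.append(FlowRecord(float(t), c, rng.choice(servers), rng.randint(1, 5)))
    # Flood: 200 distinct agents all target 10.0.0.1 at the same moment.
    agents = [f"203.0.113.{i}" for i in range(1, 201)]
    for t in range(10, 15):
        for a in agents:
            records.append(FlowRecord(float(t), a, "10.0.0.1", 400))
    rng.shuffle(records)  # collectors do not deliver records in order
    return records


if __name__ == "__main__":
    for alert in detect_distributed_flood(constructed_capture()):
        print(f"t={alert['window_start']:.0f}s target={alert['target']} "
              f"sources={alert['sources']} rate={alert['pps']:.0f} pps")
```

Run stand-alone, the script reports a single window (starting at 10 s) in which 10.0.0.1 is hit by at least 200 distinct sources at tens of thousands of packets per second, while the background traffic, which spreads a few packets per second over many clients, never trips both thresholds. The same shape-based check applies whatever the agent software is, which matters here because the article notes the tools were still being modified.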

Dittrich might know. He had to respond when 27 computers at his university
were among 227 that attacked the University of Minnesota during three days
in August.

"I was having a hard time finding all the people and getting all the
systems cleaned up," he said, and that was just for a small fraction of
the systems involved.

"During that time, their network was pretty much unusable for 100,000
users," Dittrich said. "There isn't much of a defense against these
denial-of-service attacks."

University of Washington computers also were used for attacks on computers
in France, Norway and Australia, he said.

The attack software was installed primarily on computers using Sun
Microsystems' Solaris and Linux--both variations of the Unix operating
system. To break into those computers, the intruder took advantage of
known vulnerabilities that allowed him or her to take almost complete
control of a computer then erase his or her tracks, Dittrich said.

"The core message is that people who have systems on the Internet need to
know how to deal with them," Dittrich said. "You can't expect your
computer to be running for years, like a microwave. It's more like a
really expensive car, where you've got to be taking it in for maintenance
all the time."

In the attack on the University of Minnesota, 114 of the 227 attacking
systems were part of the Internet 2, a higher-speed successor to the
current Internet. Using Internet 2 was important, because its higher-speed
network can deliver more volleys in the denial-of-service attack.

"Whoever has the bigger pipe wins," Dittrich said.

ISN is sponsored by Security-Focus.COM
