Threat Description

Trin00

Details

Aliases: Trin00, Trinoo, TFN, TFN2000, Stacheldraht
Category: Malware
Type:
Platform: W32

Summary



These programs are not viruses but DoS tools: programs used to mount denial of service attacks against any machine on the Internet, typically a web server.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



BACKGROUND INFORMATION ON DENIAL OF SERVICE ATTACKS
By Camillo Sars, F-Secure Crypto Research
e-mail: Camillo.Sars@F-Secure.com

Introduction

Denial of Service (DoS) Attacks are attacks on computer systems that aim to disrupt or terminate services provided by the systems. On the Internet, this usually means (repeatedly) crashing services or exhausting some limited resource. DoS attacks can often be performed over the network, and exploit security flaws that exist in the services.

Typical DoS attacks are:
- Exhausting the network bandwidth of a site.
- Exhausting the [inbound] network connections of a service.
- Crashing a service using some security flaw.
- Crashing the computer running a service using some security flaw.

Recently, heavy DoS attacks have been described [1,2]. These attacks use a network of computers to spread the attack sources over many network locations, and are known as Distributed Denial of Service (DDoS) attacks.

The best-known distributed DoS attack tools to date are called "trin00" [3,4] and "Tribe Flood Network" (TFN) [4].

Master-Slave Configuration

The attack tools for distributed DoS attacks use a master-slave configuration. The slave processes are installed on a large number of compromised Internet hosts, where they report their successful installation to their master process. The master process thus collects a list of many compromised hosts running the slave process. The resulting master-slave network may include a large number of hosts in widely different network locations.

The slaves carry one or several DoS routines that can be invoked remotely by the master process. The master process can also control the targets and parameters for the attack. Some of the commands are password protected to prevent unauthorized activation or deactivation of the attacks.

Slave processes can be installed on virtually any suitable system, as the loss of a single slave process has very little effect on the overall performance of the network.

The master process can poll the status of its slave processes and keeps a list of known slaves. When the attacker connects to the master, a password is required before access is allowed. Once the correct password has been supplied, the attacker can issue commands to the master. The commands direct all the active slaves of the master process, so large-scale attacks can be launched and terminated very quickly.

Master processes are often carefully protected and installed on systems where detection is unlikely because of bad administration practices or heavy user activity.

An attacker can connect to a master process from virtually any Internet host, as the master accepts standard telnet-type connections. A single attacker may control several DoS master processes, giving instant access to huge numbers of slave processes.

Impact

Attacked systems will notice a huge increase in network traffic. Depending on the attack, the traffic may come from valid Internet addresses or from random source addresses forged by the slave processes.

If the attacked system is directly vulnerable to any of the DoS attacks performed by the slave processes, it will crash or malfunction, and it cannot be brought back up without crashing again as long as the attack continues.

If the attacked system does not crash from the attacks, its network capacity will quickly be exhausted. Reports indicate attack rates of several gigabits per second, which far exceed the capacity of most Internet sites.
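The traffic pattern described in this section is what a defender can actually look for. As an added example (not from the original page or from Camillo Sars's text), the Python script below scores each destination in a set of constructed flow records on two signals the article gives: a large jump in inbound packet rate against a quiet baseline, and a source-address population that looks randomly generated (thousands of distinct sources, each seen about once, scattered across many /16 networks). The flow record layout, the thresholds (a tenfold rate increase, a dispersion of 0.8) and the sample traffic are assumptions made for this illustration.

```python
import ipaddress
import random
from collections import namedtuple

# One flow record: timestamp in seconds, source, destination, protocol,
# packet count. The layout is an assumption; real exports (NetFlow, a
# firewall log) would be mapped onto it first.
Flow = namedtuple("Flow", "ts src dst proto packets")


def window_stats(flows, dst, start, end):
    """Return (packet total, set of distinct sources) for dst in [start, end)."""
    packets = 0
    sources = set()
    for f in flows:
        if f.dst == dst and start <= f.ts < end:
            packets += f.packets
            sources.add(f.src)
    return packets, sources


def source_dispersion(sources):
    """Distinct /16 networks divided by distinct sources, from 0.0 to 1.0.

    A crowd of genuine clients clusters into comparatively few networks,
    so the ratio stays low. Randomly generated (forged) source addresses
    scatter so that almost every source lands in its own /16.
    """
    if not sources:
        return 0.0
    nets = {ipaddress.ip_network(f"{s}/16", strict=False) for s in sources}
    return len(nets) / len(sources)


def detect_flood(flows, baseline, attack, rate_factor=10.0, spoof_threshold=0.8):
    """Score every destination seen in the flows.

    baseline and attack are (start, end) windows in seconds. A destination
    is flagged when its packet count in the attack window is at least
    rate_factor times the baseline count; 'spoofed' additionally marks a
    flagged destination whose attack-window sources look randomly
    generated. Both thresholds are assumptions chosen for this sample.
    """
    report = {}
    for dst in sorted({f.dst for f in flows}):
        base_pkts, _ = window_stats(flows, dst, *baseline)
        atk_pkts, atk_srcs = window_stats(flows, dst, *attack)
        if base_pkts:
            ratio = atk_pkts / base_pkts
        else:
            ratio = float("inf") if atk_pkts else 0.0  # no baseline traffic at all
        dispersion = source_dispersion(atk_srcs)
        flagged = ratio >= rate_factor
        report[dst] = {
            "baseline_packets": base_pkts,
            "attack_packets": atk_pkts,
            "rate_ratio": ratio,
            "sources": len(atk_srcs),
            "dispersion": round(dispersion, 3),
            "flagged": flagged,
            "spoofed": flagged and dispersion >= spoof_threshold,
        }
    return report


def sample_flows(seed=1):
    """Constructed flow records, not captured traffic.

    Minute 0 (0-60 s) is quiet for both servers. In minute 1 (60-120 s) the
    victim is hit by 3000 single-packet UDP flows from random addresses,
    the kind of traffic a slave forging source addresses produces, while
    the other server keeps seeing only its usual clients.
    """
    rng = random.Random(seed)
    victim, other = "203.0.113.10", "203.0.113.20"
    # 21 regular clients drawn from three /16 networks.
    clients = [f"{p}.{h}" for p in ("198.51.100", "192.0.2", "100.64.7")
               for h in range(1, 8)]
    flows = []
    for minute_start in (0, 60):
        for i, client in enumerate(clients):
            flows.append(Flow(minute_start + 2.0 * i, client, victim, "tcp", 5))
            flows.append(Flow(minute_start + 2.0 * i + 1.0, client, other, "tcp", 3))
    for k in range(3000):
        forged = "{}.{}.{}.{}".format(rng.randint(1, 223), rng.randint(0, 255),
                                      rng.randint(0, 255), rng.randint(1, 254))
        flows.append(Flow(60.0 + 0.02 * k, forged, victim, "udp", 1))
    return flows


if __name__ == "__main__":
    for dst, r in detect_flood(sample_flows(), (0, 60), (60, 120)).items():
        print(dst, r)
```

Run directly, it prints one report line per server: the victim is flagged with a rate ratio of about 30 and a dispersion above 0.9, while the second server stays at ratio 1.0. Only the rate decides "flagged"; dispersion merely adds the "spoofed" label, because slaves on compromised hosts may flood from their real addresses, and a large rate jump with low dispersion is still worth investigating.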

Defense

If you are the target of a large distributed DoS attack, there are no good ways to defend yourself. Several well-known Internet sites have been completely cut off by DoS attacks recently, including Yahoo.com [5].

If your systems have been compromised and attackers are running masters or slaves on your systems, you must take immediate action to fix the security holes that were used to compromise your system [2]. Your systems may be actively participating in DoS attacks as long as the processes exist.

The only way to completely eliminate this kind of attack is to decrease the number of systems that can be compromised to a level that is too low for attackers to set up large distributed DoS networks.

Acknowledgements and References

The information in this document is based on several sources, but most notably on information from the Incidents mailing list. This document is intended for informational purposes only.

[1] Incidents Mailing List <INCIDENTS@SecurityFocus.com>. Send a message containing "QUERY INCIDENTS" to <LISTSERV@LISTS.SECURITYFOCUS.COM>.
[2] "CERT Incident Note IN-99-07", The CERT Coordination Center, 1999.
[3] David Dittrich <dittrich@cac.washington.edu>, "The DoS Project's "trinoo" distributed denial of service attack tool", University of Washington, 1999.
[4] ISS X-Force, "Denial of Service Attack using the trin00 and Tribe Flood Network programs", Internet Security Systems Inc., 1999.
[5] CNET News.com, "How a basic attack crippled Yahoo", <http://news.cnet.com/news/0-1005-200-1544455.html?tag=st>, February 2000.
