Trin00, Trinoo, TFN, TFN2000, Stacheldraht


These programs are not viruses but DoS tools. DoS tools are programs that can be used to make denial of service attacks against any machine in the Internet - typically a web server.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support


Find the latest advice in our Community.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details



Denial of Service (DoS) Attacks are attacks on computer systems that aim to disrupt or terminate services provided by the systems. On the Internet, this usually means (repeatedly) crashing services or exhausting some limited resource. DoS attacks can often be performed over the network, and exploit security flaws that exist in the services.

Typical DoS attacks are: - Exhausting the network bandwith of a site. - Exhausting the [inbound] network connections of a service. - Crashing a service using some security flaw. - Crashing the computer running a service using some security flaw.

Recently heavy DoS attacks have been described [1,2]. These attacks use a network of computers to distribute the attack sources over several network locations. These attacks are known as Distributed Denial of Service Attacks.

The most known Distributed DoS attack tools to date are called "trin00"[3,4] and "Tribe Flood Network" (TFN)[4].

Master-Slave Configuration

The attack tools for Distributed DoS attacks use a master-slave configuration. The slave processes are installed on a large number of compromised Internet hosts, where they report their successfull installation to their master process. The master process thus collects a list of many compromised hosts running the slave process. The resulting master-slave network may include a large number of hosts in widely different network locations.

The slaves carry one or several DoS routines that can be invoked remotely by the master process. The master process can also control the targets and parameters for the attack. Some of the commands are password protected to prevent unauthorized activation or deactivation of the attacks.

Slave processes can be installed on virtually any suitable system, as the loss of a single slave process has very little effect on the overall performance of the network.

The master process can poll the status of its slave processes and keeps a list of known slaves. When the attacker connects to the master, a password is required before access is allowed. Once the correct password has been supplied, the attacker can issue commands to the master. The commands direct all the active slaves of the master process, so large-scale attacks can be launched and terminated very quickly.

Master processes are often carefully protected and installed on systems where detection is unlikely because of bad administration practices or heavy user activity.

An attacker can connect to a master process from virtually any internet host, as the master accepts standard telnet-type connections. A single attacker may control several DoS master processes, giving instant access to huge numbers of slave processes.


Attacked systems will notice a huge increase in network traffic. Depending on the attack, the traffic may come from valid internet addresses or from random addresses created by the slave processes.

If the attacked system is directly vulnerable to any DoS attacks performed by the slave processes, the system will crash or malfunction and cannot be reactivated without immediately crashing again.

If the attacked system does not crash from the attacks, its network capacity will quickly be exhausted. Reports indicate attack rates of several gigabits per second, which far exceed the capacity of most Internet sites.


If you are the target of a large distributed DoS attack, there are no good ways to defend yourself. Several well-known internet sites have been completely cut off by DoS attacks recently, including [5].

If your systems have been compromised and attackers are running masters or slaves on your systems, you must take immediate action to fix the security holes that were used to compromise your system [2]. Your systems may be actively participating in DoS attacks as long as the processes exist.

The only way to completely eliminate this kind of attacks is to decrease the number of systems that can be compromised to a level that is too low for attackers to set up large distributed DoS networks.

Acknowledgements and References

The information in this document is based on several sources, but most notably on information from the Incidents mailing list. This document is intended for informational purposes only.

[1] Incidents Mailing List [].
Send message

[2] "CERT Incident Note IN-99-07", The CERT Coordination Center, 1999.

[3] David Dittrich [], "The DoS Project's
"trinoo" distributed denial of service attack tool", University of
Washington, 1999.

[4] ISS X-Force, "Denial of Service Attack using the trin00 and Tribe
Flood Network programs", Internet Security Systems Inc., 1999.

[5] CNET, "How a basic attack crippled
Yahoo". [http://news. cnet. com/news /0-1005-200-1544455.html?tag=st]
February 2000.