CERT Incident Note - Windows Trinoo tool.
25e2126138bb2e55f48b34087e2f8ea0f59f9b3c7211778a0c2d68d6de4c24f4
<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<HEAD>
<TITLE>CERT Incident Note IN-2000-01</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" VLINK="#C7AA05" LINK="#004A6B" ALINK="#DDB30B">
<DIV ALIGN="left">
<TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="50%">
<A HREF="http://www.sei.cmu.edu/"> <IMG SRC="http://www.cert.org/images/cmu_sei.gif" WIDTH="239" HEIGHT="37" ALT="The CERT/CC is
part of the Software Engineering Institute at Carnegie Mellon University" BORDER="0"> </A></TD>
<TD WIDTH="50%" VALIGN="middle" ALIGN="right">
<IMG SRC="http://www.cert.org/images/improvingsecurity.gif" WIDTH="123" ALT="Improving Security" HEIGHT="19" ALIGN="bottom"> </TD>
</TR>
</TABLE>
</DIV>
<DIV ALIGN="left">
<TABLE WIDTH="100%" CELLSPACING="0" BORDER="0" CELLPADDING="0">
<TR>
<TD WIDTH="54">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="54" ALT="" HEIGHT="1"></TD>
<TD WIDTH="18%">
<A HREF="http://www.cert.org/nav/index.html"><IMG SRC="http://www.cert.org/images/certcc_head.gif" WIDTH="189" ALT="CERT® Coordination Center" HEIGHT="18" BORDER="0"></A></TD>
<TD WIDTH="85%" BGCOLOR="#DCDCDC">
<P ALIGN="left"><SMALL><SMALL><FONT FACE="Helvetica, Geneva, Arial">
<A HREF="http://www.cert.org/index.html">Home</A> |
<A HREF="http://www.cert.org/nav/whatsnew.html">What's New</A> |
<A HREF="http://www.cert.org/faq/cert_faq.html">FAQ</A> |
<A HREF="http://www.cert.org/contents/contents.html">Site Contents</A> |
<A HREF="http://www.cert.org/contact_cert/contactinfo.html">Contact Us</A> |
<B><A HREF="http://search.cert.org:8765/">SEARCH</A></B>
</FONT></SMALL></SMALL></TD>
</TR>
</TABLE>
</DIV>
<DIV ALIGN="left">
<TABLE WIDTH="100%" CELLSPACING="1" BORDER="0" CELLPADDING="5">
<TR>
<TD WIDTH="47">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1"></TD>
<TD WIDTH="100%" ALIGN="left"><P ALIGN="left">
<FONT SIZE="1" COLOR="#004A6B" FACE="Helvetica, Geneva, Arial">
<A HREF="http://www.cert.org/nav/aboutcert.html">About Us</A> |
<A HREF="http://www.cert.org/nav/alerts.html">Alerts</A> |
<A HREF="http://www.cert.org/nav/training.html">Education and Training</A> |
<A HREF="http://www.cert.org/nav/events.html">Events</A> |
<A HREF="http://www.cert.org/ftp/">FTP Archives</A> |
<A HREF="http://www.cert.org/nav/securityimprovement.html">Improving Security</A> |
<A HREF="http://www.cert.org/nav/other_sources.html">Other Resources</A> |
<A HREF="http://www.cert.org/nav/reports.html">Reports</A> |
<A HREF="http://www.cert.org/research/">Survivability Research</A></FONT></TD>
</TR>
<TR>
<TD WIDTH="47">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1"></TD>
<TD WIDTH="100%" HEIGHT="12"></TD>
</TR>
</TABLE>
</DIV>
<!-- This section leaves a table definition open. -->
<!-- Each document must close it somewhere else. -->
<DIV ALIGN="left">
<TABLE WIDTH="100%" BORDER="0">
<TR>
<TD WIDTH="47" VALIGN="top">
<IMG SRC="http://www.cert.org/images/invisible.gif" WIDTH="47" ALT="" HEIGHT="1">
</TD>
<!-- This section opens the table cell that contains the gray side bar. -->
<!-- This table cell is closed at the end of sidebar include. -->
<!-- A new table cell is also begun at the end of the sidebar -->
<!-- The table cell, row, and table must be ended in the main document -->
<TD VALIGN="top">
<DIV ALIGN="left">
<TABLE WIDTH="100" HEIGHT="225" ALIGN="left" CELLSPACING="0" BORDER="0" CELLPADDING="7">
<TR>
<TD BGCOLOR="#DCDCDC" VALIGN="top" HEIGHT="175">
<FONT FACE="Helvetica, Geneva, Arial" COLOR="#004A6B"><SMALL><SMALL>
<P><A HREF="http://www.cert.org/incident_notes/">Incident Notes</A>
<P><A HREF="http://www.cert.org/vul_notes/">Vulnerability Notes</A>
<P><A HREF="http://www.cert.org/security-improvement/">Security Improvement Modules</A>
<P><A HREF="http://www.cert.org/tech_tips/">Tech Tips</A>
<P><A HREF="http://www.cert.org/other_sources/tool_sources.html">Sources of Tools</A>
<P><A HREF="http://www.cert.org/nav/training.html">Training</A>
<P><A HREF="http://www.cert.org/nav/alerts.html">Alerts</A>
<P><A HREF="http://www.cert.org/y2k-info">Y2K</A>
</SMALL></SMALL></FONT>
</TD>
<TD WIDTH="3" VALIGN="top" ROWSPAN="2"></TD>
</TR>
<TR>
<TD VALIGN="top" HEIGHT="5"></TD>
</TR>
</TABLE>
</DIV>
<!-- starts new table cell for table begun in titlebar -->
</TD>
<TD WIDTH="100%" VALIGN="top">
<FONT FACE="Helvetica, Geneva, Arial">
<SMALL>
<H1>CERT<SUP>®</SUP> Incident Note IN-2000-01</H1>
<H2>Windows Based DDOS Agents</H2>
<B>Date:</B> Monday February 28, 2000<HR>
<B>Description:</B><P>
We have received reports indicating intruders are beginning to deploy
and utilize windows based denial of service agents to launch
distributed denial of service attacks.
On Feburary 16th we began receiving reports of a program called
"service.exe" that appears to be a Windows version of <A HREF="http://www.cert.org/incident_notes/IN-99-07.html#trinoo">trinoo</A>.
This program listens on UDP port 34555. More details about this tool
are available on Gary Flynn's web site at:
<DL><DD>
<A HREF="http://www.jmu.edu/info-security/engineering/issues/wintrino.htm">
http://www.jmu.edu/info-security/engineering/issues/wintrino.htm</A>
</DD></DL>
We have seen two almost identical versions of the "service.exe"
program to date (they vary by 12 bytes but produce the same results
for strings(1)). The binaries we have seen have one of the following
MD5 checksums:<P>
<DL>
<DD>MD5 (service.exe) = 03fe58987d7dc07e736c13b8bee2e616</DD>
<DD>MD5 (service.exe) = 1d45f8425ef969eba40091e330921757</DD>
</DL><P>
In at least one incident, machines runing the "service.exe" program
were also running <A HREF="http://www.cert.org/vul_notes/VN-98.07.backorifice.html">backoriface</A>.
We have also received reports of administrators finding other "remote
administration" intruder tools on machines that were running
"service.exe".<P>
Note that the tool <A HREF="http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html">TFN2K</A>,
first released in December 1999, will run on Windows NT. The
existance of distributed denial of service tools for Windows platforms
is not new; however, we are beginning to receive reports of these
tools being installed on compromised systems.
<P><B>Impact:</B><P>
Windows machines have been used as intermediaries in various types of
denial of service attacks for years; however, the development and
deployment of the technology to use Windows machines as agents in a
distributed denial of service attacks represents an overall increase
in the threat of denial of service attacks.
<P><B>Solution:</B><P>
Standard safe computing practices will prevent intruders from
installing the service.exe program on your machine(s).<P>
<UL>
<LI>Don't run programs of unknown origin, regardless of who sent you the
program. Likewise, don't send programs of unknown origin to your
friends or coworkers simply because they are amusing -- it might be a
Trojan horse.</LI>
<LI>Before opening any email attachments, be sure you know what the
source of the attachment was. It is not enough that the mail
originated from an address you recognize. The Melissa virus spread
precisely because it originated from a familiar address. Malicious
code might be distributed in amusing or enticing programs. If you must
open an attachment before you can verify the source, do so in an
isolated environment. If you are unsure how to proceed, contact your
local technical support organization.</LI>
<LI>Be sure your <A HREF="http://www.cert.org/other_sources/viruses.html#VI">
anti-virus software</A> is, and remains, up-to-date.</LI>
<LI>Some products, such as Microsoft Office, Lotus Notes and others,
include the ability to execute code embedded in documents. For any
such products you use, disable the automatic execution of code
embedded in documents. For example, in Microsoft Word 97, enable the
"Macro Virus Protection" feature by choosing Tools->Options->General
and selecting the appropriate checkbox. In Lotus Notes 4.6, set a
restrictive Execution Control List (ECL) by setting the options found
in File->Tools->User Preferences->Security Options to restrict the
execution of code to trusted signers. For other products, consult your
documentation.</LI>
<LI>Use data-integrity tools. <A HREF="http://www.cert.org/other_sources/viruses.html#V">Data-integrity
tools</A> use strong cryptography to help you determine which files,
if any, may have changed on a system. This may be crucial information
to determine the most appropriate response to a security event. The
use of these tools requires that they be installed before a security
event has taken place.</LI>
<LI>Avoid the use of MIME types that cause interpreters or shells to
be invoked.</LI>
<LI>Be aware of the risks involved in the use of "mobile code" such as
Active X, Java, and JavaScript. It is often the case that electronic
mail programs use the same code that web browsers use to render
HTML. Vulnerabilities that affect ActiveX, Java, and Javascript often
are applicable to electronic mail as well as web pages.</LI>
</UL><P>
<B>Author:</B> Jed Pickel<BR>
<HR WIDTH="100%" NOSHADE>
This document is available from:
<A HREF="http://www.cert.org/incident_notes/IN-2000-01.html">
http://www.cert.org/incident_notes/IN-2000-01.html</A>
<HR WIDTH="100%" NOSHADE>
<H2>CERT/CC Contact Information</H2>
<DL>
<B>Email:</B> <A HREF="mailto:cert@cert.org">cert@cert.org</A><BR>
<B>Phone:</B> +1 412-268-7090 (24-hour hotline)<BR>
<B>Fax:</B> +1 412-268-6989<BR>
<B>Postal address:</B><BR>
<DD>
CERT<SUP>®</SUP> Coordination Center<BR>
Software Engineering Institute<BR>
Carnegie Mellon University<BR>
Pittsburgh PA 15213-3890<BR>
U.S.A.<BR>
</DL>
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
<P>
<H4>Using encryption</H4>
<P>We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from<P>
<UL>
<A HREF="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</A>
</UL>
If you prefer to use DES, please call the CERT hotline for more
information.<P>
<H4>Getting security information</H4>
CERT publications and other security information are available from
our web site<P>
<UL>
<A HREF="http://www.cert.org/">http://www.cert.org/</A>
</UL>
To be added to our mailing list for advisories and bulletins, send email to
<A HREF="mailto:cert-advisory-request@cert.org">
cert-advisory-request@cert.org</A> and include <TT>SUBSCRIBE
your-email-address</TT> in the subject of your message.
<P>
Copyright 1999 Carnegie Mellon University.<BR>
Conditions for use, disclaimers, and sponsorship information can be found in<P>
<UL>
<A HREF="http://www.cert.org/legal_stuff.html">http://www.cert.org/legal_stuff.html</A>
</UL>
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
<HR WIDTH="100%" NOSHADE>
<B><U>NO WARRANTY</U></B><BR>
<B>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</B>
</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>