COMMAND

    Distributed Denial of Service tool

SYSTEMS AFFECTED

    Trinity v3

PROBLEM

    The following is based on an Internet Security Systems Security
    Alert.  A new Distributed Denial of Service tool, "Trinity v3",
    has been discovered in the wild.  There have been reports of up
    to 400 hosts running the Trinity agent.  In one Internet Relay
    Chat (IRC) channel on the Undernet network, there are 50
    compromised hosts running Trinity, with new hosts appearing every
    day.  It is not known how many different versions of Trinity are
    in the wild.

    Distributed Denial of Service attacks can bring down a network  by
    flooding  target  machines  with  large  amounts  of  traffic.  In
    February of this year, several of the Internet's biggest websites,
    including Yahoo, Amazon.com, Ebay and Buy.com were taken down  for
    extended periods of time by tools similar to Trinity.

    Trinity  is  a  Distributed  Denial   of  Service  tool  that   is
    controlled  by  IRC.   In  the  version  that the X-Force has been
    analyzing, the  agent binary  is installed  on a  Linux system  at
    /usr/lib/idle.so.  When idle.so is started, it connects to an
    Undernet IRC server on port 6667.  A list of IRC server IP
    addresses is hard-coded in the binary.


    When  Trinity  connects,  it  sets  its  nickname  to  the first 6
    characters of the host name of the affected machine, plus 3 random
    letters   or   numbers.    For   example,   the   computer   named
    machine.example.com  would  connect  and   set  its  nickname   to
    machinabc, where abc is 3 random letters or numbers.  If there  is
    a period in the first 6 characters of the host name, the period is
    replaced by an underscore.  In  our copy of Trinity, it joins  the
    IRC channel  #b3eblebr0x using  a special  key.   Once it's in the
    channel, the agent will wait  for commands.  Commands can  be sent
    to  individual  Trinity  agents,  or  sent  to the channel and all
    agents will process the command.

    The flooding commands have the format <flood> <password> <victim>
    <time>, where flood is the type of flood, password is the agent's
    password, victim is the victim's IP address, and time is the
    length of the flood, in seconds.  The available flood types are
    the following:

        tudp: "udpflood"
        tfrag: "fragmentflood"
        tsyn: "synflood"
        trst: "rstflood"
        trnd: "randomflagsflood"
        tack: "ackflood"
        testab: "establishflood"
        tnull: "nullflood"

    Other available commands include:

        ping: Ping  each  client.   The  client  will  respond    with
              "(trinity) someone needs a miracle..."
        size <size>: Set the packet size for the flood, 0 for random.
        port <port>: Set which port to hit, 0 for random.
        ver?: Get the agent's version.  The agent X-Force is analyzing
              replies with "<trinity> trinity v3 by self (an idle mind
              is the devil's playground)"
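    The nickname scheme, the channel join, the flood-command grammar
    and the "(trinity)" replies described above are enough to build a
    simple detector over captured IRC lines.  The following is an
    added example, not code from the ISS alert; the sample IRC lines,
    the monitored host names and the channel key "somekey" are
    constructed, and it assumes Python 3.8 or later.

```python
import re
# Constructed sample of IRC lines as seen by a network sensor (not a real capture).
SAMPLE_IRC_LINES = [
    "NICK machinabc",
    "JOIN #b3eblebr0x somekey",
    ":ctl!u@h PRIVMSG #b3eblebr0x :tsyn pw 192.0.2.10 60",
    ":machinabc!u@h PRIVMSG #b3eblebr0x :(trinity) someone needs a miracle...",
    ":bob!u@h PRIVMSG #chat :hello there",
]
CHANNEL = "#b3eblebr0x"
FLOOD_TYPES = ("tudp", "tfrag", "tsyn", "trst", "trnd", "tack", "testab", "tnull")
# Flood command grammar from the alert: <flood> <password> <victim IP> <seconds>
FLOOD_RE = re.compile(r"^(?:%s)\s+\S+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\d+$"
                      % "|".join(FLOOD_TYPES))

def expected_nick_prefix(hostname):
    """First 6 characters of the host name, with '.' replaced by '_'."""
    return hostname[:6].replace(".", "_")

def nick_regex(hostnames):
    """Prefix plus 3 random letters/digits, for any monitored host name."""
    alts = "|".join(re.escape(expected_nick_prefix(h)) for h in hostnames)
    return re.compile(r"^(?:%s)[A-Za-z0-9]{3}$" % alts)

def parse_irc(line):
    """Split an IRC line into (COMMAND, [params]), keeping the trailing param."""
    if line.startswith(":"):  # drop the sender prefix
        line = line.partition(" ")[2]
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    params = parts[1:] + ([trailing] if sep else [])
    return (parts[0].upper() if parts else ""), params

def classify(line, nick_re):
    """Return a short reason if the line looks like Trinity activity, else None."""
    cmd, params = parse_irc(line)
    if cmd == "NICK" and params and nick_re.match(params[0]):
        return "trinity-nick"
    if cmd == "JOIN" and params and params[0].lower() == CHANNEL:
        return "trinity-channel-join"
    if cmd == "PRIVMSG" and len(params) >= 2:
        if FLOOD_RE.match(params[1]):
            return "trinity-flood-command"
        if params[1].startswith(("(trinity)", "(entitee)")):
            return "trinity-agent-reply"
    return None

def scan(lines, hostnames):
    nick_re = nick_regex(hostnames)
    return [(l, r) for l in lines if (r := classify(l, nick_re))]
```

    The nickname check only fires for hosts you list, so feed it the
    host names of the machines you monitor rather than a wildcard.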

    Another     binary     found     on     affected     systems    is
    /var/spool/uucp/uucico.  This  binary is not  to be confused  with
    the real "uucico",  which resides in  /usr/sbin, or other  default
    locations  such  as  /usr/lib/uucp.   This  is  a  simple backdoor
    program that listens  on TCP port  33270 for connections.   When a
    connection is established, the attacker sends a password to get  a
    root shell.   The password in  the binaries that  we have analyzed
    is "!@#".  When the uucico binary is executed it changes its  name
    to "fsflush".

    According to an ISS update, at least 8 different versions of
    Trinity have been found on the Undernet Internet Relay Chat (IRC)
    network by the Undernet operators, each using a different IRC
    channel.  On September 17, 2000, "Rod R00T" reported a new variant
    of Trinity, called "entitee", to the INCIDENTS mailing list at
    SecurityFocus.com.  It is functionally equivalent to Trinity v3,
    but it uses different channels, keys, and passwords.  Trinity v3
    responds to commands in the channel with a line beginning with
    "(trinity)", while entitee responds with lines beginning with
    "(entitee)".

SOLUTION

    Scan all systems for port  33270 connections.  If any  connections
    are found, telnet to that port and type "!@#".  A system has  been
    compromised if there  is a root  shell present after  a successful
    connection to port 33270.

    Use  "ps"  and  "lsof"  in  the  following  manner  to  identify a
    port-shell installed by Trinity:

        # /usr/sbin/lsof -i TCP:33270
        COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
        uucico  6862 root    3u  IPv4  11199       TCP *:33270 (LISTEN)

        # /usr/sbin/lsof -c uucico
        COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
        uucico  6862 root  cwd    DIR    8,1    4096 306099 /home/jlarimer
        uucico  6862 root  rtd    DIR    8,1    4096      2 /
        uucico  6862 root  txt    REG    8,1    4312 306589 /home/jlarimer/uucico
        uucico  6862 root  mem    REG    8,1  344890 416837 /lib/ld-2.1.2.so
        uucico  6862 root  mem    REG    8,1 4118299 416844 /lib/libc-2.1.2.so
        uucico  6862 root    0u   CHR  136,2              4 /dev/pts/2
        uucico  6862 root    1u   CHR  136,2              4 /dev/pts/2
        uucico  6862 root    2u   CHR  136,2              4 /dev/pts/2
        uucico  6862 root    3u  IPv4  11199            TCP *:33270 (LISTEN)

        # ps 6862
          PID TTY      STAT   TIME COMMAND
         6862 pts/2    S      0:00 fsflush
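    Across many hosts, the lsof and ps checks above are easier to
    apply by parsing their output and cross-referencing the two.  The
    following is an added example, not code from the ISS alert; it
    flags a listener on TCP port 33270 whose lsof command name is
    uucico and whose ps entry shows the renamed process fsflush.  The
    sample output is constructed in the format of the listings above.

```python
# Constructed sample output in the format of the lsof and ps listings above
# (not from a live host).
LSOF_OUTPUT = """COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
uucico  6862 root    3u  IPv4  11199       TCP *:33270 (LISTEN)
sshd     412 root    3u  IPv4    901       TCP *:22 (LISTEN)
"""
PS_OUTPUT = """  PID TTY      STAT   TIME COMMAND
  412 ?        S      0:01 /usr/sbin/sshd
 6862 pts/2    S      0:00 fsflush
"""
PORTSHELL_PORT = 33270

def lsof_listeners(text, port):
    """(command, pid) for every LISTEN socket on `port` in `lsof -i` output."""
    hits = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) >= 3 and f[-1] == "(LISTEN)" and f[-2].endswith(":%d" % port):
            hits.append((f[0], int(f[1])))
    return hits

def ps_command(text, pid):
    """COMMAND column of `ps` output for `pid`, or None if not listed."""
    for line in text.splitlines()[1:]:
        f = line.split(None, 4)
        if len(f) == 5 and f[0] == str(pid):
            return f[4]
    return None

def portshell_indicators(lsof_text, ps_text, port=PORTSHELL_PORT):
    """Cross-check lsof and ps for the Trinity portshell pattern."""
    findings = []
    for cmd, pid in lsof_listeners(lsof_text, port):
        reasons = ["listening on TCP port %d" % port]
        if cmd == "uucico":
            reasons.append("lsof command name is uucico")
        shown = ps_command(ps_text, pid)
        if shown == "fsflush":
            reasons.append("ps shows the process renamed to fsflush")
        findings.append({"pid": pid, "lsof_command": cmd,
                         "ps_command": shown, "reasons": reasons})
    return findings
```

    Any listener on port 33270 is reported; the extra reasons show
    how closely it matches the sample described in the alert.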

    Since the Trinity v3 agent does not listen on any ports, it may be
    difficult to  detect unless  you are  watching for  suspicious IRC
    traffic.   If  a  machine  that  has  a Trinity agent installed is
    found, it  may have  been completely  compromised.   The operating
    system must  be completely  reinstalled along  with any  available
    security patches.

    Public chat systems  can pose a  legitimate security risk.   It is
    up to  each user's  discretion to  protect from  malicious content
    distributed via these networks.

    ISS RealSecure already contains functionality that may aid in the
    detection of Trinity.  Enable the IRC_Nick, IRC_Msg, and IRC_Join
    decodes via the RealSecure console to help track IRC activity.
    These decodes can detect joins to the IRC channel #b3eblebr0x, as
    well as other behavior associated with Trinity.  In addition,
    security administrators may choose to enable a connection event
    for TCP port 33270 to detect connections to the portshell that is
    installed alongside Trinity.

    ISS Internet Scanner  can be configured  to scan machines  on your
    network with the TCP Port Scanner turned on.  The TCP Port Scanner
    can be enabled by selecting it under the Services category in  the
    Policy Editor.  The TCP Port Scanner should be configured to  scan
    port 33270.  If machines are  found to be listening on this  port,
    they may have the Trinity portshell installed.

    The ISS X-Force will provide additional functionality to detect
    these tools in upcoming X-Press Updates for Internet Scanner,
    RealSecure, and System Scanner.