Trin00 Master daemon denial of service tool

trin00-master (3570) The risk level is classified as High Risk

Description:

Trin00 (or Trinoo) is a distributed denial of service tool used to flood hosts with UDP packets. Trin00 master servers allow attackers to control multiple 'slave' hosts for denial of service attacks. The Trin00 master is a service that controls the Trin00 'broadcasts' (the daemons), the component of Trin00 that actually performs the floods.

Platforms Affected:

  • Compaq, Tru64
  • Data General, DG/UX
  • HP, HP-UX 10.20
  • HP, HP-UX 11
  • HP, HP-UX
  • IBM, AIX 4
  • IBM, AIX
  • Linux, Kernel
  • RedHat, Linux 7
  • RedHat, Linux 7.1
  • RedHat, Linux 7.2
  • RedHat, Linux 7.3
  • SCO, SCO Unix
  • SGI, IRIX
  • Sun, Solaris 2.6
  • Sun, Solaris 7.0
  • Sun, Solaris 8
  • Sun, Solaris
  • WindRiver, BSDOS

Remedy:

Remove the Trin00 master binary and take measures to prevent it from spreading.

Finding the Trin00 master program might be difficult, because the name of the binary varies. The most common names are listed in the following procedure.

To locate and remove the binary program:

  1. Use the ps command to search the process list for a process running under one or more of the following binary names.
    • ns
    • ttp
    • rpc.trinoo
    • rpc.listen
    • trinix
    • rpc.irix
    • irix
  2. Did you find a process running under one of the listed binaries?
    • Yes. Find the associated binary on the system.
    • No. Try using lsof to find the right binary, or search through all the processes running on your system to identify which one could be the Trin00 master.
  3. Test the suspect binary to make sure it is the Trin00 master program (see procedure below).
  4. Delete the binary from the system.

To test the suspected binary program:

  1. Run strings on the binary:
    strings [binary name]
  2. The output should be similar to the following:
    ---v
    v1.07d2+f3+c
    trinoo %s
    l44adsl
    sock
    0nm1VNMXqRMyM
    15:08:41
    Aug 16 1999
    trinoo %s [%s:%s]
    bind
    read
    *HELLO*
    [rest omitted]
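As an added example (not part of the X-Force advisory), the following POSIX shell script automates the two procedures above: it matches running processes against the listed binary names and checks each resolved executable for the "trinoo %s" and "*HELLO*" markers shown in the sample strings output. The /proc/<pid>/exe lookup is an assumption that holds on Linux only; on the other listed platforms the script prints the PID for the manual lsof step.

```shell
#!/bin/sh
# Added example, not part of the X-Force advisory. Process names and string
# markers come from the advisory text; the /proc/<pid>/exe lookup is a
# Linux-only assumption, elsewhere the PID is printed for a manual lsof check.

TRINOO_PROCESS_NAMES="ns ttp rpc.trinoo rpc.listen trinix rpc.irix irix"

# Use strings(1) when present; otherwise split the file on non-printable
# bytes so that each printable run becomes one line.
printable_runs() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1"
    fi
}

# Exit status 0 if the file at $1 carries a marker shown in the advisory's
# sample strings output (the "trinoo %s" banner or the "*HELLO*" string).
is_trinoo_binary() {
    printable_runs "$1" 2>/dev/null | grep -qE '^(trinoo %s|\*HELLO\*)$'
}

# Print "pid name" for every process whose command name is on the list.
find_candidate_pids() {
    ps -eo pid=,comm= 2>/dev/null | while read -r pid comm; do
        case " $TRINOO_PROCESS_NAMES " in
            *" $comm "*) echo "$pid $comm" ;;
        esac
    done
}

# Resolve each candidate to its executable and test it for the markers.
scan_running_processes() {
    find_candidate_pids | while read -r pid comm; do
        if [ -r "/proc/$pid/exe" ]; then
            exe=$(readlink "/proc/$pid/exe")
            if is_trinoo_binary "$exe"; then
                echo "SUSPECT pid=$pid name=$comm exe=$exe (trinoo markers found)"
            else
                echo "candidate pid=$pid name=$comm exe=$exe (no markers found)"
            fi
        else
            echo "candidate pid=$pid name=$comm (resolve with: lsof -p $pid)"
        fi
    done
}

scan_running_processes
```

Run it as root so that every process's executable can be resolved; a candidate whose binary shows no markers still deserves a manual look, since the binary name alone is the weaker of the two signals.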

Take the following measures to prevent Trin00 from spreading:

  • Decrypt the daemon list to find out the IP addresses of all the daemons that have registered with this master. Remove the daemon programs. If the IP addresses are outside your organization, notify the organizations of the vulnerability.
  • Disable directed broadcasts on your network to prevent it from being used to amplify denial of service attacks.
  • Inform your ISP of the attack, so that they can take action to further prevent the attack from spreading.

Consequences:

Denial of Service

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net