-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Update
February 28, 2000

trin00 for Windows Distributed Denial of Service Attack Tool

Synopsis:

A new version of trin00 that runs on Microsoft Windows machines has been discovered. Trin00 was first discussed in the ISS Security Alert "Denial of Service Attack Using the trin00 and Tribe Flood Network Programs" on December 7, 1999, which is available at http://xforce.iss.net/alerts/advise40.php3. The executable that has been found is a trin00 daemon. It is unclear if there is a Windows version of the trin00 master or if the Windows daemons are controlled by a Unix master.

Description:

The Windows version of trin00 is similar to the Unix version. The daemon for Windows trin00 listens on port 34555, while the Unix version listens by default on port 27444. Unlike the Unix version of the trin00 daemon, the Windows daemon does not try to contact the master server to register. The ISS X-Force believes that this is to prevent someone who finds the daemon on a Windows machine from finding the IP address of the master by looking in the binary executable. In the Unix version of trin00, it is possible to retrieve the IP address of the master by examining the binary executable.

The password used for the UDP communications between master and daemon is also different. In the Unix version, it is "l44adsl" by default. In the Windows version, the default password is "[]..Ks".

It appears that Backdoors such as BackOrifice and SubSeven are being used in conjunction with the deployment of trin00 for Windows. ISS strongly recommends scanning your network for the presence of Windows Backdoors. ISS SAFEsuite has signatures to detect most known Windows Backdoors. For more information on Windows Backdoors, refer to X-Force advisories on http://xforce.iss.net.

Recommendations:

The ISS X-Force is updating the ISS SAFEsuite security assessment and intrusion detection software, Internet Scanner and RealSecure, to detect trin00 on these new ports.
If you find trin00 on a Windows machine, open the registry, locate the key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and find the value named "System Services". The data will be "service.exe". Delete this registry entry and then end the service.exe process on your machine. To do this on Windows 95 and Windows 98, press CTRL+ALT+DEL to display the Task List, and end the service.exe process. In Windows NT, start Task Manager and end the service.exe process. Service.exe should be removed from affected systems. By default, this file is located in the Windows system directory.

ISS Internet Scanner can be configured to scan Windows machines on your network with the UDP Port Scanner turned on. The UDP Port Scanner is enabled by selecting it under the Services category in the Policy Editor. The UDP Port Scanner should be configured to scan port 34555. If machines are found to be listening on this port, they may have Windows trin00 installed. It is also recommended to scan your network for Backdoors. It is possible that Backdoors are being used to install Windows trin00.

ISS RealSecure can be configured to look for UDP communications between the trin00 master and agent by looking for UDP traffic over port 34555. Traffic on this port may also indicate that trin00 is installed on a machine.

To prevent connections from Master machines to compromised hosts, block UDP traffic on port 34555 on firewalls and routers.

Additional Information:

ISS worked in coordination with Trend Micro and James Madison University to obtain and review information regarding Windows trin00.

______

About Internet Security Systems (ISS)

ISS is a leading global provider of security management solutions for e-business.
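The following is an added example, not part of the ISS alert and not ISS product code. It turns the indicators stated in the Description and Recommendations above into two defender-side checks: a scan of UDP flow records for the Windows daemon's port 34555 (generalising to the Unix daemon's default port 27444, which the alert contrasts with), and a test of a Run-key value against the "System Services" = "service.exe" indicator. The flow-record format, the sample records and all function names are constructed for this example; the registry lookup is read-only and only runs on Windows.

```python
"""Added example (not part of the ISS alert): defender-side checks for the
trin00 for Windows daemon using only indicators stated in the alert.

The flow-record line format and the sample records are constructed for this
example; adapt parse_flow() to whatever your sensor or router exports.
"""
import re
import sys

# Ports named in the alert: 34555 for the Windows daemon, 27444 as the default
# port of the Unix daemon the alert compares it with.
TRIN00_UDP_PORTS = {
    34555: "trin00 for Windows daemon",
    27444: "trin00 Unix daemon (default port)",
}

# Registry indicator from the alert, under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_VALUE_NAME = "System Services"
RUN_VALUE_DATA = "service.exe"

# Constructed flow-record format:  <ts> <proto> <src>:<sport> -> <dst>:<dport> len=<n>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample records for this example (not captured traffic).
SAMPLE_FLOWS = [
    "2000-02-28T09:12:01Z UDP 10.20.0.9:2001 -> 192.168.5.41:34555 len=28",
    "2000-02-28T09:12:01Z UDP 192.168.5.41:34555 -> 10.20.0.9:2001 len=20",
    "2000-02-28T09:12:03Z UDP 10.20.0.9:2002 -> 192.168.5.77:27444 len=28",
    "2000-02-28T09:12:05Z TCP 192.168.5.41:1041 -> 192.168.5.10:34555 len=60",
    "2000-02-28T09:12:07Z UDP 192.168.5.12:53 -> 192.168.5.41:1033 len=80",
    "malformed line",
]


def parse_flow(line):
    """Return a dict for one flow record, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_trin00_flows(lines):
    """Return one finding per UDP flow that touches a trin00 control port.

    A flow *to* the port marks the destination as the suspected daemon; a flow
    *from* the port marks the source. TCP flows and unparseable lines are
    ignored, because the alert describes UDP master-to-daemon traffic only.
    """
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["dport"] in TRIN00_UDP_PORTS:
            host, peer, port = rec["dst"], rec["src"], rec["dport"]
        elif rec["sport"] in TRIN00_UDP_PORTS:
            host, peer, port = rec["src"], rec["dst"], rec["sport"]
        else:
            continue
        findings.append({"ts": rec["ts"], "daemon_host": host, "peer": peer,
                         "port": port, "note": TRIN00_UDP_PORTS[port]})
    return findings


def is_trin00_run_value(name, data):
    """True if a Run-key value matches the alert's indicator.

    The comparison is case-insensitive and also accepts a full path whose file
    name is service.exe (a generalisation; the alert states the data is
    exactly "service.exe").
    """
    if name.strip().lower() != RUN_VALUE_NAME.lower():
        return False
    exe = data.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return exe.lower() == RUN_VALUE_DATA


def check_windows_run_key():
    """Read-only check of the Run key on Windows; returns None elsewhere.

    Removal of the value and termination of service.exe are left to the
    operator, following the steps in the alert.
    """
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows only
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    try:
        data, _ = winreg.QueryValueEx(key, RUN_VALUE_NAME)
    except FileNotFoundError:
        return False
    finally:
        winreg.CloseKey(key)
    return is_trin00_run_value(RUN_VALUE_NAME, str(data))


if __name__ == "__main__":
    for f in find_trin00_flows(SAMPLE_FLOWS):
        print("%(ts)s suspected %(note)s on %(daemon_host)s "
              "(peer %(peer)s, UDP/%(port)d)" % f)
    print("Run key indicator present:", check_windows_run_key())
```

Running the sample yields three findings: two for 192.168.5.41 (one flow to UDP/34555 and the reply from it) and one for 192.168.5.77 on UDP/27444; the TCP flow to 34555 and the DNS reply are ignored. A host flagged this way can be confirmed with the UDP port scan of 34555 and the Run-key inspection the alert recommends.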
By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Internet Security Systems, SAFEsuite, RealSecure, Internet Scanner, System Scanner, Database Scanner and ePatrol are trademarks of Internet Security Systems, Inc. All other companies and products mentioned are trademarks and property of their respective owners.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOLrlLzRfJiV99eG9AQHQTwP9Go22yKdIjjSyaY2gcpjJvki32uEG4Nkt
l90CgIJ8qowr3WaszRmai2SKf4nIZ5k0mmbWs7UwJKCi79rGVIRpUTCBvSdAP6gZ
+ZNusPgx6JC93LPl+YzFiQsXO3jNUp83VCVKFlGmAbmxw1RaDm4SOwrbVjtMrT9K
3BChOls6nPY=
=sY8S
-----END PGP SIGNATURE-----