
List:       incidents
Subject:    New Variants of Trinity and Stacheldraht Distributed Denial of
From:       Aleph One <aleph1 () UNDERGROUND ! ORG>
Date:       2000-09-26 16:18:45

-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Alert
September 25, 2000

New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools

Synopsis:

New versions of Stacheldraht and Trinity distributed denial of service (DDoS)
attack tools have been found in the wild. The new versions of Stacheldraht
include "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps".  A
variant of the Trinity tool called "entitee" has also been reported.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding
target machines with large amounts of traffic.  In February of this year,
several of the Internet's largest Web sites, including Yahoo, Amazon.com, eBay,
and Buy.com were disrupted for extended periods of time by DDoS tools. These
new tools have been detected in corporate networks as well as on personal
computers with high speed network connections.  The prevalence of high speed
DSL and cable modem service magnifies these tools' potential effectiveness.


Description:

For an overview of the original Stacheldraht program, refer to the X-Force
Alert, "Denial of Service Attack using the TFN2K and Stacheldraht programs",
at:

http://xforce.iss.net/alerts/advise43.php.

For more information, Dave Dittrich wrote a detailed analysis, which can be
found at:

http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt.

The newer version of the Stacheldraht program adds several commands. The
following is the list of top-level commands in this new version (the IRC
flooding sub-commands reached through .enter are listed separately below):

.mtimer    .mudp    .micmp   .msyn    .mack  .mnul
.mstream   .mhavoc  .mrandom .mip     .mfdns .msort
.showalive .madd    .mlist   .msadd   .msrem .help
.setusize .setisize .mdie    .sprange .mstop .killall
.showdead .forceit  .left    .enter

The following commands have been added since the first versions of
Stacheldraht:

.mack     Sends a TCP ACK flood.
.mnul     Sends a NULL flood, which is like a TCP SYN flood but with all TCP
          flags set to 0.
.mstream  Sends a stream attack flood.
          (see http://xforce.iss.net/alerts/advise48.php)
.mhavoc   Sends a "HAVOC" flood: mixed ICMP, UDP, SYN, random-flag TCP and
          raw IP header packets sent simultaneously.
.mrandom  Sends a flood of packets with random TCP headers.
.mip      Sends a flood of plain IP headers.
.mfdns    Sets the source port for floods to port 53 (DNS).
.msadd    Adds a master server to the list of master servers.
.forceit  Causes the next .mstop command to stop all agents from flooding,
          including agents that are not currently flooding.
.left     Shows how much time is left before an agent stops flooding.

IRC flooding commands:
.enter     Enter the IRC flooding interface.
.part      Part a channel.
.join      Join a channel.
.msg       Send a message flood.

In this version, the user is prompted for a password when building the
binaries, so there is no default password; several other defaults are
unchanged, however. When running, the agent "td" uses the process name
"(kswapd)", and the child processes it spawns are named "httpd". The master
server "mserv" uses the process name "(httpd)". The master server communicates
with agents using ICMP packets, and each command is identified by the value in
the ICMP ID header field. In the version obtained by the X-Force, the values
are as follows:

For the network flooding commands and replies:
699  Add an IP address to the list of addresses to be flooded
6666 Send IP header flood
7778 Send Stream attack
9000 Add new master server to the Stacheldraht network
9000 Spoof test reply
9001 Remove master server
9002 Distribute new versions of the agent
9003 Shutdown agent
9004 Set the amount of time to flood
9005 Set the ICMP packet size for ICMP-based floods
9006 Set the UDP packet size for UDP-based floods
9007 Set the port range for SYN floods
9012 Start a UDP flood
9013 Start a SYN flood
9014 Set the port for SYN floods
9015 Stop flooding
9016 Change spoofing mode
9017 Replies from the client
9028 Send Smurf attack
9055 Send ICMP flood
9113 Start an ACK flood
9213 Start a NULL flood
9668 Spoof test
9934 Send Havoc flood
9935 Send random TCP header flood
9936 Send DNS packet flood

For the IRC flooding commands:

1 Join IRC
4 Part Channel
5 Join Channel
6 Message Flood
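The ID values above are the only thing a network sensor needs to key on. As an added example (not part of the ISS alert), the Python below decodes raw IPv4/ICMP packets, rejects anything truncated or with a bad checksum, and flags echo request or echo reply packets whose ICMP identifier is one of the command values listed above. Dave Dittrich's analysis of the original Stacheldraht (linked earlier) describes handler/agent traffic carried in ICMP echo replies, so the example examines both echo types. The packet bytes, addresses and the label for the doubled 9000 value are constructed for this demonstration; nothing about the tool's payload contents is reproduced or assumed.

```python
"""Added example (not from the ISS alert): decode IPv4/ICMP packets and flag
those whose ICMP identifier matches a Stacheldraht 1.666+ command ID from the
alert. Packet bytes are constructed here for the demonstration."""
import struct
from typing import List, Optional, Tuple

# Command IDs from the alert, handler <-> agent. 9000 is listed twice in the
# alert (add master server, spoof test reply), so one label covers both.
STACHELDRAHT_ICMP_IDS = {
    699: "add flood target", 6666: "IP header flood", 7778: "stream attack",
    9000: "add master server / spoof test reply", 9001: "remove master server",
    9002: "distribute new agent version", 9003: "shutdown agent",
    9004: "set flood duration", 9005: "set ICMP packet size",
    9006: "set UDP packet size", 9007: "set SYN flood port range",
    9012: "start UDP flood", 9013: "start SYN flood", 9014: "set SYN flood port",
    9015: "stop flooding", 9016: "change spoofing mode", 9017: "reply from client",
    9028: "smurf attack", 9055: "ICMP flood", 9113: "start ACK flood",
    9213: "start NULL flood", 9668: "spoof test", 9934: "havoc flood",
    9935: "random TCP header flood", 9936: "DNS packet flood",
}
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
TYPE_NAMES = {ICMP_ECHO_REPLY: "echo-reply", ICMP_ECHO_REQUEST: "echo-request"}
IP_PROTO_ICMP = 1


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when verifying intact data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet: bytes) -> Optional[Tuple[str, str, int, int, int, bytes]]:
    """Return (src, dst, icmp_type, icmp_id, icmp_seq, payload) for a well-formed
    IPv4/ICMP packet, or None for anything else (wrong protocol, truncated, bad
    checksum); corrupt fields must never drive a detection."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None
    if packet[9] != IP_PROTO_ICMP or inet_checksum(packet[:ihl]) != 0:
        return None
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:
        return None
    itype, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, itype, ident, seq, icmp[8:]


def classify(packet: bytes) -> Optional[str]:
    """Describe the packet if it is an ICMP echo request/reply carrying a known
    Stacheldraht command ID; otherwise None."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return None
    src, dst, itype, ident, _seq, _payload = parsed
    if itype not in TYPE_NAMES:
        return None
    label = STACHELDRAHT_ICMP_IDS.get(ident)
    if label is None:
        return None
    return f"{src} -> {dst} ICMP {TYPE_NAMES[itype]} id={ident}: {label}"


def build_packet(src: str, dst: str, itype: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an IPv4 (no options) + ICMP packet with valid checksums, for tests."""
    hdr = struct.pack("!BBHHH", itype, 0, 0, ident, seq)
    icmp = struct.pack("!BBHHH", itype, 0, inet_checksum(hdr + payload), ident, seq) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    fields = [0x45, 0, 20 + len(icmp), 0x1234, 0, 64, IP_PROTO_ICMP, 0, src_b, dst_b]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + icmp


# Constructed sample traffic: an ordinary-looking echo reply (id 0x1234) and an
# echo reply whose id is the alert's "start SYN flood" command.
SAMPLE_PACKETS = [
    build_packet("10.0.0.5", "10.0.0.9", ICMP_ECHO_REPLY, 0x1234, 1, b"ping payload"),
    build_packet("192.0.2.10", "10.0.0.9", ICMP_ECHO_REPLY, 9013, 0, b"\x00" * 8),
]


def scan(packets: List[bytes]) -> List[str]:
    """Return descriptions of every packet that matches a Stacheldraht command ID."""
    return [hit for hit in map(classify, packets) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(hit)
```

Because ping implementations commonly place their process ID in the ICMP identifier, a single match can be a coincidence; treat a hit as a lead to confirm with the host checks in the Recommendations section, and weight an echo reply that answers no observed request more heavily than one that does.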


For an overview of the Trinity DDoS tool, refer to the X-Force Alert,
"Trinity v3 Distributed Denial of Service tool", at:

http://xforce.iss.net/alerts/advise59.php.

At least 8 different versions of Trinity have been found on the Undernet
Internet Relay Chat (IRC) network by the Undernet operators, each using a
different IRC channel. On September 17, 2000, "Rod R00T" reported a new
variant of Trinity, called "entitee", to the INCIDENTS mailing list at
SecurityFocus.com. It is functionally equivalent to Trinity v3, but it uses
different channels, keys, and passwords.  Trinity v3 responds to commands in
the channel with a line beginning with "(trinity)", while entitee responds with
lines beginning with "(entitee)".

Recommendations:

The Stacheldraht and Trinity signatures in the ISS RealSecure intrusion
detection software are being updated to detect these new tools. To find a
Stacheldraht agent on your computer, look for processes holding raw sockets
with the lsof command:

[root@unix /root]# lsof | grep raw
td     1217  root    3u   raw             2083 00000000:0001->00000000:0000 st=07

[root@unix /root]# lsof -p 1217
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
td     1217 root  cwd    DIR    8,1    4096 497157 /root/stach+antigl/client
td     1217 root  rtd    DIR    8,1    4096      2 /
td     1217 root  txt    REG    8,1   99396 497190 /root/stach+antigl/client/td
td     1217 root  mem    REG    8,1  344890 416837 /lib/ld-2.1.2.so
td     1217 root  mem    REG    8,1 4118299 416844 /lib/libc-2.1.2.so
td     1217 root    0u   raw                  2218 00000000:0001->00000000:0000 st=07
td     1217 root    1u   CHR  136,1              3 /dev/pts/1
td     1217 root    2u   CHR  136,1              3 /dev/pts/1
td     1217 root    3u   raw                  2083 00000000:0001->00000000:0000 st=07

To locate a Stacheldraht master server on your computer, look for its listening
TCP port (60001 in the sample examined here):

[root@unix stach+antigl]# lsof -i TCP:60001
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
mserv   1346 root    3u  IPv4   2332       TCP *:60001 (LISTEN)

[root@unix stach+antigl]# lsof -p 1346
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
mserv   1346 root  cwd    DIR    8,1    4096 497149 /root/stach+antigl
mserv   1346 root  rtd    DIR    8,1    4096      2 /
mserv   1346 root  txt    REG    8,1 1356288 497188 /root/stach+antigl/mserv
mserv   1346 root    0u   CHR  136,0              2 /dev/pts/0
mserv   1346 root    1u   CHR  136,0              2 /dev/pts/0
mserv   1346 root    2u   CHR  136,0              2 /dev/pts/0
mserv   1346 root    3u  IPv4   2332            TCP *:60001 (LISTEN)
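The two listings above give a host analyst two indicators: a process holding raw sockets, and a TCP listener on port 60001. As an added example (not part of the ISS alert), the Python below parses saved lsof output in the format shown above, reattaches wrapped continuation lines such as the "st=07" fragment, and reports processes that match either indicator. The allowlist of programs expected to hold raw sockets and the sample lsof lines are constructed for this demonstration and are not from the alert.

```python
"""Added example (not from the ISS alert): triage saved 'lsof' output for the
two host indicators the alert gives for Stacheldraht 1.666+: a process
holding raw sockets (the 'td' agent) and a TCP listener on port 60001 (the
'mserv' master). The lsof text below is constructed, modelled on the alert."""
import re
from typing import Dict, List

# Assumption for this demo: programs that legitimately hold raw sockets on the
# host. Tune to your environment; anything else holding a raw socket is flagged.
RAW_SOCKET_ALLOWLIST = {"ping", "ping6", "traceroute", "dhclient", "tcpdump"}
MASTER_PORT = 60001  # mserv listener port seen in the alert's lsof output

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME. SIZE is blank
# for sockets, so only the first five columns are fixed; the rest is kept whole.
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+(?P<type>\S+)\s+(?P<rest>.*)$"
)
LISTEN_PORT = re.compile(r":(\d+)\s+\(LISTEN\)")


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """Parse lsof output, gluing wrapped continuation lines (e.g. ' st=07')
    back onto the row they belong to, as happens in mailed copies of output."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        if line[0].isspace() and rows:  # continuation of the previous row
            rows[-1]["rest"] += " " + line.strip()
            continue
        m = LSOF_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def find_indicators(text: str) -> List[str]:
    """Return one finding per suspicious process: unexpected raw-socket holders
    and any listener on the master port."""
    findings: List[str] = []
    raw_count: Dict[tuple, int] = {}
    for r in parse_lsof(text):
        key = (r["pid"], r["cmd"], r["user"])
        if r["type"] == "raw":
            raw_count[key] = raw_count.get(key, 0) + 1
        elif r["type"] in ("IPv4", "IPv6"):
            m = LISTEN_PORT.search(r["rest"])
            if m and int(m.group(1)) == MASTER_PORT:
                findings.append(f"pid {key[0]} ({key[1]}, {key[2]}) listening on "
                                f"TCP {MASTER_PORT}: possible Stacheldraht master")
    for (pid, cmd, user), n in raw_count.items():
        if cmd not in RAW_SOCKET_ALLOWLIST:
            findings.append(f"pid {pid} ({cmd}, {user}) holds {n} raw socket(s): "
                            f"possible Stacheldraht agent")
    return findings


# Constructed sample, modelled on the alert's lsof output: one legitimate ping,
# the 'td' agent with two raw sockets (one row wrapped), sshd, and mserv.
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
ping    2001 root    3u   raw                  2400 00000000:0001->00000000:0000 st=07
td      1217 root    0u   raw                  2218 00000000:0001->00000000:0000 st=07
td      1217 root    3u   raw                  2083 00000000:0001->00000000:0000
          st=07
sshd     612 root    3u  IPv4   1702            TCP *:22 (LISTEN)
mserv   1346 root    3u  IPv4   2332            TCP *:60001 (LISTEN)
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_LSOF):
        print(finding)
```

In the listings above the COMMAND column shows "td" and "mserv" even though the alert says the running processes present themselves as "(kswapd)" and "(httpd)", so key on the raw sockets and the TCP 60001 listener rather than on a process name, and expect a different variant to pick a different port.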

For information on locating Trinity or Entitee on your machine, please see the
X-Force Alert, "Trinity v3 Distributed Denial of Service tool", at:

http://xforce.iss.net/alerts/advise59.php.

The ISS X-Force will provide additional functionality to detect these tools in
upcoming X-Press Updates for Internet Scanner, RealSecure, and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.


About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading SAFEsuite
security software, remote managed security services, and strategic consulting
and education offerings, ISS is a trusted security provider to its customers,
protecting digital assets and ensuring safe and uninterrupted e-business. ISS'
security management solutions protect more than 5,500 customers worldwide
including 21 of the 25 largest U.S. commercial banks, 10 of the largest
telecommunications companies and over 35 government agencies. Founded in 1994,
ISS is headquartered in Atlanta, GA, with additional offices throughout North
America and international operations in Asia, Australia, Europe, Latin America
and the Middle East. For more information, visit the Internet Security Systems
web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically.  It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in any
other medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are NO
warranties with regard to this information.  In no event shall the author be
liable for any damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at the user's own
risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on
MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to X-Force, xforce@iss.net of
Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOc/mgzRfJiV99eG9AQF33wQArffQtWP7L3peeayo7WwL6Dqrj7lW48VA
zNCcUixWIKoBIoh5hty0JGFBUWUL/Cb0Yw3jrYWohwCHenMUvQlHJICrADTSE+Hu
6651ykqbMGS9Og7EL8/FswK0d4nE7HqcvV+AZH37cTXPKiST+feKcbz5S6fJ6W9p
hFUVkMCNcY8=
=Fbeu
-----END PGP SIGNATURE-----