FWD: ZDNet: News: DDoS attack targets chat, Linux boxes

Gene Collins collins at gene3.cc.iastate.edu
Fri Sep 8 11:04:30 EDT 2000


------- Forwarded Message

This message was forwarded to you from ZDNet (http://www.zdnet.com) by jbalvanz at iastate.edu.

Comment from sender:
Thought you might want to know about this...

 A new distributed denial-of-service tool has been discovered in the wild
   and is spreading, according to Internet Security Systems Inc.'s
   X-Force service.

   Reports of up to 400 hosts running the "Trinity v3" agent have been
   reported, including 50 compromised IRC (Internet Relay Chat) hosts,
   said Chris Rouland, director of X-Force. Rouland said no high-profile
   commerce sites have been reported down yet, but "one or two"
   universities have been affected. He would not disclose the identities
   of the schools.

   "Using chat for attacks is a trend; chat in general is Internet-risky
   behavior," Rouland said. "It's fairly anonymous for an attacker to go
   onto a chat system and launch attacks, and anyone who can access this
   new chat room that Trinity v3 creates can launch further attacks."

   Trinity v3 so far has been seen on Linux machines. The binary code is
   installed on a Linux server at /usr/lib/idle.so. When idle.so is
   launched, it connects to one of 11 Undernet IRC servers and sets a
   nickname for itself (which combines the first six letters of the host
   with three random digits).

   The code then joins the chat room #b3eblebr0x. Once
   there, the code waits for commands to attack either individual Trinity
   agents or to attack all agents on the channel.

   Trinity v3, Rouland said, is capable of setting eight types of flood
   attacks that can be sent for any length of time. The code also puts
   another binary on affected systems at var/spool/uucp/uucico, which
   looks similar to a real file at usr/lib/uucico but is different. The
   rogue code simply listens to port 33270 for connections and then
   attempts to get root shell access when someone logs on.

   More information on the attack, along with precautions to take, can be
   found at http://xforce.iss.net.
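
Added example, not part of the forwarded article or of any ISS advisory: a host and log check built only from the indicators the article names (the two file paths, TCP port 33270, and the channel #b3eblebr0x). The function names, the `root` parameter and the sample data are assumptions made for illustration, and the uucico path is treated as absolute although the article prints it without a leading slash.

```python
import os
import re

# Indicators taken from the article above. The article prints the uucico path
# without a leading slash; treating it as absolute is an assumption.
AGENT_FILES = ("/usr/lib/idle.so", "/var/spool/uucp/uucico")
BACKDOOR_PORT = 33270
CHANNEL = "#b3eblebr0x"

def listening_ports(proc_net_tcp):
    """Parse /proc/net/tcp text and return the local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:       # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":    # 0A is TCP_LISTEN
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def channel_joins(irc_lines):
    """Return nicknames seen joining CHANNEL in raw IRC protocol lines."""
    pat = re.compile(r"^:([^!\s]+)!\S+ JOIN :?" + re.escape(CHANNEL) + r"\s*$", re.I)
    return [m.group(1) for m in map(pat.match, irc_lines) if m]

def check_host(root="/", proc_net_tcp=None):
    """Return findings for the filesystem under root and the given socket table."""
    findings = []
    for path in AGENT_FILES:
        if os.path.lexists(os.path.join(root, path.lstrip("/"))):
            findings.append("file present: " + path)
    if proc_net_tcp is None:                         # default: read the live table
        with open("/proc/net/tcp") as fh:
            proc_net_tcp = fh.read()
    if BACKDOOR_PORT in listening_ports(proc_net_tcp):
        findings.append("listener on TCP port %d" % BACKDOOR_PORT)
    return findings

# Constructed sample data (not captured from a real host or IRC server).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:81F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:81F7 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 1003
"""
SAMPLE_IRC = [":websrv042!user@192.0.2.10 JOIN :#b3eblebr0x",
              ":alice!a@192.0.2.11 JOIN #linux"]

if __name__ == "__main__":
    print(check_host(proc_net_tcp=SAMPLE_PROC_NET_TCP))
    print(channel_joins(SAMPLE_IRC))
```

Pass `root` as the mount point of a disk image to check a system offline. A listener bound over IPv6 appears in /proc/net/tcp6, which uses the same column layout.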