[Snort-sigs] SID 231

Warchild warchild at ...288...
Fri Mar 22 19:58:05 EST 2002

Here's another trinoo writeup.  Basically the same as the others I've done,
but with modifications made to fit this signature.  Oh yeah, and I spelled
"comprimised" right this time.

alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS
content:"l44";reference:arachnids,186; classtype:attempted-dos;
sid:231; rev:1;) 


A packet containing a potential trin00 command was detected.

System comprimise if the command was destined for your machine
(indicating your machine is the master).  On the flipside, if your
machine is the one sending the command, chances are high that you
have also been comprimised.  Once a machine becomes part of a trin00
network, a Denial of Service (DoS) is typically initiated against one
(or more) victim machines.

Detailed Information:
Trinoo was the first DDoS tool to make serious headlines.  Once the
client has been installed on a comprimised machine and a master is
ready and listening, the master can send any number of commands to its
loyal troops.  The only catch is that the command must contain the
string 'l44'.

Attack Scenarios:
As part of a large scale attack against a machine or a network, an
attacker will comprimise large numbers of machines which will form the
army that the trin00 master daemon will command.  The master daemon
typically instructs the clients to send mass-quantities of packets to
a set of victim hosts.  If the traffic is sufficient, the victim
machines will become resource deprived.

Ease of Attack:
Medium.  Use of this tool requires a comprimised system from which to
to run (unless you choose to just run it on your own machine).  Once a
machine has been comprimised, all that is required to become part of
the trin00 network is proper permissions and a network connection.

False Positives:
Rare.  The current version of trin00 ships with a configuration
sending a commands over udp to port 31335.  Communication via udp
to such a high port is fairly uncommon.  That, coupled with the
super-secret 'l44' check, make this rule fairly foolproof.

False Negatives:
Rare unless newer versions change port/protocol/communication

Corrective Action:
Disconnect your machine(s) from the network immediately.  Attempt to
determine if your machine was being used as part of a trin00 network.
This may be difficult, given that the system has likely been
comprimised and had a root kit installed.   

Warchild <warchild at ...288...>

Additional References:

More information about the Snort-sigs mailing list