[Snort-sigs] SID 233

Warchild warchild at ...288...
Fri Mar 22 20:13:03 EST 2002


--
Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00\:Attacker to Master default startup password"; flags:A+; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:1;)

--
Sid:
233

--
Summary:
The default password ("betaalmostdone") for the trin00 master daemon
was detected coming into the default port for the trin00 DDoS suite.

--
Impact:
Chances are good that the trin00 master daemon is running on your
machine.  This means that someone has nearly complete control of your
machine, and is most likely commanding hordes of client machines in a
Distributed Denial of Service (DDoS) attack against one or more victim
machines/networks.

--
Detailed Information:
Trinoo was the first DDoS tool to make serious headlines.  The first
step is to create a master daemon.  The master daemon is used to
control the army of trin00 clients.  To give the attacker a sense of
security, the master daemon requires a password before commands may be
executed.  The default password for the most recent release is
"betaalmostdone".

--
Attack Scenarios:
As part of a large scale attack against a machine or a network, an
attacker will compromise large numbers of machines which will form the
army that the trin00 master daemon will command.  The master daemon
typically instructs the clients to send mass quantities of packets to
a set of victim hosts.  If the traffic is sufficient, the victim
machines will become resource deprived.

--
Ease of Attack:
Medium.  Use of this tool requires a compromised system from which
to run (unless you choose to just run it on your own machine).  Once a
machine has been compromised,

--
False Positives:
Rare.  The authentication for the master daemon is fairly simple.
This, in addition to the fact that communication on a high port like
this is not very common, makes this rule fairly tight.

--
False Negatives:
Fairly common.  Since one of the ideas behind the password was to
prevent "owned" machines from being "re-owned", a common practice was
to change the default password.
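To make the rule's matching conditions and the false-negative case concrete, here is an added example (not part of the original post and not Snort code) that re-implements the logic of SID 233 over a handful of constructed packet records. It assumes $HOME_NET is 192.168.1.0/24 and that $EXTERNAL_NET is everything else; the Packet class, the sample records and the scan() helper are all constructed for this illustration.

```python
"""Re-implementation of the matching logic of Snort SID 233 over constructed
packet records.  Added example: the records below are constructed, not real
captures, and the home/external split is an assumption for the example."""
from dataclasses import dataclass

# Values taken from the rule on this page
TRIN00_MASTER_PORT = 27665
DEFAULT_PASSWORD = b"betaalmostdone"

# Standard TCP header flag bits
TCP_SYN = 0x02
TCP_PSH = 0x08
TCP_ACK = 0x10


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    flags: int
    payload: bytes


def is_home(ip: str) -> bool:
    """Assumed $HOME_NET for this example: 192.168.1.0/24."""
    return ip.startswith("192.168.1.")


def sid233_matches(pkt: Packet) -> bool:
    """Mirror the rule: tcp, $EXTERNAL_NET any -> $HOME_NET 27665,
    flags:A+ (ACK set, other bits allowed), content:"betaalmostdone"."""
    if pkt.proto != "tcp":
        return False
    # $EXTERNAL_NET is assumed to be !$HOME_NET
    if is_home(pkt.src_ip) or not is_home(pkt.dst_ip):
        return False
    if pkt.dst_port != TRIN00_MASTER_PORT:
        return False
    if not (pkt.flags & TCP_ACK):
        return False
    # content match is a plain substring search, as in the rule
    return DEFAULT_PASSWORD in pkt.payload


def scan(packets):
    """Return the indices of packets that would raise the SID 233 alert."""
    return [i for i, p in enumerate(packets) if sid233_matches(p)]


# Constructed sample traffic (not real captures)
SAMPLE_PACKETS = [
    # 0: default password sent to the master port with ACK|PSH -> alert
    Packet("203.0.113.5", "192.168.1.10", "tcp", 27665,
           TCP_ACK | TCP_PSH, b"betaalmostdone\n"),
    # 1: same payload, wrong port -> no alert
    Packet("203.0.113.5", "192.168.1.10", "tcp", 27666,
           TCP_ACK | TCP_PSH, b"betaalmostdone\n"),
    # 2: SYN only, ACK not set -> no alert (flags:A+ not satisfied)
    Packet("203.0.113.5", "192.168.1.10", "tcp", 27665,
           TCP_SYN, b"betaalmostdone\n"),
    # 3: the false-negative case from the post: default password changed
    Packet("203.0.113.5", "192.168.1.10", "tcp", 27665,
           TCP_ACK | TCP_PSH, b"somethingelse\n"),
    # 4: traffic between two home hosts -> not $EXTERNAL_NET, no alert
    Packet("192.168.1.20", "192.168.1.10", "tcp", 27665,
           TCP_ACK | TCP_PSH, b"betaalmostdone\n"),
    # 5: UDP to the same port -> rule is tcp only, no alert
    Packet("203.0.113.5", "192.168.1.10", "udp", 27665,
           0, b"betaalmostdone\n"),
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: DDOS Trin00:Attacker to Master "
              f"default startup password")
```

Only packet 0 fires; packet 3 shows why the post rates false negatives as fairly common: once the master's password is changed, the content match has nothing to find, and the rule gives no hint that a master is listening on 27665 at all.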

--
Corrective Action:
Disconnect your machine(s) from the network immediately.  Attempt to
determine if your machine was being used as part of a trin00 network.
This may be difficult, given that the system has likely been
compromised and had a rootkit installed.

--
Contributors:
Warchild <warchild at ...288...>

--
Additional References:
http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
