[Snort-sigs] SID 235

Warchild warchild at ...288...
Fri Mar 22 20:31:02 EST 2002


--
Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00
Attacker to Master default mdie password";flags: A+; content:"killme";
classtype:bad-unknown; sid:235; rev:1;) 

--
Sid:
235

--
Summary:
The password to execute the 'mdie' command on a trin00 master was
detected.

--
Impact:
Chances are good that the trin00 master daemon is running on your
machine.  This means that someone has nearly complete control of your
machine, and is most likely commanding hordes of client machines in a
Distributed Denial of Service (DDoS) attack against one or more victim
machines/networks.

--
Detailed Information:
Once a trin00 network has been established, an attacker has the
ability to tell the master daemon to tell all the clients to shut
down.  This is done using the 'mdie' command.  The default password
was "killme".

--
Attack Scenarios:
As part of a large scale attack against a machine or a network, an
attacker will comprimise large numbers of machines which will form the
army that the trin00 master daemon will command.  The master daemon
typically instructs the clients to send mass-quantities of packets to
a set of victim hosts.  If the traffic is sufficient, the victim
machines will become resource deprived.

To stop the attack, an attacker may use the 'mdie' command to shutdown
the broadcast (client) hosts.

--
Ease of Attack:
Medium.  Use of this tool requires a comprimised system from which to
to run (unless you choose to just run it on your own machine).  Once a
machine has been comprimised, all that is required to become part of
the trin00 network is proper permissions and a network connection.

--
False Positives:
Rare.  Communication on a high tcp port like this isn't that uncommon,
but traffic containing the string "killme" is rare enough such that
false positives are minimized.

--
False Negatives:
Possible.  The use of the 'mdie' command requires that you know the
master daemon's password in the first place, so changing this password
doesn't make sense.  That said, the chances of someone changing this
particular password are slim, thereby reducing false negatives.  Also
keep in mind that the master daemon can be configured to run on nearly
any port, so that may increase the number of false negatives.

--
Corrective Action:
Disconnect your machine(s) from the network immediately.  Attempt to
determine if your machine was being used as part of a trin00 network.
This may be difficult, given that the system has likely been
comprimised and had a root kit installed.   

--
Contributors:
Warchild <warchild at ...288...>

-- 
Additional References:
http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm




More information about the Snort-sigs mailing list