Subject: ISSalert: ISS Security Alert: New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools
Date: Mon, 25 Sep 2000 19:58:33 -0400
From: X-Force

Internet Security Systems Security Alert
September 25, 2000

New Variants of Trinity and Stacheldraht Distributed Denial of Service Tools

Synopsis:

New versions of Stacheldraht and Trinity distributed denial of service (DDoS) attack tools have been found in the wild. The new versions of Stacheldraht include "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 1.666+smurf+yps". A variant of the Trinity tool called "entitee" has also been reported.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding target machines with large amounts of traffic. In February of this year, several of the Internet's largest Web sites, including Yahoo, Amazon.com, eBay, and Buy.com, were disrupted for extended periods of time by DDoS tools. These new tools were detected in corporate networks, as well as in personal computers with high speed network connections. The prevalence of high speed DSL and cable modem service magnifies these tools' potential effectiveness.

Description:

For an overview of the original Stacheldraht program, refer to the X-Force Alert, "Denial of Service Attack using the TFN2K and Stacheldraht programs", at:
http://xforce.iss.net/alerts/advise43.php

For more information, Dave Dittrich wrote a detailed analysis, which can be found at:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt

In the newer version of the Stacheldraht program, there are several new commands. The following is a complete list of commands in this new version:

    .mtimer    .mudp      .micmp     .msyn      .mack      .mnul      .mstream
    .mhavoc    .mrandom   .mip       .mfdns     .msort     .showalive .madd
    .mlist     .msadd     .msrem     .help      .setusize  .setisize  .mdie
    .sprange   .mstop     .killall   .showdead  .forceit   .left      .enter

The following commands have been added since the first versions of Stacheldraht:

    .mack      Sends a TCP ACK flood.
    .mnul      Sends a NULL flood, which is like a TCP SYN flood, but with the TCP flags set to 0.
    .mstream   Sends a stream attack flood (see http://xforce.iss.net/alerts/advise48.php).
    .mhavoc    Sends a "HAVOC" flood. This sends mixed ICMP, UDP, SYN, TCP random flags and IP headers simultaneously.
    .mrandom   Sends a flood of packets with random TCP headers.
    .mip       Sends a flood of regular IP headers.
    .mfdns     Sets the source port for floods to port 53.
    .msadd     Adds a master server to the list of master servers.
    .forceit   Causes a .mstop command to stop all agents from flooding, even if they are not flooding.
    .left      Tells you how much time is left before an agent stops flooding.

IRC flooding commands:

    .enter     Enter the IRC flooding interface.
    .part      Part a channel.
    .join      Join a channel.
    .msg       Send a message flood.

In this version, the user is prompted for a password when building the binaries. There is no default password; however, there are some default values used. When running, the agent "td" uses the process name "(kswapd)". When it spawns child processes, they are named "httpd". The master server "mserv" uses the process name "(httpd)".

When the master server is communicating with the agent, ICMP packets are used. Each command is identified by the ICMP ID header field.
In the version obtained by the X-Force, the values are as follows:

For the network flooding commands and replies:

    699    Add an IP address to the list of addresses to be flooded
    6666   Send IP header flood
    7778   Send Stream attack
    9000   Add new master server to the Stacheldraht network
    9000   Spoof test reply
    9001   Remove master server
    9002   Distribute new versions of the agent
    9003   Shutdown agent
    9004   Set the amount of time to flood
    9005   Set the ICMP packet size for ICMP-based floods
    9006   Set the UDP packet size for UDP-based floods
    9007   Set the port range for SYN floods
    9012   Start a UDP flood
    9013   Start a SYN flood
    9014   Set the port for SYN floods
    9015   Stop flooding
    9016   Change spoofing mode
    9017   Replies from the client
    9028   Send Smurf attack
    9055   Send ICMP flood
    9113   Start an ACK flood
    9213   Start a NULL flood
    9668   Spoof test
    9934   Send Havoc flood
    9935   Send random TCP header flood
    9936   Send DNS packet flood

For the IRC flooding commands:

    1      Join IRC
    4      Part Channel
    5      Join Channel
    6      Message Flood

For an overview of the Trinity DDoS tool, refer to the X-Force Alert, "Trinity v3 Distributed Denial of Service tool", at:
http://xforce.iss.net/alerts/advise59.php

At least 8 different versions of Trinity have been found on the Undernet Internet Relay Chat (IRC) network by the Undernet operators, each using a different IRC channel. On September 17, 2000, "Rod R00T" reported a new variant of Trinity, called "entitee", to the INCIDENTS mailing list at SecurityFocus.com. It is functionally equivalent to Trinity v3, but it uses different channels, keys, and password. Trinity v3 responds to commands in the channel with a line beginning with "(trinity)", while entitee responds with lines beginning with "(entitee)".

Recommendations:

The Stacheldraht and Trinity signatures in the ISS RealSecure intrusion detection software are being updated to detect these new tools.
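As a network-side complement to the RealSecure signatures, the following is an added example (not ISS code) that classifies raw IPv4/ICMP packets by the identifier values in the table above; the packet builder and sample packets are constructed for illustration. Ordinary ping clients put their process ID in the same field, so a match is a lead to correlate with the host checks that follow, not proof of compromise on its own.

```python
import struct
from typing import List, Optional, Tuple

# ICMP IDs from the command table in this alert; the IRC IDs 1/4/5/6 are omitted because such small values collide with normal ping IDs.
STACHELDRAHT_ICMP_IDS = {
    699: "add flood target", 6666: "IP header flood", 7778: "stream attack",
    9000: "add master server / spoof test reply", 9001: "remove master server",
    9002: "distribute new agent", 9003: "shutdown agent", 9004: "set flood time",
    9005: "set ICMP packet size", 9006: "set UDP packet size", 9007: "set SYN port range",
    9012: "UDP flood", 9013: "SYN flood", 9014: "set SYN port", 9015: "stop flooding",
    9016: "change spoofing mode", 9017: "client reply", 9028: "smurf attack",
    9055: "ICMP flood", 9113: "ACK flood", 9213: "NULL flood", 9668: "spoof test",
    9934: "havoc flood", 9935: "random TCP header flood", 9936: "DNS packet flood",
}

def icmp_id(ipv4_packet: bytes) -> Optional[int]:
    """Return the identifier field of an ICMP echo / echo-reply carried in a raw IPv4 packet."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4          # IP header length in bytes (options included)
    if ipv4_packet[9] != 1 or len(ipv4_packet) < ihl + 8:
        return None                              # not ICMP, or truncated ICMP header
    icmp_type = ipv4_packet[ihl]
    if icmp_type not in (0, 8):                  # the control channel rides on echo reply / request
        return None
    return struct.unpack("!H", ipv4_packet[ihl + 4:ihl + 6])[0]

def classify(ipv4_packet: bytes) -> Optional[str]:
    """Name the Stacheldraht command the packet's ICMP ID maps to, or None if it matches nothing."""
    ident = icmp_id(ipv4_packet)
    return None if ident is None else STACHELDRAHT_ICMP_IDS.get(ident)

def scan(packets: List[bytes]) -> List[Tuple[int, int, str]]:
    """Return (packet index, ICMP ID, command name) for every packet matching the table."""
    hits = []
    for i, pkt in enumerate(packets):
        label = classify(pkt)
        if label:
            hits.append((i, icmp_id(pkt), label))
    return hits

def build_icmp(ident: int, icmp_type: int = 0, proto: int = 1) -> bytes:
    """Constructed sample packet (checksums left zero; the parser does not validate them)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp

# Constructed traffic: a normal ping, a SYN-flood command, a stop command, and a non-ICMP datagram.
SAMPLE_PACKETS = [build_icmp(4321, 8), build_icmp(9013), build_icmp(9015), build_icmp(9013, proto=17)]
```

Running scan(SAMPLE_PACKETS) reports packets 1 and 2 as "SYN flood" and "stop flooding"; the ping and the UDP datagram produce no hit.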
To find a Stacheldraht agent on your computer, use the lsof command:

    [root@unix /root]# lsof | grep raw
    td        1217 root    3u   raw                  2083   00000000:0001->00000000:0000 st=07
    [root@unix /root]# lsof -p 1217
    COMMAND PID  USER FD  TYPE DEVICE SIZE    NODE   NAME
    td      1217 root cwd DIR  8,1    4096    497157 /root/stach+antigl/client
    td      1217 root rtd DIR  8,1    4096    2      /
    td      1217 root txt REG  8,1    99396   497190 /root/stach+antigl/client/td
    td      1217 root mem REG  8,1    344890  416837 /lib/ld-2.1.2.so
    td      1217 root mem REG  8,1    4118299 416844 /lib/libc-2.1.2.so
    td      1217 root 0u  raw                 2218   00000000:0001->00000000:0000 st=07
    td      1217 root 1u  CHR  136,1          3      /dev/pts/1
    td      1217 root 2u  CHR  136,1          3      /dev/pts/1
    td      1217 root 3u  raw                 2083   00000000:0001->00000000:0000 st=07

To locate a Stacheldraht master server on your computer:

    [root@unix stach+antigl]# lsof -i TCP:60001
    COMMAND PID  USER FD TYPE DEVICE SIZE NODE NAME
    mserv   1346 root 3u IPv4 2332        TCP  *:60001 (LISTEN)
    [root@unix stach+antigl]# lsof -p 1346
    COMMAND PID  USER FD  TYPE DEVICE SIZE    NODE   NAME
    mserv   1346 root cwd DIR  8,1    4096    497149 /root/stach+antigl
    mserv   1346 root rtd DIR  8,1    4096    2      /
    mserv   1346 root txt REG  8,1    1356288 497188 /root/stach+antigl/mserv
    mserv   1346 root 0u  CHR  136,0          2      /dev/pts/0
    mserv   1346 root 1u  CHR  136,0          2      /dev/pts/0
    mserv   1346 root 2u  CHR  136,0          2      /dev/pts/0
    mserv   1346 root 3u  IPv4 2332           TCP    *:60001 (LISTEN)

For information on locating Trinity or Entitee on your machine, please see the X-Force Alert, "Trinity v3 Distributed Denial of Service tool", at:
http://xforce.iss.net/alerts/advise59.php

The ISS X-Force will provide additional functionality to detect these vulnerabilities in upcoming X-Press Updates for Internet Scanner, RealSecure, and System Scanner.

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0138 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to X-Force, xforce@iss.net, of Internet Security Systems, Inc.