Subject: ISSalert: Internet Security Systems Security Alert: Trinity v3 Distributed Denial of Service tool
Date: Tue, 5 Sep 2000 11:42:28 -0400 (EDT)
From: X-Force

Internet Security Systems Security Alert
September 5, 2000

Trinity v3 Distributed Denial of Service tool

Synopsis:

A new Distributed Denial of Service tool, "Trinity v3", has been discovered in the wild. There have been reports of up to 400 hosts running the Trinity agent. In one Internet Relay Chat (IRC) channel on the Undernet network, there are 50 compromised hosts with Trinity running, with new hosts appearing every day. It is not known how many different versions of Trinity are in the wild.

Impact:

Distributed Denial of Service attacks can bring down a network by flooding target machines with large amounts of traffic. In February of this year, several of the Internet's biggest websites, including Yahoo, Amazon.com, Ebay and Buy.com, were taken down for extended periods of time by tools similar to Trinity.

Description:

Trinity is a Distributed Denial of Service tool that is controlled by IRC. In the version that the X-Force has been analyzing, the agent binary is installed on a Linux system at /usr/lib/idle.so. When idle.so is started, it connects to an Undernet IRC server on port 6667. There is a list of servers in the binary:

204.127.145.17
216.24.134.10
208.51.158.10
199.170.91.114
207.173.16.33
207.96.122.250
205.252.46.98
216.225.7.155
205.188.149.3
207.69.200.131
207.114.4.35

When Trinity connects, it sets its nickname to the first 6 characters of the host name of the affected machine, plus 3 random letters or numbers. For example, the computer named machine.example.com would connect and set its nickname to machinabc, where abc is 3 random letters or numbers. If there is a period in the first 6 characters of the host name, the period is replaced by an underscore. In our copy of Trinity, it joins the IRC channel #b3eblebr0x using a special key.
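The nickname rule and the server list above give a defender two concrete things to look for in network logs: outbound connections to the listed Undernet servers on port 6667, and IRC NICK commands whose nickname is the first six characters of the sending host's name (periods replaced by underscores) followed by three letters or digits. The following Python is an added example written for this advisory; it is not X-Force code. It assumes a constructed log format of the form "<timestamp> <source host name> <destination ip>:<port> <payload>", assumes IRC nicknames compare case-insensitively, and uses host names shorter than six characters whole, since the advisory does not say how those are handled.

```python
import re

# Undernet IRC servers hard-coded in the Trinity binary, as listed in the advisory.
TRINITY_IRC_SERVERS = {
    "204.127.145.17", "216.24.134.10", "208.51.158.10", "199.170.91.114",
    "207.173.16.33", "207.96.122.250", "205.252.46.98", "216.225.7.155",
    "205.188.149.3", "207.69.200.131", "207.114.4.35",
}
TRINITY_IRC_PORT = 6667


def expected_nick_prefix(hostname: str) -> str:
    """Nickname prefix per the advisory: first 6 characters of the host name,
    with any period replaced by an underscore. Host names shorter than 6
    characters are used whole (assumption; the advisory does not say)."""
    return hostname[:6].replace(".", "_")


def is_trinity_style_nick(nick: str, hostname: str) -> bool:
    """True if nick is the expected prefix for hostname plus exactly 3 letters
    or digits. Case-insensitive, because IRC nicknames are (assumption)."""
    pattern = re.compile(
        "^" + re.escape(expected_nick_prefix(hostname)) + r"[A-Za-z0-9]{3}$",
        re.IGNORECASE,
    )
    return pattern.match(nick) is not None


# Constructed log format (hypothetical, not from the advisory):
#   <timestamp> <source host name> <dest ip>:<dest port> <first line of payload>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (.*)$")


def scan_log(lines):
    """Return one finding per log line that matches either Trinity indicator."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        _ts, src_host, dst_ip, dst_port, payload = m.groups()
        reasons = []
        # Indicator 1: connection to a server from the binary's list on port 6667.
        if dst_ip in TRINITY_IRC_SERVERS and int(dst_port) == TRINITY_IRC_PORT:
            reasons.append("connection to an IRC server listed in the Trinity binary")
        # Indicator 2: an IRC NICK command whose nick follows the Trinity rule.
        if payload.upper().startswith("NICK "):
            parts = payload.split(None, 1)
            nick = parts[1].strip() if len(parts) > 1 else ""
            if nick and is_trinity_style_nick(nick, src_host):
                reasons.append(
                    f"IRC nick {nick!r} matches the Trinity pattern for {src_host}"
                )
        if reasons:
            findings.append({"line": number, "host": src_host, "reasons": reasons})
    return findings


# Constructed sample log lines (example.com is a reserved name; the private
# address 10.0.0.5 stands in for an IRC server not on the advisory's list).
SAMPLE_LOG = [
    "2000-09-05T11:42:28 machine.example.com 204.127.145.17:6667 NICK machinq7x",
    "2000-09-05T11:43:01 db.example.com 10.0.0.5:6667 NICK db_exa9kz",
    "2000-09-05T11:44:10 mail.example.com 207.69.200.131:6667 NICK sam",
    "2000-09-05T11:45:00 mail.example.com 192.0.2.44:443 GET /index.html",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} ({finding['host']}):")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the sample lines the first host trips both indicators, the second only the nickname rule (its IRC server is not on the list), the third only the server list (its nick does not fit the rule), and the HTTPS line nothing. A real deployment would feed the function from a flow or IDS export rather than the constructed list, and would treat the nickname match on its own as a weaker signal, since a legitimate user could pick a nick that happens to fit the pattern.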
Once it's in the channel, the agent will wait for commands. Commands can be sent to individual Trinity agents, or sent to the channel and all agents will process the command. The flooding commands have this format: