CERT® Incident Note IN-2000-01
Windows Based DDOS Agents

Updated: Tuesday, October 3, 2000
Date: Monday, February 28, 2000

Description:
We have received reports indicating that intruders are beginning to deploy and use Windows-based denial of service agents to launch distributed denial of service attacks.

On February 16th we began receiving reports of a program called "service.exe" that appears to be a Windows version of trinoo. This program listens on UDP port 34555. More details about this tool are available on Gary Flynn's web site at:

We have seen two almost identical versions of the "service.exe" program to date (they vary by 12 bytes but produce the same results for strings(1)). The binaries we have seen have one of the following MD5 checksums:
In at least one incident, machines running the "service.exe" program were also running Back Orifice. We have also received reports of administrators finding other "remote administration" intruder tools on machines that were running "service.exe". Note that the tool TFN2K, first released in December 1999, will run on Windows NT. The existence of distributed denial of service tools for Windows platforms is not new; however, we are beginning to receive reports of these tools being installed on compromised systems.

Impact:
Windows machines have been used as intermediaries in various types of denial of service attacks for years; however, the development and deployment of the technology to use Windows machines as agents in distributed denial of service attacks represents an overall increase in the threat of denial of service attacks.

Solution:
Standard safe computing practices will prevent intruders from installing the service.exe program on your machine(s). To check a machine for this particular agent, look for a UDP socket bound to port 34555 (for example, in the output of "netstat -an") and compare the MD5 checksum of any suspect binary against the checksums listed above. Because the two known variants already differ by 12 bytes while producing identical strings(1) output, a checksum that does not match does not rule out a further variant; the strings in the binary are a more stable indicator than its checksum.
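The checks described above, as an added example that is not part of the CERT note and not code from the agent's authors: a small Python triage script that looks for a UDP socket bound to port 34555 in "netstat -an" output, compares a binary's MD5 against an analyst-supplied list of known-bad checksums (the note's own checksums are not repeated here), and implements a minimal strings(1) so that two images differing only in non-printable bytes can be recognised as the same tool even when their MD5s differ. The netstat output, the two "binaries" and their embedded strings are constructed for the demo and are assumptions, not data from the real service.exe.

```python
"""Added example, not part of the CERT note: triage helpers for the
service.exe (Windows trinoo) agent described above.

Assumptions not stated in the note: on an NT/2000 host the agent shows up
in `netstat -an` as a UDP socket bound to port 34555; the known-bad MD5
list is supplied by the analyst; SAMPLE_NETSTAT, VARIANT_A and VARIANT_B
below are constructed for the demo and are not real service.exe data.
"""
from __future__ import annotations

import hashlib

AGENT_UDP_PORT = 34555  # the port the note says service.exe listens on


def udp_listeners(netstat_output: str, port: int = AGENT_UDP_PORT) -> list[str]:
    """Local addresses of UDP sockets bound to `port` in `netstat -an` output.

    Windows NT/2000 prints UDP sockets as 'UDP    0.0.0.0:34555    *:*';
    the port is taken after the last ':' so bracketed IPv6 forms also work.
    """
    hits = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "UDP":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(port):
                hits.append(local)
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 of a binary image; the note identifies the agent by checksum."""
    return hashlib.md5(data).hexdigest()


def matches_known_bad(data: bytes, known_md5s: set[str]) -> bool:
    """Case-insensitive lookup of the image's MD5 in the analyst's list."""
    return md5_hex(data) in {h.lower() for h in known_md5s}


def strings(data: bytes, min_len: int = 4) -> list[str]:
    """Minimal strings(1): runs of at least `min_len` printable ASCII bytes."""
    out: list[str] = []
    run = bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def byte_diff_count(a: bytes, b: bytes) -> int:
    """Byte positions where `a` and `b` differ; a length difference counts too."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def same_strings(a: bytes, b: bytes) -> bool:
    """True when two images look identical to strings(1), as the note
    reports for the two service.exe variants it has seen."""
    return strings(a) == strings(b)


# --- constructed demo data (not real service.exe artefacts) -----------------
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1038          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:34555          *:*
"""

# Two fake images that differ only in 12 non-printable header bytes, so their
# MD5s differ while strings(1) output is identical (placeholder strings).
VARIANT_A = b"MZ\x90\x00" + b"\x00" * 12 + b"service.exe\x00ws2_32.dll\x00"
VARIANT_B = b"MZ\x90\x00" + b"\xff" * 12 + b"service.exe\x00ws2_32.dll\x00"


def triage(netstat_output: str, image: bytes, known_md5s: set[str]) -> dict:
    """The checks an administrator would run together on a suspect host."""
    return {
        "udp_34555_bound": udp_listeners(netstat_output),
        "md5": md5_hex(image),
        "md5_known_bad": matches_known_bad(image, known_md5s),
        "strings": strings(image),
    }


if __name__ == "__main__":
    known = {md5_hex(VARIANT_A)}  # analyst-supplied list; seeded from the demo image
    print(triage(SAMPLE_NETSTAT, VARIANT_A, known))
    print("variant B differs by", byte_diff_count(VARIANT_A, VARIANT_B), "bytes;",
          "same strings:", same_strings(VARIANT_A, VARIANT_B),
          "md5 match:", matches_known_bad(VARIANT_B, known))
```

Run it on a real host by feeding the script the saved output of "netstat -an" and the bytes of the suspect file; the MD5 list is the one from the note. The strings comparison is the check to keep when a checksum fails to match, since it is what the note itself used to tie the two variants together.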
Author: Jed Pickel

This document is available from: http://www.cert.org/incident_notes/IN-2000-01.html

CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.

Getting security information
CERT publications and other security information are available from our web site.
To subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message
subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.