CERT® Incident Note IN-2000-01
Windows Based DDOS Agents
Updated: Tuesday, October 3, 2000
Date: Monday February 28, 2000
Description:
We have received reports indicating intruders are beginning to deploy
and utilize windows based denial of service agents to launch
distributed denial of service attacks.
On Feburary 16th we began receiving reports of a program called
"service.exe" that appears to be a Windows version of trinoo.
This program listens on UDP port 34555. More details about this tool
are available on Gary Flynn's web site at:
-
http://www.jmu.edu/computing/info-security/engineering/issues/wintrino.shtml
We have seen two almost identical versions of the "service.exe"
program to date (they vary by 12 bytes but produce the same results
for strings(1)). The binaries we have seen have one of the following
MD5 checksums:
- MD5 (service.exe) = 03fe58987d7dc07e736c13b8bee2e616
- MD5 (service.exe) = 1d45f8425ef969eba40091e330921757
In at least one incident, machines runing the "service.exe" program
were also running backoriface.
We have also received reports of administrators finding other "remote
administration" intruder tools on machines that were running
"service.exe".
Note that the tool TFN2K,
first released in December 1999, will run on Windows NT. The
existance of distributed denial of service tools for Windows platforms
is not new; however, we are beginning to receive reports of these
tools being installed on compromised systems.
Impact:
Windows machines have been used as intermediaries in various types of
denial of service attacks for years; however, the development and
deployment of the technology to use Windows machines as agents in a
distributed denial of service attacks represents an overall increase
in the threat of denial of service attacks.
Solution:
Standard safe computing practices will prevent intruders from
installing the service.exe program on your machine(s).
- Don't run programs of unknown origin, regardless of who sent you the
program. Likewise, don't send programs of unknown origin to your
friends or coworkers simply because they are amusing -- it might be a
Trojan horse.
- Before opening any email attachments, be sure you know what the
source of the attachment was. It is not enough that the mail
originated from an address you recognize. The Melissa virus spread
precisely because it originated from a familiar address. Malicious
code might be distributed in amusing or enticing programs. If you must
open an attachment before you can verify the source, do so in an
isolated environment. If you are unsure how to proceed, contact your
local technical support organization.
- Be sure your
anti-virus software is, and remains, up-to-date.
- Some products, such as Microsoft Office, Lotus Notes and others,
include the ability to execute code embedded in documents. For any
such products you use, disable the automatic execution of code
embedded in documents. For example, in Microsoft Word 97, enable the
"Macro Virus Protection" feature by choosing Tools->Options->General
and selecting the appropriate checkbox. In Lotus Notes 4.6, set a
restrictive Execution Control List (ECL) by setting the options found
in File->Tools->User Preferences->Security Options to restrict the
execution of code to trusted signers. For other products, consult your
documentation.
- Use data-integrity tools. Data-integrity
tools use strong cryptography to help you determine which files,
if any, may have changed on a system. This may be crucial information
to determine the most appropriate response to a security event. The
use of these tools requires that they be installed before a security
event has taken place.
- Avoid the use of MIME types that cause interpreters or shells to
be invoked.
- Be aware of the risks involved in the use of "mobile code" such as
Active X, Java, and JavaScript. It is often the case that electronic
mail programs use the same code that web browsers use to render
HTML. Vulnerabilities that affect ActiveX, Java, and Javascript often
are applicable to electronic mail as well as web pages.
Author: Jed Pickel
This document is available from:
http://www.cert.org/incident_notes/IN-2000-01.html
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
-
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from
our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.
