Subject: FLASH: Update and Correction on Windows Trinoo Report
From: The SANS Institute (sans@sans.org)
Date: Thu Feb 24 2000 - 16:05:23 CST
- Next message: The SANS Institute: "SANS Windows Security Digest Vol. 3 Num. 2"
- Previous message: The SANS Institute: "SANs NewsBites Vol. 2 Num. 8"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: Security Express (SD397643)
From: Alan at the SANS NewsBites Service
Gary Flynn of James Madison University has posted substantial additional
information about the copies of trinoo-like code found on Windows PCs,
described in the NewsBites that you received earlier today.
In a report entitled "Wintrinoo" provided at 3:01 PM EST, Gary noted
the following:
1. The number of machines infected was not 160. He reported that he
found 149 machines that were listening on port 34555, but that the
number of machines actually infected may have been substantially less
because of the possibility of false positives.
2. He also reported that he discovered 16 of the computers (all running
Windows, and at least 5 running Windows98) "sending out large numbers
of UDP packets on random ports."
3. He noted that all 16 machines were infected with the BackOrifice
remote control Trojan.
4. After removing BackOrifice from one of the machines, he discovered
the computer again participating in a UDP flood. That led to the discovery
of a program that was reported to CERT as a possible variant of the
trinoo distributed denial of service tool. CERT is analyzing this.
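As an added example (not part of the SANS flash or of Gary's report), the Python script below turns the two indicators listed above into a triage heuristic over constructed sample records: a port 34555 listener is only a candidate, since the report warns of false positives, and a host is flagged as flooding only when it emits many UDP packets across many distinct ports. The record format and the thresholds are assumptions.

```python
from collections import defaultdict

WINTRINOO_PORT = 34555          # listener port named in the report
MIN_PACKETS = 50                # threshold: assumption for this example
MIN_DISTINCT_DST_PORTS = 20     # threshold: assumption for this example

# Constructed records: (host, proto, port, kind)
# kind "listen" = UDP listener found in a port sweep; "out" = outbound packet.
SAMPLE = (
    [("pc-1", "udp", 34555, "listen")]
    + [("pc-1", "udp", 1024 + i * 7, "out") for i in range(60)]  # random ports
    + [("pc-2", "udp", 34555, "listen")]                        # listener only
    + [("pc-3", "udp", 53, "out") for _ in range(80)]           # DNS burst, one port
)

def candidates_by_port(records, port=WINTRINOO_PORT):
    """Hosts listening on the report's port: candidates, not confirmed infections."""
    return sorted({h for h, _, p, kind in records if kind == "listen" and p == port})

def udp_flooders(records, min_packets=MIN_PACKETS, min_ports=MIN_DISTINCT_DST_PORTS):
    """Hosts sending many UDP packets spread over many distinct destination ports."""
    count = defaultdict(int)
    ports = defaultdict(set)
    for host, proto, port, kind in records:
        if proto == "udp" and kind == "out":
            count[host] += 1
            ports[host].add(port)
    return sorted(h for h in count
                  if count[h] >= min_packets and len(ports[h]) >= min_ports)

def triage(records):
    """Separate hosts flooding now from listeners that still need a manual check."""
    flooding = set(udp_flooders(records))
    listeners = set(candidates_by_port(records))
    return {"flooding": sorted(flooding),
            "listener_only": sorted(listeners - flooding)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

pc-3 sends more packets than pc-1 but to a single port, so it is not flagged; that distinction is what keeps ordinary bursty traffic out of the flooding list.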
Gary's technical expertise and rapid response are helping the entire
community to be better informed. We're sorry that our initial report
didn't have the precision that Gary's latest posting has provided.
We'll keep you informed as we hear of new developments.
The bottom line: PCs running Windows at universities have been found
participating in distributed denial of service attacks. The next step
is to ask the virus detection vendors to find and eradicate the flooding
programs -- Gary has forwarded the code to them.
Alan