NATIONAL INFRASTRUCTURE PROTECTION CENTER

TRINOO/Tribal Flood Net/tfn2k

During the past few weeks the NIPC has received multiple reports of intruders installing distributed denial of service (DDOS) tools on various computer systems. This is being done to create large networks of hosts capable of launching coordinated packet flooding denial of service attacks. Access to these systems has been accomplished primarily through compromises exploiting known UNIX remote procedure call (RPC) vulnerabilities. The multiple denial of service tools include TRINOO and Tribe Flood Network (TFN and tfn2k).

The NIPC is highly concerned about the scale and significance of these reports for the following reasons:

* Many of the victims have high bandwidth Internet connections, representing a possibly significant threat to Internet traffic.
* The technical vulnerabilities used to install these denial of service tools are widespread, well-known and readily accessible on most networked systems throughout the Internet.
* The tools appear to be undergoing active development, testing and deployment on the Internet.
* The activity often stops once system owners start filtering for TRINOO/TFN and related activity.

Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks.

NIPC requests that all computer network owners and organizations examine their systems for evidence of these DDOS tools. Specific technical instructions are available from CERT-CC, SANS, NIPC, or other sources. The NIPC is making available on this web site a software application that can be used to detect the presence of these DDOS tools. Recipients are asked to report significant or suspected criminal activity to their [1]local FBI office or the NIPC Watch/Warning Unit, and to computer emergency response support and other law enforcement agencies, as appropriate.
The NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.

The tool (find_ddos) is available for Solaris on Sparc or Intel platforms and Linux on Intel platforms. It has been designed to detect the tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. The new version (3.3) should solve some out-of-memory errors, prevent self-detection, and support process scanning on Solaris 2.5.1. Consult the [2]readme file for more information.

This download is for Solaris 2.5.1, 2.6, and Solaris 7 on the Sparc or Intel platforms, and Linux on Intel platforms. This tool will not work on a Windows 95/98/NT-based PC.

* [3]Readme
* [4]Solaris on Sparc Executable File (tar, compressed format) version 4.0
* [5]Linux on Intel Executable File (tar, compressed format) version 4.0
* [6]Solaris on Intel Executable File (tar, compressed format) version 4.0
* [7]Checksums (The MD5 checksums are provided to verify the integrity of the files.)

Windows information

Recently the NIPC has been receiving reports of a Microsoft Windows version of the TRINOO virus. The NIPC is not developing a Windows version of the above find_ddos tool. It is expected that several commercial virus detection software producers will soon create versions of their tools to scan for Windows DDOS tools. Please check with the virus detection software manufacturer of your choice on the availability of these tools. As information arrives we will try to list sources of these tools.

Trend Micro ([8]http://www.antivirus.com) has a free on-line virus scanner tool available on their website that can detect the presence of the daemon agent, TROJ_TRINOO, on Windows 32-bit platforms. This announcement does not constitute an endorsement for the scanning tool or Trend Micro and is provided as information only.
For detailed information regarding this tool visit the Trend Micro web site at [9]http://housecall.antivirus.com. For additional security alert information provided by Trend Micro on TROJ_TRINOO, STACHELDRAHT, TFN, and TRINOO visit [10]http://www.antivirus.com/vinfo.

[11]Press Release | [12]NIPC Home Page | [13]Back to Advisories, Alerts and Warnings

References

1. http://www.fbi.gov/contact/fo/fo.htm
2. http://foia.fbi.gov/nipc/README
3. http://foia.fbi.gov/nipc/README
4. http://foia.fbi.gov/nipc/find_ddos_v40_sparc.tar.Z
5. http://foia.fbi.gov/nipc/find_ddos_v40_linux.tar.Z
6. http://foia.fbi.gov/nipc/find_ddos_v40_intel.tar.Z
7. http://foia.fbi.gov/nipc/checksums
8. http://www.antivirus.com/
9. http://housecall.antivirus.com/
10. http://www.antivirus.com/vinfo
11. http://www.fbi.gov/pressrm/pressrel/pressrel99/prtrinoo.htm
12. http://www.fbi.gov/nipc/welcome.htm
13. http://www.fbi.gov/nipc/nipcaaw.htm
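The checksums file listed with the find_ddos downloads exists so that a fetched tarball can be compared against the published MD5 before it is unpacked and run on a host that is already suspected of compromise. The following is an added example, not NIPC's find_ddos code and not the contents of its checksums file: it assumes the checksum file uses the common two-column "digest  filename" layout written by md5sum, and the file names, file contents and digests below are constructed for the demonstration (the digests are the real MD5 values of the constructed contents).

```python
import hashlib
import hmac
import os
import tempfile

# Constructed checksum file in the assumed md5sum layout: "<md5hex>  <filename>".
# The digests are MD5 of the byte strings written in demo(); the third file is
# deliberately absent so the "missing" path is exercised too.
CHECKSUMS_TEXT = """\
# find_ddos 4.0 checksums (constructed sample, not the NIPC file)
900150983cd24fb0d6963f7d28e17f72  find_ddos_v40_linux.tar.Z
900150983cd24fb0d6963f7d28e17f72  find_ddos_v40_sparc.tar.Z
d41d8cd98f00b204e9800998ecf8427e  find_ddos_v40_intel.tar.Z
"""


def parse_checksums(text):
    """Parse 'md5hex  filename' lines into {filename: md5hex}; skip blanks and comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        # md5sum prefixes binary-mode entries with '*'; strip it from the name.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large tarballs do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(checksums_text, directory):
    """Return {filename: status} with status 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, digest in parse_checksums(checksums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(md5_of_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo():
    """Constructed scenario: one intact download, one altered in transit, one not fetched."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "find_ddos_v40_linux.tar.Z"), "wb") as f:
            f.write(b"abc")  # stands in for an intact tarball; MD5 matches the list
        with open(os.path.join(d, "find_ddos_v40_sparc.tar.Z"), "wb") as f:
            f.write(b"abd")  # one byte differs from what the checksum file expects
        return verify_downloads(CHECKSUMS_TEXT, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

Treat any file whose status is not "ok" as unusable and fetch it again. Note what the check does and does not establish: a published MD5 detects corruption or truncation of the download, but because the checksum file is served from the same site as the tarballs it cannot by itself prove the package is the one NIPC published. Where a detection tool will be run on hosts that may already be under an intruder's control, obtaining the tool and its checksums from a clean system and out-of-band confirmation of the digests are the practical defenses.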