On Tue, 4 Jan 2000, James Triplett wrote:

> I suppose this is legit. However, they are asking us to run
> AS ROOT, some unknown executable on all our important systems.
> Goes against the most basic security procedures!

I agree, bad bad bad.

What's it do anyway? From the 'readme' I quote:

"The tool will detect several known denial-of-service attack tools by looking at all 32-bit ELF format files in a given directory tree, and comparing the files' strings and symbol table against a set of known "fingerprints" for TFN and trinoo tools. If a file is considered a close enough match to one of these fingerprints, it is identified with that file."

erm what other kinds of 'known "fingerprints"' does it detect and report on?

less from the readme (in "quotes", my smartass remarks as well):

"* The tool was written in C so that it will have minimal reliance on system binaries, so it will not be impacted by most "root kits". However, it is susceptible to a kernel loadable module-based root kit."

oops, but if that's the case you have bigger sheep to shear.

"* Because the tool was written in C, it must be compiled for a specific operating system. This tool has only been compiled to run on Solaris 2.x and higher operating systems. It has only been tested on Solaris 2.5.1, Solaris 2.6, and Solaris 7."

Is it likely that this attack only affects solaris? Probably not considering the huge amount of linux targets out there unpatched, unwatched and unknowing. Is a linux binary in the making?

"* Some differences in the symbol table may be a result of differences in how the distributed denial-of-service program was compiled, rather than a change in the source code of the program. This will not cause the program to be missed, but will cause differences to be reported that are not significant."

That's a sophisticated scan. Where _is_ that source...

> No source provided, no way to ensure that this isn't just another trojan...
> (even the fbi.gov site could be hacked, and anyway how do they know what
> is in the executable?)

It _has_ been hacked in the past. At present it would be, to say the least, a daring attack vector, I must say. Owning www.fbi.gov and distributing a trinoo 'fix'. Possible? Yes, but unlikely, yet amusing. Let the 'post-cyberpunks' write about that one.

No source is bad, but understandable, cuz it seems like a very powerful tool that can be used to scan for any number or kind of "fingerprints". Anyone asked for it? Will someone establish a 'Trinoo Fix Licensing Association' and sue you if you reverse engineer their compiled code and provide a compatible open source fix of your own? Even if you put it on a DVD with ReCSS? (the inverse of DeCSS: crappily encrypt your _own_ DVD's at home. ;)

Oh and thanks MJR et al, a rapid response to what is shaping up to be a very broad and difficult attack. Their code is very likely legit, elegant and effective, though of course run it on your solaris machines while they are _disconnected_ from the net, as following reasonable computer forensic practices.

spiff
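The scan the readme describes, as an added Python example that is not from this thread or the NIPC tool: read the .symtab of a 32-bit ELF file, score the symbol names against fingerprint sets with a "close enough" threshold, and report the symbols that differ (the compile-difference case the readme mentions). The fingerprint sets and the sample ELF built by build_elf32 are constructed for the example and are not the real TFN/trinoo fingerprints; it assumes little-endian ELF32 and checks one file's bytes rather than walking a directory tree.

```python
import struct

# Constructed fingerprint sets for the example, not the real TFN/trinoo ones.
FINGERPRINTS = {
    "tool_A": {"flood_udp", "flood_syn", "parse_master", "daemon_loop", "spoof_src"},
    "tool_B": {"handler_connect", "send_cmd", "read_password", "daemon_loop"},
}

def elf32_symbols(data):
    """Symbol names from .symtab/.dynsym of a little-endian ELF32 file, or None if not one."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        return None  # bad magic, EI_CLASS != ELFCLASS32, or EI_DATA != ELFDATA2LSB
    shoff = struct.unpack_from("<I", data, 32)[0]           # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 46)  # e_shentsize, e_shnum
    names = set()
    for i in range(shnum):
        sh = struct.unpack_from("<10I", data, shoff + i * shentsize)  # Elf32_Shdr fields
        if sh[1] in (2, 11):  # sh_type is SHT_SYMTAB or SHT_DYNSYM
            strtab_off = struct.unpack_from("<10I", data, shoff + sh[6] * shentsize)[4]  # sh_link -> names
            for off in range(sh[4], sh[4] + sh[5], 16):  # each Elf32_Sym is 16 bytes
                st_name = struct.unpack_from("<I", data, off)[0]
                if st_name:  # entry 0 is the reserved null symbol
                    start = strtab_off + st_name
                    names.add(data[start:data.index(b"\x00", start)].decode())
    return names

def match(symbols, threshold=0.8):
    """Best fingerprint with at least `threshold` of its symbols present, plus the missing ones."""
    best = None
    for name, fp in FINGERPRINTS.items():
        score = len(symbols & fp) / len(fp)
        if score >= threshold and (best is None or score > best[1]):
            best = (name, score, sorted(fp - symbols))  # missing symbols are the "differences"
    return best

def build_elf32(symbols):
    """Constructed minimal ELF32 (x86, ET_REL) holding only .symtab and .strtab; not loadable."""
    strtab = b"\x00" + b"".join(s.encode() + b"\x00" for s in symbols)
    symtab, pos = b"\x00" * 16, 1  # null symbol first; pos walks the string table
    for s in symbols:
        symtab += struct.pack("<IIIBBH", pos, 0, 0, 0x12, 0, 0)  # st_info: STB_GLOBAL | STT_FUNC
        pos += len(s) + 1
    symtab_off, strtab_off = 52, 52 + len(symtab)
    shoff = strtab_off + len(strtab)
    ehdr = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack(  # ELFCLASS32, LSB, EV_CURRENT
        "<HHIIIIIHHHHHH", 1, 3, 1, 0, 0, shoff, 0, 52, 0, 0, 40, 3, 0)
    shdrs = bytes(40)  # section header 0 is the reserved null entry
    shdrs += struct.pack("<10I", 0, 2, 0, 0, symtab_off, len(symtab), 2, 1, 4, 16)  # .symtab, link=2
    shdrs += struct.pack("<10I", 0, 3, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0)   # .strtab
    return ehdr + symtab + strtab + shdrs
```

To cover a tree, feed each file's bytes from os.walk to elf32_symbols and pass the result to match; a hit with a short missing list is the "not significant" difference case rather than a miss.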
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:48 PDT