Trinoo

{{infobox computer virus
| Fullname = Trinoo
| Image =
| Common name =
| Technical name =
| Aliases =
| Family =
| Type = Botnet
| Subtype =
| IsolationDate =
| Origin =
| Author =
| Ports used =
| OSes = Linux, Solaris
| Filesize = 13.6kb
| Language = C
}}

Trinoo (also written trin00) is a set of computer programs used to conduct a DDoS attack. It is believed that trinoo networks have been set up on thousands of systems on the Internet that were compromised through remote buffer overrun exploits.{{Cite web |url=http://staff.washington.edu/dittrich/misc/trinoo.analysis |title=Archived copy |access-date=2006-07-29 |archive-date=2006-08-07 |archive-url=https://web.archive.org/web/20060807231933/http://staff.washington.edu/dittrich/misc/trinoo.analysis |url-status=dead }}

The first suspected trinoo attacks are described in CERT Incident Note 99–04.{{cite web
| url = http://www.cert.org/incident_notes/IN-99-04.html
| title = CERT® Incident Note IN-99-04
| publisher = CERT
| date = April 1999
| accessdate = July 27, 2014
| archivedate = October 16, 2009
| archiveurl = https://web.archive.org/web/20091016021733/http://www.cert.org/incident_notes/IN-99-04.html
| url-status = live
}} A trinoo network has been connected to the February 2000 distributed denial of service attack on the Yahoo! website.{{cite journal
| last = Sinrod
| first = Eric J.
| author-link =
| author2 = William P. Reilly
| title = Cyber Crimes: A Practical Approach to the Application of Federal Computer Crime Laws
| journal = Santa Clara Computer and High Technology Law Journal
| volume = 16
| issue = 2
| pages = 17
| publisher = Santa Clara University School of Law
| location = California
| date = May 2000
| url = http://www.sinrodlaw.com/CyberCrime.pdf
| format = PDF 235 KB
| issn = 0882-3383
| accessdate = 2008-11-04 }}

Trinoo is famous for allowing attackers to leave a message in a folder called cry_baby. The file is self-replicating and is modified on a regular basis as long as port 80 is active.

Trinoo was authored by a teenager from New Orleans who went by the alias phifli.

==Using Trinoo==

===Step 1===

The attacker, using a compromised host, compiles a list of machines that can be compromised. Most of this process is done automatically from the compromised host, because the host stores an amount of information including how to find other hosts to compromise.

===Step 2===

As soon as the list of machines that can be compromised has been compiled, scripts are run to compromise them and convert them into Trinoo Masters or Daemons. One Master can control multiple Daemons. The Daemons are the compromised hosts that launch the actual UDP floods against the victim machine.

===Step 3===

The DDoS attack is launched when the attacker issues a command on the Master hosts. The Masters instruct every Daemon to start a DoS attack against the IP address specified in the command; the many individual DoS floods together make up the DDoS attack.
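The flood described in Step 3 has a shape a defender can look for in flow records: many distinct sources sending UDP to one destination at a high aggregate packet rate. The following is an added example, not code from the article or from any Trinoo analysis, that runs such a check over constructed NetFlow-style records; the addresses, window size and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed NetFlow-style records for this example: (time_s, src_ip, dst_ip, proto, dst_port, packets).
# Addresses come from the RFC 5737 documentation ranges; none of this is real incident data.
FLOWS = (
    # eight daemons flooding one victim with UDP to assorted high ports within a 10 s window
    [(t, f"198.51.100.{d}", "203.0.113.10", "udp", 10000 + 37 * d + t, 40)
     for d in range(1, 9) for t in range(0, 10, 2)]
    # ordinary DNS traffic: three clients, a handful of queries each
    + [(t, f"192.0.2.{c}", "203.0.113.53", "udp", 53, 5) for c in range(1, 4) for t in (1, 4, 7)]
    # busy TCP web server: many sources, but not the UDP flood pattern
    + [(t, f"192.0.2.{c}", "203.0.113.80", "tcp", 80, 30) for c in range(1, 20) for t in (0, 5)]
)


def detect_udp_floods(flows, window_s=10, min_sources=5, min_pps=100.0):
    """Flag destinations that receive UDP from many distinct sources at a high
    aggregate packet rate within one time window: the many-daemons-to-one-victim
    shape of a Trinoo flood. Returns {victim_ip: {"sources": n, "pps": rate}},
    keeping the busiest window per victim. Thresholds are assumed values."""
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0})
    for time_s, src, dst, proto, _dst_port, packets in flows:
        if proto != "udp":
            continue
        key = (dst, time_s // window_s)
        buckets[key]["sources"].add(src)
        buckets[key]["packets"] += packets

    alerts = {}
    for (dst, _window), agg in buckets.items():
        n_sources = len(agg["sources"])
        pps = agg["packets"] / window_s
        if n_sources >= min_sources and pps >= min_pps:
            prev = alerts.get(dst)
            if prev is None or pps > prev["pps"]:
                alerts[dst] = {"sources": n_sources, "pps": pps}
    return alerts


if __name__ == "__main__":
    for victim, info in detect_udp_floods(FLOWS).items():
        print(f"possible UDP flood against {victim}: {info['sources']} sources, {info['pps']:.0f} pkt/s")
```

The DNS server and the TCP web server are not flagged: the former has too few sources and too low a rate, the latter is not UDP at all.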

==See also==

==References==

{{reflist}}