HT: Wintrinoo trojan shows up on PCs

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

....update from Alan Paller at SANS ...

//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\

Gary Flynn of James Madison University has posted substantial additional information about the copies of trinoo-like code found on Windows PCs, described in the NewsBites that you received earlier today.

In a report entitled "Wintrinoo" provided at 3:01 PM EST (02/24/00), Gary noted the following:

1. The number of machines infected was not 160. He reported that he found 149 machines that were listening on port 34555, but that the number of machines actually infected may have been substantially less because of the possibility of false positives.

2. He also reported that he discovered 16 of the computers (all running Windows, and at least 5 running Windows98) "sending out large numbers of UDP packets on random ports."

3. He noted that all 16 machines were infected with the BackOrifice remote control Trojan.

4. After removing BackOrifice from one of the machines, he discovered the computer again participating in a UDP flood. That led to the discovery of a program that was reported to CERT as a possible variant of the trinoo distributed denial of service tool. CERT is analyzing this.

Gary's technical expertise and rapid response are helping the entire community to be better informed. We're sorry that our initial report didn't have the precision that Gary's latest posting has provided. We'll keep you informed as we hear of new developments.

The bottom line: PCs running Windows at universities have been found participating in distributed denial of service attacks. The next step is to ask the virus detection vendors to find and eradicate the flooding programs -- Gary has forwarded the code to them.

//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\//\\

The presence of BackOrifice on the UDP flooding machines makes it pretty clear that BO is still the preferred delivery medium ... but I predict that it won't be long before users are finding these DDoS tools on their own systems ... installed via Windows F&P sharing!

Steve Gibson, Gibson Research Corporation http://grc.com
For latest (free) ZoneAlarm 2.0.xx news: http://grc.com/zonealarm.htm

__________________________________

-- mush (discovery@shields.up), February 25, 2000
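Added illustration, not part of the thread or of Gary Flynn's report: the two indicators described above (a host answering on port 34555, and a host emitting large numbers of UDP packets to random destination ports) can be checked against flow records. The flow-log format, the thresholds and the sample traffic are constructed assumptions; the report itself gives no log format or thresholds, and it warns that a 34555 match alone can be a false positive.

```python
from collections import defaultdict

TRINOO_PORT = 34555           # listener port named in the report
FLOOD_MIN_PACKETS = 100       # assumed thresholds, not from the report
FLOOD_MIN_DISTINCT_PORTS = 50

def parse_flows(text):
    """Parse 'src_ip src_port dst_ip dst_port proto' lines (assumed format)."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue               # skip blank or malformed lines
        src, sport, dst, dport, proto = parts
        flows.append((src, int(sport), dst, int(dport), proto.lower()))
    return flows

def find_trinoo_listeners(flows):
    """Hosts seen replying from UDP/34555. An ephemeral source port can
    collide with 34555, so treat hits as candidates to verify, not proof."""
    return sorted({src for src, sport, _, _, proto in flows
                   if proto == "udp" and sport == TRINOO_PORT})

def find_udp_flooders(flows, min_packets=FLOOD_MIN_PACKETS,
                      min_ports=FLOOD_MIN_DISTINCT_PORTS):
    """Hosts sending many UDP packets spread over many distinct destination
    ports. Requiring port spread keeps a busy DNS client from being flagged."""
    count, ports = defaultdict(int), defaultdict(set)
    for src, _, _, dport, proto in flows:
        if proto != "udp":
            continue
        count[src] += 1
        ports[src].add(dport)
    return sorted(h for h in count
                  if count[h] >= min_packets and len(ports[h]) >= min_ports)

def build_sample():
    """Constructed flow log: one exchange on 34555, one flooding host,
    one benign DNS-heavy host, and ordinary web traffic."""
    lines = ["10.1.2.3 1025 192.0.2.10 34555 udp",
             "192.0.2.10 34555 10.1.2.3 1025 udp",
             "192.0.2.44 1031 198.51.100.7 80 tcp"]
    for i in range(200):   # flood: 200 UDP packets to spread-out ports
        lines.append(f"192.0.2.10 {1024 + i} 203.0.113.9 {(i * 7919) % 65535 + 1} udp")
    for i in range(150):   # benign: many UDP packets, but all to port 53
        lines.append(f"192.0.2.20 {2000 + i} 192.0.2.1 53 udp")
    return "\n".join(lines)
```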

Answers

How many Mac's were found to have those trojans installed on them?

-- checkthestats (buyquality@security.first), February 25, 2000.

Donno but I think maybe the mustard and ketchup combo would confuse it in any case.

-- mush (discovery@shields.up), February 25, 2000.
