This page is no longer maintained and is preserved for archival reference purposes only.
WINTRINOO DDOS Incident Description
During the week of February 13, 2000 unusual network events led to the discovery of approximately sixteen computers sending out large numbers of UDP packets to random ports. All sixteen computers were running Microsoft Windows 98. Further investigation revealed that all the computers were compromised with the Back Orifice remote control trojan. After removing the trojan from one of the machines, the machine was later observed participating in another UDP flood. This led to the discovery of a program running on the machines which is a variant of the trinoo denial of service tool. The program was forwarded to CERT, NIPC, and a variety of anti-virus vendors for analysis. All the computers found were student-owned computers on the student residence network.
Our routers have been configured since 1997 to prevent our computers from forging their source address so any packets leaving our network are easily traced back to us. Judging from log information, the computers were not used in the high profile attacks during the week of February 6.
The appearance of this type of program for the Windows platform was just a matter of time. At one time, careless operation of a "personal" computer could result in accepting a virus that destroyed files on just that machine. Then, with the introduction of remote control trojans, careless operation of a "personal" computer could result in the compromise of all remotely accessible resources. Now, acceptance of unknown files and other risky behavior can lead to the use of a "personal" computer as an attack vehicle against any site on the Internet. The last two scenarios have, in the past, generally been the province of cracked multi-user operating systems such as unix. But today's "personal" computer is no longer the simple standalone machine it once was. The problem is made worse by the proliferation of "always-on" connections. Those innocent screen savers, pictures, and games that we once downloaded with abandon have much more ability to play havoc today.
Detection and Cleanup
Traditionally, unfriendly code on Windows desktops has been handled with anti-virus tools. This case is no different. Privacy Software provided us with a detection update in less than an hour. Norton has an update which is included in the Internet Live Update dated 02/24/00 version 20224a. NAI and many other vendors have also updated their products. JMU users can (and should) download both Privacy Software's BOClean and Norton. Those logging in to our Novell network will have the Norton update installed automatically; no action is necessary. Other users who have already installed Norton can use the LiveUpdate feature to get the latest signature file.
Traditional anti-virus products may not detect or remove a running version of this program unless the real-time protection is enabled and the computer is rebooted. You should test your virus product to see how it operates. Caution should be exercised in using traditional anti-virus tools in a manual scan mode. Some products will report the infected file as deleted without actually deleting it. Also, regardless of whether the file is deleted, the running process is usually still active until the computer is rebooted. Privacy Software's BOClean product works differently and will detect the running process, disable it, remove the file, and remove the startup entry all in real time. The same situation applies for remote control trojans like Back Orifice. This behavior is the result of trojans and wintrinoo being standalone, running processes rather than virus code attached to files. The statements made herein in no way represent an endorsement of any commercial product by James Madison University.
The file name in this particular distribution is called service.exe. It is 23,145 bytes in length. When run, the program installs a copy of itself in the \windows\system directory and creates a registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so it will restart each time the computer is booted. Computers may have at least two copies of the file: the original and the installation copy.
If you're sitting at the machine, you can determine if it is infected by hitting CTRL-ALT-DELETE to bring up the Windows task list. The process you're looking for is called service.exe. Windows NT machines run a services.exe process which is normal and should not be confused with service.exe. The process can be shut down by clicking End Task but will restart unless the associated registry entry is removed. The procedure to remove this entry is the same as that for removing any trojan entry.
Another method of determining if the computer you're sitting at is infected is by typing the MS-DOS command "netstat -an" in an MS-DOS window. This will reveal if the machine is listening on port 34555. Again, the procedure for this examination is identical to that of looking for other trojan ports.
The program listens on UDP port 34555 for trinoo style "png" packets and responds with trinoo style "PONG" packets to UDP port 35555. This activity seemed to precede a UDP flooding incident. Blocking port 34555 seemed to block further incidents. As reported elsewhere, unlike unix trinoo daemons, this program does not send a "hello" packet back to the compiled-in master. Instead, commands to the daemon include a password.
You may be able to reduce risk by blocking incoming packets destined for UDP port 34555. Installing router ACLs that log packets destined for that port will show attempts to use the compromised machines.
I've written a Windows program that will remotely scan for wintrinoo infections. Download wtrinscan. The MD5 checksum is 37e23beda7e7ac1ebd5e984e63ebf532.
A more general scanning tool, called Remote Intrusion Detector (RID), will also detect wintrinoo. It runs on unix platforms.
Symptoms here of an active attack included high router CPU utilization. This may be due to the high number of filters in our routers so I don't know if others will see the same symptom. Network management equipment should be configured to alert on unusually high levels of UDP packets per second. Actually, network management equipment should be configured to alert on unusually high levels of any type of packet (UDP, TCP, ICMP) so other forms of attack or traffic related problems will be detected in a timely manner. We saw increases of several thousand packets per second during an incident. Our incidents typically lasted for only a few minutes and were concentrated in the early morning hours.
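As an added illustration (not code from this page or from JMU), the following Python script applies the network-side checks described above to constructed UDP flow records: it flags packets sent to UDP port 34555 on an internal host, daemon replies from 34555 to port 35555, and any internal host exceeding a packets-per-second threshold, reporting how many distinct destination ports the burst hit. The record format, the "10." internal address prefix and the 1000 pps threshold are assumptions chosen for the example.

```python
import random
from collections import Counter, defaultdict

CTRL_PORT = 34555    # wintrinoo daemon listens here for trinoo-style "png"
REPLY_PORT = 35555   # daemon answers "PONG" to this port on the master

def parse_record(line):
    """Parse a constructed flow line 'SECOND SRC_IP:PORT DST_IP:PORT'."""
    sec, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return int(sec), sip, int(sport), dip, int(dport)

def analyze(lines, internal_prefix="10.", pps_threshold=1000):
    """Return a list of (kind, details...) alerts for the given UDP records."""
    alerts = []
    pkts = Counter()            # (internal src, second) -> packet count
    ports = defaultdict(set)    # (internal src, second) -> distinct dst ports
    for line in lines:
        sec, sip, sport, dip, dport = parse_record(line)
        # Check 1: something is trying to command the daemon port on our host
        if dport == CTRL_PORT and dip.startswith(internal_prefix):
            alerts.append(("control-attempt", sip, dip))
        # Check 2: our host is answering a master on the "PONG" port
        if sport == CTRL_PORT and dport == REPLY_PORT and sip.startswith(internal_prefix):
            alerts.append(("pong-reply", sip, dip))
        # Rate check: UDP packets per second leaving each internal host
        if sip.startswith(internal_prefix):
            pkts[(sip, sec)] += 1
            ports[(sip, sec)].add(dport)
    for (sip, sec), n in sorted(pkts.items()):
        if n >= pps_threshold:
            alerts.append(("udp-flood", sip, sec, n, len(ports[(sip, sec)])))
    return alerts

def build_sample():
    """Constructed records: a master probe, the reply, normal traffic, a flood."""
    rng = random.Random(7)
    lines = ["1 203.0.113.5:40001 10.1.1.20:34555",   # master -> daemon
             "1 10.1.1.20:34555 203.0.113.5:35555",   # daemon -> master
             "2 10.1.1.20:1030 198.51.100.9:53"]      # ordinary DNS lookup
    for _ in range(1500):                              # flood to random ports
        lines.append("3 10.1.1.20:%d 198.51.100.7:%d"
                     % (rng.randint(1024, 65535), rng.randint(1, 65535)))
    return lines

if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(alert)
```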
I loaded the program on Windows NT4, Windows 98, and Windows 95 and in all cases the program ran and opened port 34555. It responded to the client 'png' command on NT SP6 and Windows 98. I haven't reproduced the flooding behavior so I don't know if the program would actually work as a DDOS tool on all platforms but I suspect it would.
On our campus, every known infection of the suspected wintrinoo was accompanied by a Back Orifice infection which may have been the way the program was inserted. This underscores the threat of remote control trojans and their ability to totally compromise any Windows machine.
A search of the executable using the unix strings command revealed text such as: