CERT® Coordination Center

CERT® Incident Note IN-2000-01

Windows Based DDOS Agents

Date: Monday February 28, 2000
Description:

We have received reports indicating intruders are beginning to deploy and use Windows-based denial of service agents to launch distributed denial of service attacks. On February 16th we began receiving reports of a program called "service.exe" that appears to be a Windows version of trinoo. This program listens on UDP port 34555. More details about this tool are available on Gary Flynn's web site at:

http://www.jmu.edu/info-security/engineering/issues/wintrino.htm
We have seen two almost identical versions of the "service.exe" program to date (they vary by 12 bytes but produce the same results for strings(1)). The binaries we have seen have one of the following MD5 checksums:

MD5 (service.exe) = 03fe58987d7dc07e736c13b8bee2e616
MD5 (service.exe) = 1d45f8425ef969eba40091e330921757

In at least one incident, machines running the "service.exe" program were also running Back Orifice. We have also received reports of administrators finding other "remote administration" intruder tools on machines that were running "service.exe".

Note that the tool TFN2K, first released in December 1999, will run on Windows NT. The existence of distributed denial of service tools for Windows platforms is not new; however, we are beginning to receive reports of these tools being installed on compromised systems.

Impact:

Windows machines have been used as intermediaries in various types of denial of service attacks for years. However, the development and deployment of tools that use Windows machines as agents in a distributed denial of service attack represents an overall increase in the threat of denial of service attacks, because the large population of poorly maintained Windows hosts becomes available to attackers as agent platforms.

Solution:

Standard safe computing practices will substantially reduce the chance that intruders can install the service.exe program, or any similar agent, on your machine(s).

  • Don't run programs of unknown origin, regardless of who sent you the program. Likewise, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- it might be a Trojan horse.
  • Before opening any email attachments, be sure you know what the source of the attachment was. It is not enough that the mail originated from an address you recognize. The Melissa virus spread precisely because it originated from a familiar address. Malicious code might be distributed in amusing or enticing programs. If you must open an attachment before you can verify the source, do so in an isolated environment. If you are unsure how to proceed, contact your local technical support organization.
  • Be sure your anti-virus software is, and remains, up-to-date.
  • Some products, such as Microsoft Office, Lotus Notes and others, include the ability to execute code embedded in documents. For any such products you use, disable the automatic execution of code embedded in documents. For example, in Microsoft Word 97, enable the "Macro Virus Protection" feature by choosing Tools->Options->General and selecting the appropriate checkbox. In Lotus Notes 4.6, set a restrictive Execution Control List (ECL) by setting the options found in File->Tools->User Preferences->Security Options to restrict the execution of code to trusted signers. For other products, consult your documentation.
  • Use data-integrity tools. Data-integrity tools use strong cryptography to help you determine which files, if any, may have changed on a system. This may be crucial information to determine the most appropriate response to a security event. The use of these tools requires that they be installed before a security event has taken place.
  • Avoid the use of MIME types that cause interpreters or shells to be invoked.
  • Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. It is often the case that electronic mail programs use the same code that web browsers use to render HTML. Vulnerabilities that affect ActiveX, Java, and JavaScript often are applicable to electronic mail as well as web pages.
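The following script is an added example and is not part of this incident note or of any CERT tool. It combines two of the checks described above: the data-integrity approach from the list (a hashed baseline of a directory tree that is compared later to find added, removed and modified files) and a search for the indicators given in the Description (the two published MD5 checksums and a UDP listener on port 34555 in "netstat -an" output). The baseline uses SHA-256 rather than MD5 because it is the stronger hash; MD5 is used only to match the published sums. The directory layout, file contents and netstat output built by demo() are constructed for illustration and are not real system data.

```python
"""Added example: file-integrity baseline plus IOC checks for the Windows
trinoo agent described in CERT IN-2000-01. Not CERT code; sample data is
constructed."""
import hashlib
import os
import re
import tempfile

# MD5 checksums published in IN-2000-01 for the two service.exe variants.
KNOWN_SERVICE_EXE_MD5 = {
    "03fe58987d7dc07e736c13b8bee2e616",
    "1d45f8425ef969eba40091e330921757",
}
TRINOO_WIN_UDP_PORT = 34555  # port the agent listens on, per the note


def file_digest(path, algorithm="sha256", chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/' separated) to its SHA-256."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def compare_baseline(old, new):
    """Return files added, removed and modified between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def find_known_agents(root):
    """Return paths under root whose MD5 matches a published service.exe sum."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if file_digest(full, "md5") in KNOWN_SERVICE_EXE_MD5:
                hits.append(full)
    return hits


# One "netstat -an" row: protocol, local addr:port, foreign addr, [state].
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+")


def udp_listeners_on(netstat_output, port=TRINOO_WIN_UDP_PORT):
    """Return local addresses bound to the given UDP port in netstat output."""
    found = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_ROW.match(line)
        if m and m.group(1) == "UDP" and int(m.group(3)) == port:
            found.append(m.group(2))
    return found


def demo():
    """Baseline a constructed tree, plant an agent and tamper with a file,
    then re-check. Returns (baseline diff, IOC hits, UDP 34555 listeners)."""
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINNT", "system32")
        os.makedirs(sys32)
        dll = os.path.join(sys32, "kernel32.dll")  # constructed placeholder
        with open(dll, "wb") as f:
            f.write(b"constructed placeholder, not a real DLL")
        before = build_baseline(root)
        # Simulated compromise: an agent is dropped and a system file altered.
        with open(os.path.join(sys32, "service.exe"), "wb") as f:
            f.write(b"constructed placeholder for a dropped binary")
        with open(dll, "ab") as f:
            f.write(b" patched")
        after = build_baseline(root)
        diff = compare_baseline(before, after)
        iocs = find_known_agents(root)  # placeholders do not match real sums
    netstat = (  # constructed "netstat -an" output
        "  Proto  Local Address          Foreign Address        State\n"
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n"
        "  UDP    0.0.0.0:34555          *:*\n"
        "  UDP    127.0.0.1:1028         *:*\n"
    )
    return diff, iocs, udp_listeners_on(netstat)


if __name__ == "__main__":
    print(demo())
```

The baseline must be taken, and stored off the host, before a compromise; a baseline built after the fact only tells you what changes from that point on, which is the caveat the list item above makes. A hash match against the two published sums confirms one of the two known variants, but a non-match proves nothing, since a recompiled or padded agent hashes differently; the listener check on UDP 34555 is an independent signal.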

Author: Jed Pickel


This document is available from: http://www.cert.org/incident_notes/IN-2000-01.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT® Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.