Stacheldraht is a similar tool which consists of a handler and
many agents. It communicates using TCP and ICMP, offers the same
attacks as TFN, and features encrypted sessions between the attacker and
the handlers.
Resolution
Although a distributed denial-of-service tool can be easily eradicated from a
single system, its presence is an indication of a much bigger problem.
The fact that it was installed on one system makes
it likely to be installed on many more systems. The entire network should
be scanned.
Furthermore, the presence of the tool means that the system was probably compromised.
Trinoo, TFN, and stacheldraht are often associated with break-ins resulting from vulnerabilities in Tooltalk, Calendar Manager, amd, statd, sadmind and mountd, but could have been put on the system no matter how the compromise occurred.
An infected system should be taken off the network until all vulnerabilities
have been corrected and the system has been inspected for other backdoors and
hacker trails.
To eradicate trinoo, TFN, or stacheldraht from a single system,
kill the process and delete the executable file from the system. The
processes have the following names by default, but the intruder could
easily have chosen a different name, or could even have hidden the
files and processes using a rootkit.
Trinoo
    Master:    master
    Broadcast: ns
TFN
    Client:    tfn
    Daemon:    td
Stacheldraht
    Handler:   mserv
    Agent:     td
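As an added example (not part of the original FAQ), a POSIX shell function that checks a ps-style listing for the default process names in the table above. It compares the whole command name, so a legitimate "dns" or "nsd" is not reported as trinoo's "ns". The function name and the sample listing are constructed for this example.

```shell
#!/bin/sh
# Default process names from the table above, as tool:role:name.
DDOS_DEFAULT_NAMES="trinoo:master:master
trinoo:broadcast:ns
tfn:client:tfn
tfn:daemon:td
stacheldraht:handler:mserv
stacheldraht:agent:td"

# Read a "pid command" listing (e.g. from ps -eo pid,comm) on stdin and
# print "pid name tool/role" for every command whose name exactly equals
# one of the default names. A name shared by two tools (td) is reported
# once per tool.
find_ddos_procs() {
    while read -r pid comm; do
        case "$pid" in *[!0-9]*) continue ;; esac   # skip header/blank lines
        base=${comm##*/}                              # strip any path prefix
        printf '%s\n' "$DDOS_DEFAULT_NAMES" | while IFS=: read -r tool role name; do
            if [ "$base" = "$name" ]; then
                echo "$pid $base $tool/$role"
            fi
        done
    done
    return 0
}

# Constructed sample listing (not real output from any host).
SAMPLE_PS="PID COMMAND
1 init
314 sshd
402 dns
517 td
1203 mserv
1450 nsd"

# Run the check over the constructed sample.
find_ddos_procs_sample() {
    printf '%s\n' "$SAMPLE_PS" | find_ddos_procs
}
```

On a live host, pipe a real listing such as `ps -eo pid,comm` into find_ddos_procs. An empty result does not prove the host is clean: as the text notes, the intruder may have renamed the files or hidden them with a rootkit.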
Where can I read more about this?
More information about trinoo and TFN can be found in the X-Force Alert and in CERT Incident Note 99-07. Developments in the area of distributed denial-of-service tools are reported in CERT Advisories 99-17 and 2000-01. For detailed technical information, see David Dittrich's papers on trinoo, TFN, and stacheldraht,