Hacker Tool Targets Linux

Information technology managers said they're on guard against a new distributed denial-of-service attack tool called Trinity that preys on Linux servers and uses Internet Relay Chat channels to unleash IP packet floods on targeted host machines.

Like other distributed denial-of-service tools, such as Tribal Flood Network and Trin00, which were used in February in attacks on Web sites owned by eBay Inc., ETrade Group Inc., CNN and Yahoo Inc., Trinity must first be covertly installed on a compromised server. The server is then remotely controlled, together with a network of other compromised computers, to launch a packet flood against targeted machines.

Unlike previous attacks targeting Windows servers, Trinity uses Linux computers.

But analysts said the Trinity tool is more sophisticated because it lets attackers control the hacked machines through IRC channels or America Online Inc.'s ICQ chat service.

Matt Fahrner, who is manager of the network development group at Burlington Coat Factory Warehouse Corp. in Burlington, N.J., said his company doesn't allow IRC traffic through its firewall. But, he said, it's always on the alert for unneeded or default services that could pose a potential security risk.

"You are better [off] turning on services as you need them. Don't configure anything you don't need on Linux boxes, and don't let anything through the firewall that you don't need," said Fahrner, whose firm runs more than 1,000 Linux PCs and servers.

"The best way to deal with this in the short haul is to look for IRC traffic on outbound and make sure there is no connection to IRC chat sites so they can't initiate an attack even if they have compromised you," he said.

The incident-reporting portion of San Mateo-based's Web site has revealed that Undernet IRC operators have dissolved several chat rooms found to have been in active contact with infected hosts.

According to Chris Rouland, director of Atlanta-based Internet Security Systems Inc.'s SWAT team, the X-Force, at least 400 Linux computers - with IP addresses indicating they may be located mainly in the U.S., Romania and Australia - have already been compromised by several versions of Trinity.

Rouland said the Trinity attacks illustrate a larger concern about open-source operating systems such as Linux, which are highly available but can end up in the hands of inexperienced administrators who are unqualified to install and run them. He said it's only a matter of time before Trinity is revised to attack other platforms.

Internet Security Systems first learned of the Trinity distributed denial-of-service attack tool when it was recently brought to the attention of the Forum of Incident Response and Security Teams, an umbrella organization for security notification groups, by an unnamed educational institution that found some infected computers on its campus.

Kevin Schmidt, a campus network programmer at the University of California at Santa Barbara (UCSB), said attackers can hide their identities by relaying IRC traffic through compromised machines.

Schmidt said UCSB is defending against Trinity by scanning its network to detect new Linux operating system installations and to determine which ports are used on the machine for new services that could present a risk.

Schmidt said systems connecting to IRC channels without reason should raise red flags for IT managers.