December 12, 2000, 1:21 PM — Viruses are nothing new; they've been a serious problem for Windows users for many
years. But this February was marked by the appearance of a new virus that installs the
attack daemons, or zombies, used in distributed denial of service (DoS) attacks.
The new virus implements
four known distributed DoS zombies. trinoo listens
for commands from a master server, then sends floods of User Datagram Protocol (UDP)
packets at a victim. Receiving such floods of data from a single Windows system is not
too troublesome, but these attacks involve dozens or even hundreds of zombies.
The virus version of trinoo can be spread just by
opening email or email attachments, or by downloading and executing code from
questionable sources. Vendors were quick to respond with updates to their
virus-scanning signatures.
McAfee,
Trend Micro, and
Symantec all announced new
signatures within days of the discovery.
The earlier distributed DoS attacks used Linux and Unix systems as hosts. Since
there are so many Windows clients, and Windows is particularly vulnerable to viruses,
the exploitation of Windows machines by hackers in this way means that the potential
for more devastating attacks has emerged.
If you have antivirus software, make sure you download a recent update with the
latest virus signatures. If you don't use current antivirus software, consider getting
some. In the meantime, be on the lookout for unusual behavior, such as a sudden
increase in network activity, which could be caused by the daemon launching an attack.
If you see a sudden increase in traffic, disconnect your system from the network or
the Internet until you can find and remove the daemon. According to
the Razor group at Bindview
Development, which makes a utility called
Zombie Zapper,
the trinoo trojan calls itself
two steps: First, using a registry editor, edit the key service.exe. Then locate the file
on your hard drive and delete it as well (but not
