DiamondCS Win.Trinoo Server Sniper
==================================

Copyright (C) 2000, Diamond Computer Systems Pty. Ltd.
Put yourself in control with DiamondCS
http://www.diamondcs.com.au


January, 2000 - Headlines in the Technology sections of the world's newspapers
came alive with "Distributed Terror on the Internet" as a new breed of trojan
began causing havoc. These trojans, known as Distributed Denial-of-Service Remote Access
Trojans (DDoS.RAT), allow a hacker with a single "master" computer to rapidly send
commands to his infected "slave" machines, which in turn process these commands and
act accordingly. This results in dozens, sometimes hundreds, of machines all being
used to attack a single target, often drowning it in amounts of data so massive
that its systems lock up as they are fully consumed - a la Denial-of-Service.
Distributed Denial-of-Service attacks are significantly harder to combat, and some
of the biggest networks on the planet fell victim to this form of attack this month.
Some sites, including Yahoo.com's Internet Service Provider, recorded traffic in excess
of 1 gigabyte per second. There are not many systems around that can handle this load.

At the time of this writing, three such trojans are known to exist - Tribe Flood Network (TFN),
Trinoo, and Stacheldraht (German for "Barbed Wire"). All three run on Unix systems,
and take advantage of the IP address spoofing ability that Unix gives them (making
it even harder for the victim to tell where the packets are really coming from). In 
February, Trinoo was ported to Windows, and Diamond Computer Systems jumped on it.

The DiamondCS Win.Trinoo Server Sniper is the first scanner in the world released
to combat the Windows Trinoo threat. It can both ping (test for existence) and kill
(remove) the Win.Trinoo trojan server remotely. As the Trinoo trojan uses the UDP
transport protocol, the Trinoo Server Sniper is a high-speed scanner, which can scan
entire subnets (254 machines) in around 4 seconds.


Questions, problems, suggestions:
 support@diamondcs.com.au


Many thanks to Scott Blake of BindView Corp. (www.bindview.com) for the early submission
of the Win.Trinoo trojan server to our testing lab, which made the development of this utility possible.