--
Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS
Trin00\:Attacker to Master default startup password";flags: A+;
content:"betaalmostdone"; reference:arachnids,197;
classtype:attempted-dos; sid:233; rev:1;) 

--
Sid:
233

--
Summary:
The default password ("betaalmostdone") for the trin00 master daemon
was detected in traffic destined for the default port of the trin00 DDoS suite.

--
Impact:
System Compromise and/or Denial of Service.

--
Detailed Information:
Trin00 is a Distributed Denial of Service tool suite that uses a client/server 
architecture.  The first step towards using Trin00 is to create a master daemon.  
The master daemon is used to control the army of trin00 clients.  To give the 
attacker a sense of security, the master daemon requires a password before commands 
may be executed.  The default password for the most recent release is
"betaalmostdone".

--
Attack Scenarios:
As part of a large scale attack against a machine or a network, an
attacker will compromise large numbers of machines which will form the
army that the trin00 master daemon will command.  The master daemon
typically instructs the clients to send a considerable amount of packets to
a set of victim hosts.  If the traffic is sufficient, the victim
machines will become resource deprived.

--
Ease of Attack:
Medium.  Use of this tool requires a compromised system from which to
to run (unless you choose to just run it on your own machine).  Once a
machine has been comprimsed, all that is required to become part of
the trin00 network are proper permissions and a network connection.

--
False Positives:
Rare.  The authentication for the master daemon is fairly simple.
This, in addition to the fact that communication on a high port like
this is not very common, makes this rule fairly tight.

--
False Negatives:
Fairly common.  Since one of the ideas behind the password was to
prevent "owned" machines from being "re-owned", a common practice was
to change the default password.

--
Corrective Action:
Disconnect your machine(s) from the network immediately.  Attempt to
determine if your machine was being used as part of a trin00 network.
This may be difficult, given that the system has likely been
compromised and had a root kit installed.   

--
Contributors:
Warchild <warchild@spoofed.org>	Initial Research
Josh Gray	Edits

-- 
Additional References:
http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
http://staff.washington.edu/dittrich/misc/ddos/
http://www.sans.org/newlook/resources/IDFAQ/trinoo.htm
