eWeek: New DDoS attack targets chat, Linux machines

“A new distributed denial of service tool has been discovered in
the wild and is spreading, according to Internet Security Systems
Inc.’s X-Force service. Reports of up to 400 hosts running the
“Trinity v3” agent have been reported, including 50 compromised IRC
(Internet Relay Chat) hosts, said Chris Rouland, director of
X-Force. Rouland said no high-profile commerce sites have been
reported down yet, but “one or two” universities have been

“Using chat for attacks is a trend; chat in general is
Internet-risky behavior,” Rouland said. “It’s fairly anonymous for
an attacker to go onto a chat system and launch attacks, and anyone
who can access this new chat room that Trinity v3 creates can
launch further attacks.”

“Trinity v3 so far has been seen on Linux machines. The
binary code is installed on a Linux server at /usr/lib/idle.so.
When idle.so is launched, it connects to one of 11 Undernet IRC
servers and sets a nickname for itself (which combines the first
six letters of the host with three random digits).
The code then joins the chat room #b3eblebr0x. Once there, the code waits
for commands to attack either individual Trinity agents or to
attack all agents on the channel.”
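
A detection sketch for the indicators described above. This is an added example, not code from eWeek or ISS. It assumes an IRC log of raw JOIN lines in the form ":nick!user@host JOIN #channel", reads "first six letters of the host" as the first six characters of the hostname, and uses constructed sample lines.

```python
import re
from pathlib import Path

TRINITY_CHANNEL = "#b3eblebr0x"     # channel named in the article
TRINITY_BINARY = "usr/lib/idle.so"  # install path named in the article

# Assumed log format: raw IRC JOIN lines, ":nick!user@host JOIN #channel"
JOIN_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+JOIN\s+:?(?P<chan>\S+)",
    re.IGNORECASE,
)

def nick_matches_host(nick, host):
    """Nick is the first six characters of the host plus three digits
    (assumed reading of the article's description)."""
    stem, digits = nick[:-3], nick[-3:]
    if not stem or not re.fullmatch(r"[0-9]{3}", digits):
        return False
    return stem.lower() == host[:6].lower()

def scan(lines):
    """Return (nick, host, reasons) for each JOIN showing a Trinity v3 trait."""
    findings = []
    for line in lines:
        m = JOIN_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["chan"].lower() == TRINITY_CHANNEL:  # IRC channel names ignore case
            reasons.append("channel")
        if nick_matches_host(m["nick"], m["host"]):
            reasons.append("nick")
        if reasons:
            findings.append((m["nick"], m["host"], reasons))
    return findings

def agent_binary_present(root="/"):
    """Check a live or mounted filesystem for the agent's install path."""
    return (Path(root) / TRINITY_BINARY).is_file()

# Constructed sample log lines (not real traffic)
SAMPLE = [
    ":webser482!user@webserver1.example.edu JOIN #b3eblebr0x",
    ":alice!alice@dialup.example.net JOIN #linux",
    ":mailho007!x@mailhost.example.org JOIN :#B3EBLEBR0X",
    ":bob123!bob@cable.example.com JOIN #b3eblebr0x",
]
```

A JOIN that matches on both the channel and the nickname pattern is the stronger signal; a channel-only match may be a person who joined the channel rather than an agent.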
