Corrections to San Diego Union Tribune article
- There were over 100 Sun Solaris systems compromised at the UW
in August that are believed to be associated with trinoo/TFN
activity, but only 27 were still under the attacker's control
and were used in the attack on the University of Minnesota in
August (the rest had already been found, taken off the network,
and cleaned up).
- The "problem" with determining who is the "victim" and who is
the "attacker" comes from distributed denial of service attacks
being two-phase attacks. It all depends on how you look at it:
- A large number of systems are first compromised to be
used as handlers and agents in a distributed network.
These are "victims" of remote root compromise, by an
"attacker" who breaks in to them. The ease
of compromising thousands of systems is the fundamental
problem with distributed attacks.
- Once a distributed DoS network has been set up, it is used
to attack one or more sites who are now "victims" of the
denial of service, and see the previously compromised
systems as the "attackers".
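The two-phase structure above can be recovered from traffic alone, which is what makes the "victim"/"attacker" labelling ambiguous. The following is an added example (not code from this page or from the trinoo/TFN analyses) that classifies hosts in a set of constructed flow records into the roles the text names: the real attacker, the handlers, the agents, and the flooded site. The record format, the thresholds, the addresses and the port numbers are all assumptions made for illustration; roles are inferred from fan-out of low-volume control traffic and fan-in of high-volume flood traffic, not from port numbers.

```python
from collections import defaultdict

# Assumed thresholds for this example (tune to the network being watched).
FLOOD_PACKETS = 10_000       # a single flow at or above this is treated as flood traffic
MIN_FLOOD_SOURCES = 3        # distinct flood sources needed to call a destination a DoS victim
MIN_AGENTS_PER_HANDLER = 2   # distinct agents a host must command to be called a handler

# Constructed sample flows: (src, dst, proto, dst_port, packets).
# Addresses are from documentation ranges; port numbers are illustrative placeholders.
SAMPLE_FLOWS = [
    # attacker's control session to the handler (phase one: handler is a victim of intrusion)
    ("10.9.9.9", "192.0.2.10", "tcp", 27665, 40),
    # handler issuing commands to three agents (phase one: agents are victims of intrusion)
    ("192.0.2.10", "198.51.100.1", "udp", 27444, 3),
    ("192.0.2.10", "198.51.100.2", "udp", 27444, 3),
    ("192.0.2.10", "198.51.100.3", "udp", 27444, 3),
    # agents flooding the target (phase two: the target sees the agents as attackers)
    ("198.51.100.1", "203.0.113.5", "udp", 53, 90_000),
    ("198.51.100.2", "203.0.113.5", "udp", 53, 85_000),
    ("198.51.100.3", "203.0.113.5", "udp", 53, 92_000),
    # unrelated background traffic that must not be misclassified
    ("192.0.2.77", "203.0.113.5", "tcp", 80, 120),
    ("198.51.100.1", "192.0.2.53", "udp", 53, 15),
]


def classify_roles(flows):
    """Infer DDoS roles from flow records. Returns a dict of role -> set of hosts."""
    packets = defaultdict(int)  # (src, dst) -> total packets between the pair
    for src, dst, _proto, _port, n in flows:
        packets[(src, dst)] += n

    # Phase two: flood traffic fans in on the DoS victim from many sources.
    flood_sources = defaultdict(set)  # dst -> sources sending flood-volume traffic
    for (src, dst), n in packets.items():
        if n >= FLOOD_PACKETS:
            flood_sources[dst].add(src)
    victims = {d for d, s in flood_sources.items() if len(s) >= MIN_FLOOD_SOURCES}
    agents = set().union(*(flood_sources[v] for v in victims))

    # Phase one: low-volume control traffic fans out from handlers to agents,
    # and from the attacker to the handlers.
    control_peers = defaultdict(set)  # src -> low-volume destinations it talks to
    for (src, dst), n in packets.items():
        if n < FLOOD_PACKETS:
            control_peers[src].add(dst)
    handlers = {h for h, peers in control_peers.items()
                if len(peers & agents) >= MIN_AGENTS_PER_HANDLER}
    attackers = {a for a, peers in control_peers.items()
                 if peers & handlers and a not in handlers | agents}

    return {"attackers": attackers, "handlers": handlers,
            "agents": agents, "victims": victims}


def phase_one_victims(roles):
    """Hosts whose remote root compromise built the network: handlers and agents."""
    return roles["handlers"] | roles["agents"]


def phase_two_attackers(roles):
    """What the flooded site sees as its attackers: the agents, never the real attacker."""
    return roles["agents"]


if __name__ == "__main__":
    roles = classify_roles(SAMPLE_FLOWS)
    for role, hosts in roles.items():
        print(f"{role:10s} {sorted(hosts)}")
    print("seen as attackers by the flooded site:", sorted(phase_two_attackers(roles)))
    print("themselves victims of root compromise:", sorted(phase_one_victims(roles)))
```

The point of the last two functions is the one the text makes: every host the flooded site would report as an "attacker" is itself a first-phase victim, and the host that actually drove the attack never appears in the flood traffic at all. The flow-shape heuristic is deliberately simple and will misclassify, for example, a busy mail relay with many low-volume peers if it also happens to be an agent; in practice the control-traffic side is confirmed on the suspect hosts themselves.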
- The trinoo and TFN programs themselves only make efforts
to conceal communication between the attackers, the handler
systems, and the agent systems. On the computers that are
running the handlers and agents, standard "root kits" are
used to conceal the attackers' login sessions, running
programs, files, and network connections from the
administrators of the systems. This is just another part of
the initial intrusions that set up the distributed network
and doesn't have anything directly to do with trinoo or TFN.
Dave Dittrich <dittrich@cac.washington.edu>
Last modified: Fri Dec 24 13:36:43 1999