How They Talk
Trinoo: attacker uses TCP; masters and daemons use UDP; password authentication.
TFN: attacker uses shell to invoke master; masters and daemons use ICMP ECHO REPLY.
Stacheldraht: attacker uses encrypted TCP connection to master; masters and daemons use TCP and ICMP ECHO REPLY; rcp used for auto-update.
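
A detection sketch for the ICMP echo-reply channel listed above for TFN and Stacheldraht, added here as an example and not taken from the original slides or from any of these tools: it flags echo replies that answer no echo request. The record layout, the 5-second matching window and the sample addresses are assumptions made for the illustration.

```python
from collections import namedtuple

# Assumed minimal record: time (s), source, destination, ICMP type, echo id, echo seq.
Icmp = namedtuple("Icmp", "ts src dst type ident seq")

ECHO_REQUEST, ECHO_REPLY = 8, 0
WINDOW = 5.0  # assumed: seconds a request stays eligible to be answered

def unsolicited_replies(packets, window=WINDOW):
    """Return echo replies that answer no echo request seen within `window` seconds."""
    pending = {}   # (requester, responder, ident, seq) -> time the request was seen
    flagged = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.type == ECHO_REQUEST:
            pending[(p.src, p.dst, p.ident, p.seq)] = p.ts
        elif p.type == ECHO_REPLY:
            # A genuine reply travels back from responder to requester,
            # and each request is consumed by at most one reply.
            sent = pending.pop((p.dst, p.src, p.ident, p.seq), None)
            if sent is None or p.ts - sent > window:
                flagged.append(p)
    return flagged

def talkers(flagged):
    """Count unsolicited replies per (src, dst) pair, busiest first."""
    counts = {}
    for p in flagged:
        counts[(p.src, p.dst)] = counts.get((p.src, p.dst), 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Icmp(0.0, "192.0.2.10", "198.51.100.7", ECHO_REQUEST, 0x1A2B, 1),
    Icmp(0.1, "198.51.100.7", "192.0.2.10", ECHO_REPLY, 0x1A2B, 1),  # normal ping
    Icmp(2.0, "203.0.113.5", "192.0.2.44", ECHO_REPLY, 0x0001, 0),   # no request
    Icmp(2.5, "203.0.113.5", "192.0.2.44", ECHO_REPLY, 0x0002, 0),   # no request
    Icmp(3.0, "192.0.2.44", "203.0.113.5", ECHO_REPLY, 0x0003, 0),   # no request
    Icmp(9.0, "198.51.100.7", "192.0.2.10", ECHO_REPLY, 0x1A2B, 1),  # repeat of an answered ping
]

if __name__ == "__main__":
    for pair, n in talkers(unsolicited_replies(SAMPLE)):
        print(pair, n)
```

A sensor that sees only one direction of the traffic will report legitimate replies as unsolicited, so the check belongs at a point that observes both directions.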