Educause Security Discussion mailing list archives
Detecting DoomJuice Worm on Your Network
From: Brian Eckman <eckman () UMN EDU>
Date: Mon, 9 Feb 2004 16:08:45 -0600
All,

In case you were looking for a way to detect DoomJuice-infected hosts on your network, hopefully this saves you a few minutes... It is most certainly in the wild. We have seen several hosts on campus get infected with it.

KEY FACTS
---------
TCP Window size == 8760
Destination port == 3127/tcp

TCPDUMP
-------
(assumes sniffing interface is eth0 - modify as necessary)

tcpdump -n -i eth0 -S 'tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2'

or, better yet:

tcpdump -n -i eth0 -S 'tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2 and (src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx)'

(and just put in your networks as src net)

and, perhaps the best (create an executable file, modify path and networks and interface. Make sure the entire foreach statement - everything before echo $i - is all on one line):

#!/usr/bin/tcsh
# Grab 200 packets matching the DoomJuice signature from our own networks,
# count them per source address, and print only the sources that sent
# more than 10 of them.
# awk '{ print $2 }' takes the src.port field of this tcpdump's output;
# newer tcpdump versions print "IP" as the second field, so use $3 there.
foreach i ( `tcpdump -n -i eth0 -c 200 '( src net xxx.xxx.xxx.xxx/xxx or src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx ) and tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2' | awk '{ print $2 }' | cut -d '.' -f '1-4' | sort -r | uniq -c | sort -nr | awk '{ if ( $1 > 10 ) print $2 }'` )
    echo $i
end
exit 0

(grab 200 packets that match that criteria, show me only those that sent more than 10 of those packets, sort them by IP, etc.)

NOTE: If you want to catch this in Snort, make sure only to alert on each 5,000 or so packets!

URLs
http://www.lurhq.com/mydoom-c.html
http://www.sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002
http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who understand binary and those who don't."
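The same signature the tcpdump filter and tcsh script above match (SYN-only flags, i.e. tcp[13] = 2, destination port 3127, TCP window 8760) applied offline to raw IPv4/TCP packet bytes, with the per-source "more than 10 hits" threshold from the script. This is an added example, not code from the original post; the packets it checks are constructed in the block, and the byte offsets it reads are the same ones the BPF expressions reference.

```python
"""Offline DoomJuice SYN detector (added example; sample packets are constructed).
Signature: TCP flags == 0x02 (SYN only), dst port 3127, window 8760."""
import socket
import struct
from collections import Counter

def build_packet(src, dst, sport, dport, flags, window):
    """Construct a minimal IPv4+TCP header pair (checksums zeroed; test data only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    return ip_hdr + tcp_hdr

def is_doomjuice_syn(pkt):
    """True if pkt (IPv4 header + TCP header, no link layer) matches the signature."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:        # not IPv4 / truncated
        return False
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:         # not TCP / truncated TCP header
        return False
    tcp = pkt[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]       # 'dst port 3127'
    flags = tcp[13]                                 # 'tcp[13] = 2'  -> SYN only
    window = struct.unpack("!H", tcp[14:16])[0]    # 'tcp[14:2] = 8760'
    return dport == 3127 and flags == 0x02 and window == 8760

def suspect_sources(packets, threshold=10):
    """Count matching SYNs per source IP; return sources that sent more than threshold."""
    hits = Counter()
    for pkt in packets:
        if is_doomjuice_syn(pkt):
            hits[socket.inet_ntoa(pkt[12:16])] += 1
    return sorted(src for src, n in hits.items() if n > threshold)

# Constructed sample traffic: one scanning host, one host with a few hits,
# one host with the wrong window, one host with the wrong destination port.
SAMPLE = (
    [build_packet("10.0.0.5", "10.0.1.%d" % i, 1024 + i, 3127, 0x02, 8760) for i in range(12)]
    + [build_packet("10.0.0.6", "10.0.1.1", 2000, 3127, 0x02, 8760)] * 3
    + [build_packet("10.0.0.7", "10.0.1.1", 2001, 3127, 0x02, 65535)] * 20
    + [build_packet("10.0.0.8", "10.0.1.1", 2002, 80, 0x02, 8760)] * 20
)

if __name__ == "__main__":
    print(suspect_sources(SAMPLE))  # ['10.0.0.5']
```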