Educause Security Discussion mailing list archives

Detecting DoomJuice Worm on Your Network


From: Brian Eckman <eckman () UMN EDU>
Date: Mon, 9 Feb 2004 16:08:45 -0600

All,

In case you were looking for a way to detect DoomJuice-infected hosts on
your network, hopefully this saves you a few minutes...

It is most certainly in the wild. We have seen several hosts on campus
get infected with it.

KEY FACTS
---------
TCP Window size == 8760
Destination port == 3127/tcp

TCPDUMP
-------
(assumes sniffing interface is eth0 - modify as necessary)
tcpdump -n -i eth0 -S 'tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2'

or, better yet:

tcpdump -n -i eth0 -S 'tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2 and (src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx)'


(and just put in your networks as src net)

and, perhaps the best (create an executable file, modify path and
networks and interface. Make sure the entire foreach statement -
everything before echo $i - is all on one line):

#!/usr/bin/tcsh

# Capture 200 matching SYNs, keep the source IP ($2 with -n is src.port; cut drops the port),
# count per source, and print only sources seen more than 10 times.
foreach i ( `tcpdump -n -i eth0 -c 200 '( src net xxx.xxx.xxx.xxx/xxx or src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx ) and tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2' | awk '{ print $2 }' | cut -d '.' -f '1-4' | sort -r | uniq -c | sort -nr | awk '{ if ( $1 > 10 ) print $2 }'` )
    echo $i
end

exit 0


(grab 200 packets that match that criteria, show me only those that sent
more than 10 of those packets, sort them by IP, etc.)

NOTE: If you want to catch this in Snort, make sure only to alert on
each 5,000 or so packets!


URLs
http://www.lurhq.com/mydoom-c.html
http://www.sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002
http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
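
The same SYN signature (dst port 3127, window 8760, bare SYN) and the same "more than 10 packets per source" pipeline, restated as an added example that is not part of Brian's post. It spells out what the BPF offsets tcp[14:2] and tcp[13] refer to and replays the awk/cut/sort/uniq counting over tcpdump -n text; all headers and log lines are constructed sample data, and the threshold excludes a source seen exactly 10 times, as the awk `$1 > 10` test does.

```python
import re
import struct
from collections import Counter

DOOMJUICE_PORT = 3127
DOOMJUICE_WINDOW = 8760
TH_SYN = 0x02  # flags byte of a bare SYN, i.e. tcp[13] = 2


def matches_signature(tcp_header: bytes) -> bool:
    """Python equivalent of 'dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2'
    applied to a raw TCP header (20 bytes or more)."""
    if len(tcp_header) < 20:
        return False
    dst_port = struct.unpack("!H", tcp_header[2:4])[0]     # tcp[2:2]
    flags = tcp_header[13]                                  # tcp[13]
    window = struct.unpack("!H", tcp_header[14:16])[0]     # tcp[14:2]
    return dst_port == DOOMJUICE_PORT and flags == TH_SYN and window == DOOMJUICE_WINDOW


def build_syn(dst_port, window, flags=TH_SYN, src_port=1024):
    """Constructed 20-byte TCP header: ports, seq, ack, offset byte, flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, flags, window, 0, 0)


# Constructed tcpdump -n lines: "<ts> [IP ]<src>.<sport> > <dst>.<dport>: S <seq>(0) win <n> ..."
LINE_RE = re.compile(
    r"^\S+ (?:IP )?(\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.(\d+): S .* win (\d+)")


def noisy_sources(lines, threshold=10):
    """Source IPs with more than `threshold` matching SYNs, busiest first
    (the awk '{ print $2 }' | cut | sort | uniq -c | awk '$1 > 10' steps)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m.group(2)) == DOOMJUICE_PORT and int(m.group(3)) == DOOMJUICE_WINDOW:
            counts[m.group(1)] += 1
    return [ip for ip, n in counts.most_common() if n > threshold]


# Constructed sample capture: 12 hits from .3, exactly 10 from .4, one non-matching window from .5.
SAMPLE_LINES = (
    ["16:08:45.000001 10.1.2.3.1025 > 192.0.2.%d.3127: S 1:1(0) win 8760 <mss 1460>" % i for i in range(12)]
    + ["16:08:46.000001 10.1.2.4.1025 > 192.0.2.%d.3127: S 1:1(0) win 8760 <mss 1460>" % i for i in range(10)]
    + ["16:08:47.000001 10.1.2.5.2048 > 192.0.2.9.3127: S 1:1(0) win 65535 <mss 1460>"]
)

if __name__ == "__main__":
    print(noisy_sources(SAMPLE_LINES))  # ['10.1.2.3']
```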
