[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?

Al Reust areust at comcast.net
Tue Feb 10 00:47:41 GMT 2004

This is interesting.

Thursday, I saw a slight increase from 5 Snort sensors (different DMZs) 
with Scan Proxy (1080) and Scan Squid Proxy (3128). Same IPs for both 
ports. So as this piqued my interest, when I looked it showed no payloads. 
This I presumed was due to the "lack" of MyDoom "NOT" being present. It 
was a scan to see who would respond. Those scans (IPs) were then added to 
the ACLs (reject). As I looked this morning there was an increase in 
traffic from new IPs.

The source port seemed to be a random TCP port and the destination TCP port was 
targeted to 3128 or 1080; the packets appear identical.

I hate word wrap but here goes.

<Quote from Snort>

Meta
  ID #                 1 - 44077
  Time                 2/9/2004 4:46
  Triggered Signature  [snort] SCAN Squid Proxy
  Sensor name          MERIDIAN:DevicePacket (trimmed)
  Interface            DevicePacket (trimmed)
  Filter               none
  Alert                none

IP
  source addr  xxx.xxx.xxx.xxx
  dest addr
  Ver          4
  Hdr Len      5
  TOS          0
  length       52
  ID           40273
  flags        0
  offset       0
  TTL          115
  chksum       18521
  FQDN         Source Name: p50803625.dip.t-dialin.net    Dest.: Unable to resolve
  Options      none

TCP
  source port  2221
  dest port    3128
  flags        R1 -  R0 -  URG -  ACK -  PSH -  RST -  SYN X  FIN -
  seq #        3750972217
  ack          0
  offset       8
  res          0
  window       32767
  urp          0
  chksum       36193
  Options      #    code    length  data
               #1   MSS     2       05A0
               #2   NOP     0
               #3   WS      1       0
               #4   NOP     0
               #5   NOP     0
               #6   SACKOK  0

<End Quote>

At 07:46 PM 2/9/2004 +0100, you wrote:
>I've observed a rapid increase in 3127/tcp scans from seemingly
>random IP's. They're sequentially scanning our IP's, bottom-up.
>These seem to match Kaspersky's Doomjuice (published ~ 2 hours ago):
>Details, incl. address generation algorithm:
>Supposedly it also causes a DDoS against Microsoft.
>Note that this one seems to differ from Symantec's Deadhat:
>According to Symantec's description, Deadhat scans 3127/tcp, 3128/tcp
>and 1080/tcp (I've seen one or two of those).
>Erik van Straten

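As an added defender-side example, not part of the original thread, the following Python picks out sources that SYN-probe the ports discussed above (3127, 3128, 1080) against several hosts in ascending address order, the bottom-up pattern Erik describes, and turns them into candidate reject entries. The flow records and the ACL line format are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Ports the thread associates with the scanners: 3127 (MyDoom backdoor,
# probed by Doomjuice), 3128 (Squid proxy) and 1080 (SOCKS proxy).
SCAN_PORTS = {3127, 3128, 1080}

# Constructed sample SYN records: (src_ip, src_port, dst_ip, dst_port, flags).
SAMPLE_FLOWS = [
    ("203.0.113.7", 2221, "198.51.100.1", 3128, "S"),
    ("203.0.113.7", 2222, "198.51.100.2", 3128, "S"),
    ("203.0.113.7", 2223, "198.51.100.3", 3127, "S"),
    ("203.0.113.7", 2224, "198.51.100.4", 1080, "S"),
    ("203.0.113.9", 40000, "198.51.100.10", 80, "S"),   # ordinary web traffic
    ("203.0.113.9", 40001, "198.51.100.10", 443, "S"),
    ("203.0.113.11", 1500, "198.51.100.5", 3127, "S"),  # a single probe only
]


def find_sequential_scanners(flows, min_targets=3):
    """Return {src_ip: sorted list of probed hosts} for sources that sent SYNs
    to the scan ports against at least `min_targets` distinct hosts, walking
    the target address space upward (bottom-up)."""
    targets = defaultdict(list)
    for src, _sport, dst, dport, flags in flows:
        if flags == "S" and dport in SCAN_PORTS:
            targets[src].append(ipaddress.ip_address(dst))
    scanners = {}
    for src, dsts in targets.items():
        distinct = sorted(set(dsts))
        if len(distinct) < min_targets:
            continue
        # bottom-up: the observed destination order never decreases
        ascending = all(a <= b for a, b in zip(dsts, dsts[1:]))
        if ascending:
            scanners[src] = [str(d) for d in distinct]
    return scanners


def acl_reject_lines(scanners):
    """Render candidate reject entries (hypothetical generic ACL syntax)."""
    return [f"deny tcp host {src} any" for src in sorted(scanners)]


if __name__ == "__main__":
    found = find_sequential_scanners(SAMPLE_FLOWS)
    for src, hosts in found.items():
        print(f"{src} probed {len(hosts)} hosts: {hosts[0]} .. {hosts[-1]}")
    print("\n".join(acl_reject_lines(found)))
```

The sequential check only catches the bottom-up sweep; a host that hits the same three ports on random targets still shows up in `targets` and can be reported separately.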