[Dshield] DoomJuice traffic analysis

Pete Cap peteoutside at yahoo.com
Wed Feb 11 18:12:18 GMT 2004

I've been monitoring the networks for which I am responsible for DoomJuice activity.
If I understand it correctly, DoomJuice.A and .B both generate IP addresses to scan in the same way.  If the format is a.b.c.d then a is chosen from a large list; b and c are selected randomly; and then the worm "walks" d sequentially, looking for open port 3127 (among other ports).
So, what I should see is x.x.x.0, x.x.x.1, x.x.x.2,...,x.x.x.254 (it skips .255), correct?
Oddly enough, this isn't what I'm seeing, rather, more along the lines of x.x.1.x, x.x.2.x, x.x.3.x, etc.  All in all, most of the netspace (x.x.0.0 -> x.x.255.255) is being probed but from multivariate sources.  It wouldn't make sense to spoof the IP address if the worm is looking for replies, would it?

Second, if a network were being walked, then you'd expect a resulting histogram to be flat, right?  Well, even if there were noise, you definately wouldn't see any IPs which were not probed--but I am seeing a few (x.x.x.2, x.x.x.8, whatever) which were untouched in the past 24 hours.  All in all we got about 10,000 hits so this rather stands out.
I seem to recall that MyDoom wouldn't send itself to certain domains (e.g. none of the antivirus types, no .edu, etc.).  Are DoomJuice/Deadhat savvy enough to avoid those domains as well?
Also...what are the retransmission rates for these bugs?
Do they scan sequentially every second?  Every .10 seconds?  Would they wait a day or so to come back to an IP address?  Does anyone know?
For the moment I'm ready to tell my bosses that it is unlikely that we're seeing any DoomJuice/DeadHat activity despite the fact that we're seeing lots of scanning activity on 3127.  But this could change if I knew more about the way they scanned.

Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online

More information about the list mailing list