Detecting DoomJuice Worm on Your Network

Brian Eckman eckman at umn.edu
Mon Feb 9 22:06:26 GMT 2004


All,

In case you were looking for a way to detect DoomJuice-infected hosts on 
your network, hopefully this saves you a few minutes...

It is most certainly in the wild. We have seen several hosts on campus 
get infected with it.

KEY FACTS
---------
TCP Window size == 8760
Destination port == 3127/tcp

TCPDUMP
-------
(assumes sniffing interface is eth0 - modify as necessary)
tcpdump -n -i eth0 -S 'tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2'

or, better yet:

tcpdump -n -i eth0 -S 'tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2 and (src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx)'


(and just put in your networks as src net)

and, perhaps the best (create an executable file, modify path and 
networks and interface. Make sure the entire foreach statement - 
everything before echo $i - is all on one line):

#!/usr/bin/tcsh

# Capture 200 packets matching the DoomJuice signature (SYN to 3127/tcp, window 8760)
# from the listed source networks, count them per source IP, and keep only sources
# that sent more than 10. The whole foreach statement must stay on one line.
foreach i ( `tcpdump -n -i eth0 -c 200 '( src net xxx.xxx.xxx.xxx/xxx or src net xxx.xxx.xxx.xxx/xx or src net xxx.xxx.xxx.xxx/xx ) and tcp and dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2' | awk '{ print $2 }' | cut -d '.' -f '1-4' | sort -r | uniq -c | sort -nr | awk '{ if ( $1 > 10 ) print $2 }'` )
    # $i is one suspect source IP
    echo $i
end

exit 0


(grab 200 packets that match that criteria, show me only those that sent 
more than 10 of those packets, sort them by IP, etc.)

NOTE: If you want to catch this in Snort, make sure only to alert on 
each 5,000 or so packets!


URLs
http://www.lurhq.com/mydoom-c.html
http://www.sarc.com/avcenter/venc/data/w32.hllw.doomjuice.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101002
http://www.sophos.com/virusinfo/analyses/w32doomjuicea.html

Brian
-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."
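The following is an added example, not part of Brian's post: it shows in Python what the BPF expression tcp[14:2] = 8760 and tcp[13] = 2 actually tests (byte 13 of the TCP header is the flags byte, bytes 14-15 are the window field) and then performs the same per-source aggregation as the foreach script, reporting sources with more than 10 matching SYNs. The sample packets, IP addresses and helper names are constructed for illustration and do not come from a real capture.

```python
import struct
from collections import Counter

# Indicators from the post: DoomJuice SYNs to 3127/tcp with a TCP window of 8760.
DOOMJUICE_DST_PORT = 3127
DOOMJUICE_WINDOW = 8760
TCP_FLAG_SYN = 0x02      # tcp[13] = 2 in BPF: SYN set and no other flag
REPORT_THRESHOLD = 10    # the post's 'if ( $1 > 10 )'


def build_tcp_header(src_port, dst_port, flags, window):
    """Build a minimal 20-byte TCP header (constructed sample data, not a real capture)."""
    data_offset = 5 << 4  # 5 32-bit words, no options
    return struct.pack('!HHIIBBHHH', src_port, dst_port, 0, 0,
                       data_offset, flags, window, 0, 0)


def matches_doomjuice(tcp_header):
    """Python equivalent of the BPF filter
    'dst port 3127 and tcp[14:2] = 8760 and tcp[13] = 2'.
    tcp[13] is the flags byte, tcp[14:2] the 16-bit window field."""
    if len(tcp_header) < 20:
        return False
    dst_port = struct.unpack('!H', tcp_header[2:4])[0]
    flags = tcp_header[13]
    window = struct.unpack('!H', tcp_header[14:16])[0]
    return (dst_port == DOOMJUICE_DST_PORT
            and window == DOOMJUICE_WINDOW
            and flags == TCP_FLAG_SYN)


def noisy_sources(packets, threshold=REPORT_THRESHOLD):
    """packets: iterable of (src_ip, tcp_header) pairs, e.g. the first 200 captured.
    Returns [(src_ip, count), ...] for sources with more than `threshold` matching
    SYNs, busiest first: the same aggregation as the post's sort | uniq -c | awk."""
    counts = Counter(src for src, hdr in packets if matches_doomjuice(hdr))
    hits = [(ip, n) for ip, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def sample_packets():
    """Constructed traffic mix: one infected-looking host plus benign lookalikes."""
    pkts = []
    # 10.0.0.5: 12 SYNs to 3127 with window 8760 -> should be reported
    for i in range(12):
        pkts.append(('10.0.0.5', build_tcp_header(40000 + i, 3127, TCP_FLAG_SYN, 8760)))
    # 10.0.0.9: only 3 such SYNs -> under the threshold, not reported
    for i in range(3):
        pkts.append(('10.0.0.9', build_tcp_header(41000 + i, 3127, TCP_FLAG_SYN, 8760)))
    # 10.0.0.7: 15 SYNs to 3127 but a different window -> filter does not match
    for i in range(15):
        pkts.append(('10.0.0.7', build_tcp_header(42000 + i, 3127, TCP_FLAG_SYN, 65535)))
    # 10.0.0.8: 15 SYN/ACKs (flags 0x12) with window 8760 -> tcp[13] != 2, no match
    for i in range(15):
        pkts.append(('10.0.0.8', build_tcp_header(3127, 43000 + i, 0x12, 8760)))
    # 10.0.0.6: 15 SYNs with window 8760 but to port 80 -> wrong port, no match
    for i in range(15):
        pkts.append(('10.0.0.6', build_tcp_header(44000 + i, 80, TCP_FLAG_SYN, 8760)))
    return pkts


if __name__ == '__main__':
    for ip, n in noisy_sources(sample_packets()):
        print(f'{ip}\t{n} matching SYNs')
```

Because the check requires the flags byte to equal exactly 2, a SYN/ACK (0x12) or a SYN with ECN bits set will not match, which is the same behaviour as the tcpdump filter in the post; the threshold is what keeps a single stray connection to 3127/tcp from being reported.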


