[Snort-sigs] Beta rule for detecting DoomJuice infected hosts

Brian Eckman eckman at ...2044...
Mon Feb 9 14:43:14 EST 2004

Untested as of yet. Should work (?). Requires Snort 2.1 or newer, due to 
use of the threshold option.

alert tcp $HOME_NET any -> any 3127 (msg:"DoomJuice Infected Host"; flags:S; window:8760; sid:123456789; threshold: type limit, track by_src, count 1, seconds 30; reference:url,www.lurhq.com/mydoom-c.html; classtype:attempted-dos; rev:1;)

Sid: 123456789 (modify as appropriate)

Summary: This event is triggered when a host on the local network is 
trying to spread the DoomJuice worm. It uses threshold to make sure that 
only one alert is generated each 30 seconds.

Impact: DoomJuice-infected hosts create a lot of flow traffic that may 
overwhelm network infrastructure. They launch a Denial of Service attack 
at www.microsoft.com and try to spread by trying to connect to 3127/tcp 
on random destination IP addresses. It also leaves the MyDoom backdoor 
port of 3127/tcp open for others to abuse it.

Detailed Information:
Requires Snort 2.1 or higher due to use of threshold. You really don't 
want to use this without the threshold, as each infected host could 
easily trigger dozens of alerts every second.

The Doomjuice worm always uses TCP Window size of 8760 in its SYN packet 
to 3127/tcp, so it becomes easy to detect.

Affected Systems:
Windows computers already infected with the MyDoom worm.
Attack Scenarios:

Ease of Attack:
Simple. This is a worm that is active in the wild.
False Positives:
None known
False Negatives:
None known

Corrective Action:
Remove the worm from the computer.
Brian Eckman, University of Minnesota
Additional References:

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."
