[Snort-sigs] Beta rule for detecting DoomJuice infected hosts
eckman at ...2044...
Mon Feb 9 14:43:14 EST 2004
Untested as of yet. Should work (?). Requires Snort 2.1 or newer, due to
use of the threshold option.
alert tcp $HOME_NET any -> any 3127 (msg:"DoomJuice Infected Host"; \
flags:S; window:8760; sid:123456789; threshold: type limit, track by_src, \
count 1, seconds 30; reference:url,www.lurhq.com/mydoom-c.html;)
Sid: 123456789 (modify as appropriate)
Summary: This event is triggered when a host on the local network is
trying to spread the DoomJuice worm. It uses threshold to make sure that
only one alert is generated each 30 seconds.
Impact: DoomJuice-infected hosts create a lot of flow traffic that may
overwhelm network infrastructure. They launch a Denial of Service attack
at www.microsoft.com and try to spread by trying to connect to 3127/tcp
on random destination IP addresses. It also leaves the MyDoom backdoor
port of 3127/tcp open for others to abuse it.
Detailed Information: Requires Snort 2.1 or higher due to use of
threshold. You really don't want to use this without the threshold, as
each infected host could easily trigger dozens of alerts every second.
The DoomJuice worm always uses a TCP Window size of 8760 in its SYN packet
to 3127/tcp, so it becomes easy to detect.
Affected Systems: Windows computers already infected with the MyDoom worm.
Ease of Attack:
Simple. This is a worm that is active in the wild.
Corrective Action: Remove the worm from the computer.
Contributors: Brian Eckman, University of Minnesota
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
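The match and threshold logic of the rule above, written out as a small
Python model so the behaviour of "threshold: type limit, track by_src,
count 1, seconds 30" can be seen on sample traffic. This is an added
example, not code from the original post or from Snort; the packet
records, the 10.0.0.0/8 HOME_NET and the timestamps are constructed for
illustration.

```python
"""Toy model of the DoomJuice detection rule (added example, not Snort code).

Rule being modelled:
  alert tcp $HOME_NET any -> any 3127 (flags:S; window:8760;
        threshold: type limit, track by_src, count 1, seconds 30;)

Snort's "type limit" semantics: alert on the first `count` matching
packets from a source inside a `seconds` interval, then stay quiet for
the rest of that interval.
"""
import ipaddress
from dataclasses import dataclass

# Assumed local network for the example; the real rule uses $HOME_NET.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags actually set, e.g. "S" or "SA"
    window: int    # TCP window size


def matches_rule(pkt: Packet, home_net=HOME_NET) -> bool:
    """Static part of the rule: local source, SYN only, to 3127/tcp, window 8760."""
    return (
        ipaddress.ip_address(pkt.src) in home_net
        and pkt.dport == 3127
        and pkt.flags == "S"          # flags:S  -> SYN set and nothing else
        and pkt.window == 8760        # window:8760 (the DoomJuice fingerprint)
    )


class LimitThreshold:
    """threshold: type limit, track by_src, count N, seconds T."""

    def __init__(self, count: int = 1, seconds: int = 30):
        self.count = count
        self.seconds = seconds
        self._state: dict[str, tuple[float, int]] = {}  # src -> (window_start, fired)

    def allow(self, src: str, ts: float) -> bool:
        start, fired = self._state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            # First event for this source, or the interval has expired: open a new one.
            self._state[src] = (ts, 1)
            return True
        if fired < self.count:
            self._state[src] = (start, fired + 1)
            return True
        return False  # already alerted `count` times in this interval: suppress


def run(packets, home_net=HOME_NET):
    """Return (timestamp, src) for every alert the rule would raise."""
    threshold = LimitThreshold(count=1, seconds=30)
    alerts = []
    for pkt in packets:
        if matches_rule(pkt, home_net) and threshold.allow(pkt.src, pkt.ts):
            alerts.append((pkt.ts, pkt.src))
    return alerts


# Constructed sample traffic (not a real capture); 10.1.2.3 plays the infected host.
SAMPLE_PACKETS = [
    Packet(0.0, "10.1.2.3", "203.0.113.7", 3127, "S", 8760),    # match -> alert
    Packet(0.4, "10.1.2.3", "198.51.100.9", 3127, "S", 8760),   # match, inside 30 s -> suppressed
    Packet(12.0, "10.1.2.3", "192.0.2.44", 3127, "S", 8760),    # match, inside 30 s -> suppressed
    Packet(15.0, "10.1.2.3", "192.0.2.45", 80, "S", 8760),      # wrong destination port
    Packet(16.0, "10.1.2.4", "192.0.2.46", 3127, "S", 65535),   # SYN to 3127 but not the DoomJuice window
    Packet(17.0, "203.0.113.9", "10.1.2.3", 3127, "S", 8760),   # source is outside HOME_NET
    Packet(18.0, "10.1.2.3", "192.0.2.47", 3127, "SA", 8760),   # SYN/ACK, flags:S does not match
    Packet(31.0, "10.1.2.3", "192.0.2.48", 3127, "S", 8760),    # new 30 s interval -> alert
]

if __name__ == "__main__":
    for ts, src in run(SAMPLE_PACKETS):
        print(f"{ts:6.1f}s  DoomJuice Infected Host  src={src}")
```

Eight packets go in, six of them are rule matches or near-misses, and
only two alerts come out: one at 0.0 s and one at 31.0 s, both for
10.1.2.3. Without the threshold the same host would have produced three
alerts in the first 12 seconds, which is the behaviour the post warns
about.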