[Snort-sigs] Beta rule for detecting DoomJuice infected hosts

Kevin L. Shaw kevin.shaw at ...2216...
Tue Feb 10 07:52:01 EST 2004

I'm still new to putting signatures up for SourceFire sensors.  If
anyone uses them; could they point me to the right options or
documentation I can read to properly implement this signature on them
(my test sensors first of course!) please?


-----Original Message-----
From: Brian Eckman [mailto:eckman at ...2044...] 
Sent: Monday, February 09, 2004 5:43 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Beta rule for detecting DoomJuice infected hosts

Untested as of yet. Should work (?). Requires Snort 2.1 or newer, due to
use of the threshold option.

alert tcp $HOME_NET any -> any 3127 (msg:"DoomJuice Infected Host"; 
flags: S; window: 8760; sid:123456789; threshold: type limit, track 
by_src, count 1, seconds 30 ; reference:url,www.lurhq.com/mydoom-c.html;

classtype:attempted-dos; rev:1;)

Sid: 123456789 (modify as appropriate)

Summary: This event is triggered when a host on the local network is 
trying to spread the DoomJuice worm. It uses threshold to make sure that

only one alert is generated each 30 seconds.

Impact: DoomJuice-infected hosts create a lot of flow traffic that may 
overwhelm network infrastructure. They launch a Denial of Service attack

at www.microsoft.com and try to spread by trying to connect to 3127/tcp 
on random destination IP addresses. It also leaves the MyDoom backdoor 
port of 3127/tcp open for others to abuse it.

Detailed Information:
Requires Snort 2.1 or higher due to use of threshold. You really don't 
want to use this without the threshold, as each infected host could 
easily trigger dozens of alerts every second.

The Doomjuice worm always uses TCP Window size of 8760 in its SYN packet

to 3127/tcp, so it becomes easy to detect.

Affected Systems:
Windows computers already infected with the MyDoom worm.
Attack Scenarios:

Ease of Attack:
Simple. This is a worm that is active in the wild.
False Positives:
None known
False Negatives:
None known

Corrective Action:
Remove the worm from the computer.
Brian Eckman, University of Minnesota
Additional References:

Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list