[Snort-sigs] Beta rule for detecting DoomJuice infected hosts
Kevin L. Shaw
kevin.shaw at ...2216...
Tue Feb 10 07:52:01 EST 2004
I'm still new to putting signatures up for SourceFire sensors. If
anyone uses them, could they point me to the right options or
documentation I can read to properly implement this signature on them
(my test sensors first, of course)?
From: Brian Eckman [mailto:eckman at ...2044...]
Sent: Monday, February 09, 2004 5:43 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Beta rule for detecting DoomJuice infected hosts
Untested as of yet. Should work (?). Requires Snort 2.1 or newer, due to
use of the threshold option.
alert tcp $HOME_NET any -> any 3127 (msg:"DoomJuice Infected Host";
flags:S; window:8760; sid:123456789; threshold: type limit, track
by_src, count 1, seconds 30; reference:url,www.lurhq.com/mydoom-c.html;)
Sid: 123456789 (modify as appropriate)
Summary: This event is triggered when a host on the local network is
trying to spread the DoomJuice worm. It uses threshold to make sure that
only one alert is generated each 30 seconds.
Impact: DoomJuice-infected hosts create a lot of flow traffic that may
overwhelm network infrastructure. They launch a Denial of Service attack
at www.microsoft.com and try to spread by trying to connect to 3127/tcp
on random destination IP addresses. It also leaves the MyDoom backdoor
port of 3127/tcp open for others to abuse it.
Detailed Information:
Requires Snort 2.1 or higher due to use of threshold. You really don't
want to use this without the threshold, as each infected host could
easily trigger dozens of alerts every second.
The Doomjuice worm always uses TCP Window size of 8760 in its SYN packet
to 3127/tcp, so it becomes easy to detect.
Affected Systems:
Windows computers already infected with the MyDoom worm.
Ease of Attack:
Simple. This is a worm that is active in the wild.
Corrective Action:
Remove the worm from the computer.
Brian Eckman, University of Minnesota
OIT Security and Assurance
University of Minnesota
"There are 10 types of people in this world. Those who
understand binary and those who don't."
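The following is an added illustration, not code from either poster or from the Snort project: a small Python model of what the rule above matches (TCP from $HOME_NET to port 3127, SYN only, window 8760) together with the `threshold: type limit, track by_src, count 1, seconds 30` behaviour that keeps an infected host from producing dozens of alerts per second. The HOME_NET range and all packet records are constructed for the example; the threshold class is a simplified model of Snort's `limit` semantics (first N matching events per source in each T-second window fire, the rest are suppressed), not Snort's own implementation.

```python
"""Model of the DoomJuice SYN rule plus Snort 'threshold: type limit'
semantics, run over constructed packet records (not a real capture)."""
from ipaddress import ip_address, ip_network

# Assumed HOME_NET for this example; the real value comes from snort.conf.
HOME_NET = ip_network("10.0.0.0/8")
DST_PORT = 3127      # MyDoom backdoor port that DoomJuice scans for
SYN_WINDOW = 8760    # TCP window size the post says DoomJuice sets in its SYN
SYN_ONLY = "S"       # Snort 'flags:S' means SYN set and no other flag bits


class LimitThreshold:
    """threshold: type limit, track by_src, count N, seconds T

    Simplified model of Snort 'limit': at most N alerts per tracked source
    in each T-second window, the window starting at the first match.
    """

    def __init__(self, count=1, seconds=30):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, alerts_fired_in_window)

    def allow(self, src, ts):
        start, fired = self._state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, fired = ts, 0  # open a new window for this source
        if fired < self.count:
            self._state[src] = (start, fired + 1)
            return True
        self._state[src] = (start, fired)
        return False


def rule_matches(p):
    """Stateless part of the rule: tcp $HOME_NET any -> any 3127, flags:S, window:8760."""
    return (p["proto"] == "tcp"
            and ip_address(p["src"]) in HOME_NET
            and p["dport"] == DST_PORT
            and p["flags"] == SYN_ONLY
            and p["window"] == SYN_WINDOW)


def run_rule(packets, threshold=None):
    """Return the list of (ts, src) alerts the rule would raise."""
    thr = threshold or LimitThreshold(count=1, seconds=30)
    alerts = []
    for p in packets:
        if rule_matches(p) and thr.allow(p["src"], p["ts"]):
            alerts.append((p["ts"], p["src"]))
    return alerts


def pkt(ts, src, dst, dport=3127, flags="S", window=8760, proto="tcp"):
    """Build one constructed packet record (fields the rule inspects only)."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "flags": flags, "window": window, "proto": proto}


# Constructed sample traffic: one infected host sending a SYN (window 8760)
# to 3127/tcp every 2 seconds for 70 seconds, plus traffic that must not fire.
SAMPLE = (
    [pkt(t, "10.1.2.3", f"203.0.113.{t % 250 + 1}") for t in range(0, 70, 2)]
    + [pkt(5.0, "10.1.2.3", "203.0.113.9", window=65535)]  # wrong window size
    + [pkt(6.0, "10.1.2.3", "203.0.113.9", flags="SA")]     # SYN/ACK, not SYN only
    + [pkt(7.0, "10.1.2.3", "203.0.113.9", dport=80)]       # not the backdoor port
    + [pkt(8.0, "192.0.2.7", "10.1.2.3")]                   # source outside HOME_NET
)

if __name__ == "__main__":
    for ts, src in run_rule(SAMPLE):
        print(f"{ts:6.1f}  DoomJuice Infected Host  src={src}")
```

With the threshold in place the 35 scanning SYNs from 10.1.2.3 collapse to three alerts (at t=0, 30 and 60 seconds); passing a threshold with a very large count shows the unthrottled behaviour the post warns about, one alert per SYN.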