Chapter 5 Case Study and Experiment
5.2 Example of Computer Worms Detection
Nimda, a sophisticated worm that made headlines worldwide, is taken as the example. Nimda was the first worm to modify existing web sites so that they offered infected files for download, using the Unicode exploit to infect IIS web servers. It was also the first worm to use ordinary end-user machines to scan for vulnerable web sites, a technique that enabled Nimda to infect intranet web sites located behind firewalls.
According to the dynamic behaviour, such as symptoms and carrier, recorded in the BDML of the worm in Figure 3.3, we may suppose that after case diagnosis the Nimda concept tree in Figure 5.2 is created and transformed into an acquisition table like Table 5.1. Three attributes are used to recognize Nimda in this example: the name of the e-mail attachment used by the worm, the medium the worm uses to upload itself (the worm body), and the name of the file the worm uses to start execution on servers. After constructing the acquisition table, the AOT table is needed to record the relative importance of each attribute to the Nimda object. Suppose Nimda is the latest worm to have appeared in the cyber world; a worm domain expert might not have strong confidence in deciding the relative importance of each attribute, because variants of Nimda may evolve quickly and the original ordering values would need to be modified within a short period. Hence the expert can instead identify the importance of each attribute to Nimda1 and Nimda2 in each time interval using the AST table with two time intervals, and assign the first interval a signal equal to one, as in Table 5.2. Because the second time interval is pre-specified, its initial signal value is zero. Next, the entropy weight of each attribute is calculated from the AST to obtain the ordering value. Since time is irrelevant during the initial step of construction, the ordering value is “2” after calculation, while the entropy equals one because there is one positive and one negative instance. The initial AOT is therefore constructed as shown in Table 5.3.
[Figure 5.2: concept tree. Root: Nimda, with branches Symptoms and Carrier; attributes Mail_Attachment, Upload_Medium, Executed_File_Name; leaf values Readme.exe, puta!!.scr, Admin.dll, cool.dll]
Figure 5.2: Example of Nimda Concept Tree
Table 5.1: An Example of Nimda acquisition table
Attribute / Object    Nimda
Mail_Attachment       Readme.exe
Upload_Medium         Admin.dll
Executed_File_Name    Riched20.dll
Table 5.2: An Example of Nimda AST
Attribute / Object    Nimda1    Nimda2
Mail_Attachment       1         0
Upload_Medium         1         0
Executed_File_Name    1         0
Table 5.3: An Example of Nimda AOT
Attribute / Object    Nimda
Mail_Attachment       2
Upload_Medium         2
Executed_File_Name    2
Having both the acquisition table and the AOT, eight embedded rules are generated using EMCUD, and some of them have a low CF, such as rule R1: ‘IF Not Mail_Attachment = Readme.exe and Upload_Medium = Admin.dll and Executed_File_Name = Riched20.dll Then Nimda’ with CF = 0.67. Suppose, therefore, that the worm KBS under construction receives several worm instances from the real world and that rule R1 is fired by VODKA repeatedly over a period; suppose further that in the last two intervals the embedded rule R2: ‘IF Not Mail_Attachment = Readme.exe and Not Upload_Medium = Admin.dll and Not Executed_File_Name = Riched20.dll Then Nimda’ with CF = 0.4 is fired by VODKA. The AST recording this evolutionary trend is shown in Table 5.4.
In Table 5.4, the Mail_Attachment attribute is evaluated by the entropy-based method, and the entropy weight may lower its value because of the decreasing trend in intervals 6 and 7. The attribute is therefore assigned a new ordering value of 1, since it is very likely to change again over time; subsequently, ordering value 3 is assigned to both Upload_Medium and Executed_File_Name according to the AST. As a result, the rule whose CF equals 0.67 can be raised to 0.74.
Moreover, several new attribute values are learned by VODKA, with Mail_Attachment = puta!!.scr in R1; a new variant, Nimda.B, is then found, as in Table 5.5, and integrated into Table 5.6, and the AOT is updated as in Table 5.7. After the merge procedure, the ontology is constructed as shown in Figure 5.3.
Table 5.4: An Example of Nimda AST
Attribute / Object    N1  N2  N3  N4  N5  N6  N7
Mail_Attachment       1   0   0   1   0   0   0
Upload_Medium         1   1   1   1   0   0   0
Executed_File_Name    1   1   1   0   1   0   0
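As an added illustration that is not part of the thesis (and not VODKA's or EMCUD's own code), the following Python parses AST rows in the flattened layout of Tables 5.2 and 5.4 and computes Shannon entropy over each attribute's signal history. Shannon entropy is assumed here to be the "entropy-based method" of the text; the expert's step of mapping weights to the integer ordering values of Tables 5.3 and 5.7 is not reproduced.

```python
import math
from typing import Dict, List

# AST rows in the page's flattened layout (constructed from Tables 5.2 and
# 5.4): the attribute name followed by one 1/0 signal per time interval.
AST_INITIAL_ROWS = [
    "Mail_Attachment 1 0",
    "Upload_Medium 1 0",
    "Executed_File_Name 1 0",
]
AST_LATER_ROWS = [
    "Mail_Attachment 1 0 0 1 0 0 0",
    "Upload_Medium 1 1 1 1 0 0 0",
    "Executed_File_Name 1 1 1 0 1 0 0",
]


def parse_ast(rows: List[str]) -> Dict[str, List[int]]:
    """Parse 'Attribute s1 s2 ... sn' rows into an attribute -> signals map."""
    ast: Dict[str, List[int]] = {}
    for row in rows:
        name, *signals = row.split()
        values = [int(s) for s in signals]
        if any(v not in (0, 1) for v in values):
            raise ValueError(f"AST signals must be 0 or 1: {row!r}")
        ast[name] = values
    return ast


def entropy(signals: List[int]) -> float:
    """Shannon entropy (bits) of one firing history; [1, 0] gives exactly 1.0."""
    if not signals:
        return 0.0
    p = sum(signals) / len(signals)
    return -sum(q * math.log2(q) for q in (p, 1.0 - p) if q > 0)


def entropy_weights(ast: Dict[str, List[int]]) -> Dict[str, float]:
    """Entropy weight of every attribute in the AST."""
    return {name: entropy(sig) for name, sig in ast.items()}


def rank_by_entropy(ast: Dict[str, List[int]]) -> List[str]:
    """Attributes ordered by increasing entropy weight (ties broken by name).

    In Table 5.4 the zeros dominate Mail_Attachment's row, so it gets the
    lowest weight and is the candidate for the lowest ordering value.
    """
    weights = entropy_weights(ast)
    return sorted(weights, key=lambda name: (weights[name], name))
```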
Table 5.5: An Example of Nimda acquisition table
Attribute / Object    Nimda.A        Nimda.B
Mail_Attachment       Readme.exe     puta!!.scr
Upload_Medium         Admin.dll      cool.dll
Executed_File_Name    Riched20.dll   httpodbc.dll
Table 5.6: An Example of Nimda acquisition table
Attribute / Object    Nimda
Mail_Attachment       {Readme.exe; puta!!.scr}
Upload_Medium         {Admin.dll; cool.dll}
Executed_File_Name    {Riched20.dll; httpodbc.dll}
Table 5.7: An Example of Nimda AOT
Attribute / Object    Nimda
Mail_Attachment       1
Upload_Medium         3
Executed_File_Name    3
[Figure 5.3: Nimda ontology. Nimda HAS:1 Mail_Attachment, HAS:2 Upload_Medium, HAS:2 Executed_File_Name; Mail_Attachment IS Readme.exe, IS puta!!.scr; Upload_Medium IS Admin.dll, IS cool.dll]
Figure 5.3: Example of Nimda Ontology
With the accumulated inference logs, VODKA can learn variants, and the time-interval tracing mechanism can also be used to update the knowledge incrementally so that it adapts to the changing environment over time. Suppose VODKA learns new attribute values, including Mail_Attachment = sample.exe, Upload_Medium = cool.dll and Executed_File_Name = httpodbc.dll in R2, while rule R2 has already been fired in every time interval over a short period; another variant, Nimda.E, could then be found. The updated tables are shown in Table 5.8 and Table 5.9, and the ontology is updated as in Figure 5.4. Finally, the system is set up in the current environment to guide people who are unfamiliar with the domain, giving them a picture of the worms to help in preventing or removing them.
Table 5.8: An example of Nimda acquisition table
Attribute / Object    Nimda
Mail_Attachment       {Readme.exe; puta!!.scr; sample.exe}
Upload_Medium         {Admin.dll; cool.dll}
Executed_File_Name    {Riched20.dll; httpodbc.dll}
Table 5.9: An example of Nimda AOT
Figure 5.4: Example of Nimda ontology