Please Wait。。。




Virus Activities

SIMCommander K-SOC Advisory

Subject: Create Intelligent Abnormal Behavior Detection Rule to Prevent Conficker Worm

Date: 2009-04-10

Download: Download pdf version here

To create intelligent Abnormal Behavior Detection rule to prevent Conficker worm,  first you have to define the parameters according to your enterprise security policy or requirements. The following is an example of how K-SOC detect Conficker Worm by the abnormal behavior detection rule.





The abnormal event used in this case:

AntiVirus database update failed


The number of Administration Kit servers with ‘AntiVirus database update failed’ is considered as abnormal:



Timeout value of the detection:

90 minutes


The risk level before the abnormal situation happened:



The risk level after the abnormal situation happened:



After defined the criteria, the next step is to following the procedures below to create the rule in K-SOC:


1 Launch the K-SOC console and click the Alert Configuration

2 Create a Network Object Administration Kit Servers. Then, you can input all the Administration Kit servers IP address to the object.

3 Create a new rule to detect the abnormal situation of ‘3 Administration Kit servers failed to update virus database’.

4 Create three states for this detection – the ‘update failed situation’ for the first, second, third and further Administration Kit servers. The first two states of the State Score is assigned to ‘2’ and the last State Score is assigned to ‘7’.


After created the States, the next step is to create the Transitions as shown below. Input the parameter as defined the match count = 1 and the timeout = 5400, select the condition as action = ‘Signature/OS update failure’. Because we want to limit the detection only for Administration Kit Servers, so we have to add the condition Destination Group = ‘Administration Kit Servers’ where this is the network object created in step 1. In the second and third Transition, we have to add the condition ‘Destination IP address’ is ‘not in previous Dest IP’ to differentiate the same Administration Kit Servers sending multiple update failed events.

6 After completed the above steps, you can be able to see the following analysis rule. The last step is to save this rule to take effect.




After defined the correlation rule, if you want to confirm the Conficker virus out of the network, you can perform the following steps.

1 By Query The purpose of query is to confirm if any computer detected the Conficker worm appeared in the network. You can launch the Query view in the K-SOC console and search for the computers with the virus ‘Net-Worm.Win32.Kido’ or ‘Net-Worm.Win32.Kido.bt’ or ‘Net-Worm.Win32.Kido.dv’ or ‘Net-Worm.Win32.Kido.fx’ detected

2 By Report You generate the report ‘AntiVirus Client Status Report’ from the K-SOC to have the overview picture of which computers are using outdated virus database. According to the Kaspersky Viruslist information, the last Conficker worm information is added to the Kaspersky virus database on 16 March, 2009. That means, all the computers using the virus database older than 16 March, 2009, they are in the risk of Conficker (aka Kido) worm infection. You have to force the update from the Kaspersky Administration Kit to those computers to prevent Conficker worm infection.


Home | Contact Us | Privacy Policy | Term of Use | Home | Contact Us | Privacy Policy | Term of Use | Copyright © 2001-2009 SIMCommander All Rights Reserved.