My last mini project


Transcript of My last mini project

  • 7/29/2019 My last mini project


win32:kukacha / win32:sality healer

    Training Report

Submitted to: Dept. of Computer Sciences, PMCE

Submitted by: Navdeep Gaur, CSE V


win32:kukacha / win32:sality healer

A tool to recover files from removable storage devices infected by strains of the notorious win32:sality and win32:kukacha-like worms.

    Navdeep Gaur

A brief report on the software tool developed during the six-week practical training received during the summer of 2012, submitted in partial fulfilment of the degree course.


ACKNOWLEDGEMENT

I take this opportunity to thank all those whose immense support, in both technical and moral terms, made it a fulfilling experience.

The Head of Department, Department of Computer Science, PM College of Engineering, for the use of lab time to experiment with the virus's behaviour.

My fellow students, for letting me tinker around with their pen drives.

StorageTech, the company, for allowing me to pursue a project of my own undertaking. I also thank them for allowing me to go and attend the CEP workshop organized by DoMS IIT-D midway through my training, letting me continue my project without the necessity of physical attendance.

I also thank the management for this wonderful learning opportunity.

    Navdeep Gaur


COMPANY PROFILE

StorageTech has pioneered the growth of IT and IMS training in India. Keeping focus, growth and competition in perspective, StorageTech has been able to set standards across its offices by adopting practices based on quality, commitment and the zeal to make success a habit. Since its inception in 2006, StorageTech has gradually worked towards becoming one of the top players in the market today. With its rich experience in the IT training services sector, it has been able to set high global practices that drive it to build relationships with all those associated with it.

    SERVICES OFFERED

StorageTech offers a broad range of project expertise, specializing in planning, designing, engineering, constructing, monitoring and maintaining Data Centers, Networks, Data Security, Data Backup, Disaster Recovery and Storage Designs that integrate critical infrastructure technologies.

StorageTech offers a range of services and specializes in the design and implementation of storage solutions that integrate with existing infrastructures to meet existing and future storage requirements. Our customers can choose from a wide range of solutions provided by us, which make it easy to manage the growth of their requirements.

Corporate Training

Software Training Consultancy

    SOLUTIONS OFFERED

Disaster Recovery

Storage Designing

Backup Solutions

Network Designing

Datacenter Solutions

    CORE TECHNOLOGIES

Solaris

Unix

Backup

SAN


    MOTIVATION FOR DEVELOPING THE TOOL

There had been a recurring problem of files disappearing from the flash drives of users of the computer labs at the PM group of institutions.

This problem was caused by a malware infection: the malware would hide all the files on any removable medium plugged into an infected machine. All the directories were hidden as well and replaced by shortcuts pointing to executables of the malware, which were stored in system-reserved folders of the drive.

As was later discovered, the malware was a strain of the widespread and notorious win32:sality and win32:kukacha virus/worm bundle.

    SOLUTION FOR THE VIRUS

After weeks of tinkering and experimentation, the lab administrators applied the virus fixes provided by antivirus vendors such as NOD32, Quick Heal and AVG.


    REMAINING PROBLEM

The malware was thus removed, but the missing data remained a problem. Even though the virus was now gone, including from the infected flash drives, the data and user files were still not visible.

Disk usage figures and directory listings that include hidden and system entries showed that the data was still there; it had merely been made invisible.


Fig. 1: snapshot of the virtual machine on which the virus fix was tested. Note the files that are hidden in the folder view but otherwise visible in directory listings.


The root of the problem turned out to be the method the virus strain used to propagate itself to other machines.

It would create infected shortcuts named after the folders on the removable drive while hiding the original folders, thereby tricking the unsuspecting user into clicking on them.

The shortcuts were rigged to launch executables of the virus itself, which were stored in the RECYCLER or System Volume Information directories of the removable storage device.

The shortcuts could be removed by deleting them on an uninfected machine and purging the appropriate directories, but the hidden files could not be brought back even after configuring Windows Explorer to show hidden files and folders. This was because the virus not only set the hidden attribute on the contents of the infected drives but also set the system attribute on them; a file with the system attribute set cannot be altered through any of the file-attribute GUI utilities supplied with Windows XP (the Properties dialog does not expose the system attribute at all).


    THE SOLUTION

The system and hidden attributes can, however, be cleared with the MS-DOS attrib utility.

This utility still ships with most Windows distributions; Windows XP also comes with the attrib command installed.

The syntax used for the command is shown in the following illustration.

Fig. 2: the contents are made visible again.


INFORMATION STORAGE AND BUSINESS CONTINUITY

What lies at the heart of storage management, and what makes it so crucial, especially to college students and lecturers who use computers in a shared lab?


    INFORMATION STORAGE

Businesses use data to derive information that is critical to their day-to-day operations. Storage is a repository that enables users to store and retrieve this digital data. So do university students.

STORAGE PRIMITIVES IN OUR SCENARIO

Data: the files stored on the storage devices of our end users.

Devices: the external storage devices, including but not limited to pen drives, memory cards and external hard drives.

Downtime: the unavailability of access to the files saved on these drives and media.

Cause of downtime: side effects of a virus infection.


    BUSINESS CONTINUITY

    Business continuity entails preparing for, responding to, and recovering from a system

    outage that adversely affects business operations. It involves proactive measures, such as

    business impact analysis and risk assessments, data protection, and security, and reactive

    countermeasures, such as disaster recovery and restart, to be invoked in the event of a

    failure. The goal of a business continuity solution is to ensure the information availability

    required to conduct vital business operations.

    In technical terms,

    Business continuity (BC) is an integrated and enterprisewide process that

    includes all activities (internal and external to IT) that a business must perform

    to mitigate the impact of planned and unplanned downtime

    -- Ganesh Rajaratnam, Information Storage and Management

BUSINESS CONTINUITY IN OUR SCENARIO

Business continuity in our scenario means that users of the system get their files back, so that they can carry on with their unfinished movie downloads or whatever other valuable piece of work was disrupted.


    HOW THIS SOLUTION WORKS?

Our program essentially uses the attrib utility to reset the hidden and system attributes of the affected files.

In practice, attrib will not alter a file's other attributes while its system attribute is set, so the system attribute must be cleared before any other attribute can be set or cleared.

On the other hand, attrib will not clear the system attribute of a file whose hidden attribute is set.

Thus, if both attributes are set to begin with, it is seemingly impossible to clear them one at a time: attrib refuses the first operation whichever order is tried.

This program overcomes the deadlock by using another capability of attrib: more than one attribute operation can be specified in a single invocation. When the system and hidden attributes are cleared in the same invocation (attrib -s -h), the transition actually takes place.

This behaviour is, in fact, a deliberate safeguard in the attribute management of Microsoft's systems, meant to keep users away from system files such as IO.SYS, MSDOS.SYS and autoexec.bat.
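The deadlock and its escape, as an added example that is not code from the report. It works in a scratch folder under %TEMP% (the folder and file names are made up for the demonstration), reproduces the attribute state the worm leaves behind, shows attrib refusing each single-attribute reset, and then clears both attributes in one call:

```batch
@echo off
rem Added example, not code from the report. Demonstrates why the healer has
rem to clear the system and hidden attributes in ONE attrib call.
rem Everything happens in a scratch folder under %TEMP%; the folder and file
rem names are made up for the demonstration.
setlocal EnableExtensions
set "LAB=%TEMP%\attrib-demo"
if exist "%LAB%\*" rd /s /q "%LAB%"
mkdir "%LAB%"
mkdir "%LAB%\Photos"
echo sample content> "%LAB%\notes.txt"

rem Reproduce what the worm leaves behind: system + hidden on a file and a folder.
attrib +s +h "%LAB%\notes.txt"
attrib +s +h "%LAB%\Photos"
echo Before:
attrib "%LAB%\notes.txt"
attrib "%LAB%\Photos"

echo.
echo One attribute at a time (attrib refuses in both orders):
attrib -h "%LAB%\notes.txt"
rem prints: Not resetting system file - ...\notes.txt
attrib -s "%LAB%\notes.txt"
rem prints: Not resetting hidden file - ...\notes.txt
attrib "%LAB%\notes.txt"
rem the listing still shows both S and H

echo.
echo Both attributes in one call:
attrib -s -h "%LAB%\notes.txt"
attrib -s -h "%LAB%\Photos"
echo After:
attrib "%LAB%\notes.txt"
attrib "%LAB%\Photos"
rem neither listing shows S or H any more

rem Tidy up the scratch folder.
rd /s /q "%LAB%"
endlocal
```

Run it from a Command Prompt on any Windows version that ships attrib.exe; the two "Not resetting" messages are attrib's own refusals, and the final listings show the attributes gone only after the combined -s -h call.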


    WIN32:SALITY / WIN32:KUKACHA HEALER: BETA VERSION

FILES:

healkukacha.bat: holds the actual code and the error-handling routines.

SpecifyDriveHere.bat: the user interface for the current system.

Readme.txt: the initial instructions for the user.

FEATURES

The tool accepts a drive letter and, regardless of what the drive contains, clears the hidden and system attributes of everything on it.
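As an added example, not the report's own healkukacha.bat or SpecifyDriveHere.bat, here is a hardened variant of the healer that a lab administrator could keep beside it. It assumes, as the report describes, that the lures are .lnk files named after the hidden folders; the drive-letter validation, the refusal of the system drive, the exclusion of RECYCLER / System Volume Information and the triage output are additions of this example, not features of the original tool:

```batch
@echo off
rem Added example, not the report's healkukacha.bat / SpecifyDriveHere.bat.
rem A hardened healer. The original resets every entry on the drive it is
rem given, regardless of contents; this one
rem   - takes one drive letter (D-Z) and refuses the system drive,
rem   - leaves RECYCLER / $RECYCLE.BIN / System Volume Information alone
rem     (their system attributes are legitimate; the worm only nested there),
rem   - reports hidden folders that have a same-named .lnk beside them (the
rem     lure pattern the report describes) and lists leftover shortcuts
rem     instead of deleting anything.
rem Assumption: lures are named <folder>.lnk, as the report describes.
setlocal EnableExtensions

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter^>      e.g.  %~nx0 F
    exit /b 2
)
set "D=%~1"
set "D=%D:~0,1%"
set "OK="
for %%L in (D E F G H I J K L M N O P Q R S T U V W X Y Z) do if /i "%%L"=="%D%" set "OK=1"
if not defined OK (
    echo Refusing "%~1": give a single drive letter from D to Z.
    exit /b 2
)
if /i "%D%:"=="%SystemDrive%" (
    echo Refusing to touch the system drive %SystemDrive%.
    exit /b 2
)
if not exist "%D%:\" (
    echo Drive %D%: is not mounted.
    exit /b 1
)

echo --- Triage: hidden folders on %D%: with a same-named shortcut beside them ---
rem dir /a:dh lists directories that are hidden; plain for/d would skip them.
for /f "delims=" %%F in ('dir /b /a:dh "%D%:\" 2^>nul') do (
    if exist "%D%:\%%F.lnk" echo   %%F   ^(lure: %%F.lnk^)
)

echo --- Clearing system and hidden attributes on %D%: ---
for /f "delims=" %%E in ('dir /b /a "%D%:\" 2^>nul') do (
    set "SKIP="
    if /i "%%E"=="System Volume Information" set "SKIP=1"
    if /i "%%E"=="RECYCLER" set "SKIP=1"
    if /i "%%E"=="$RECYCLE.BIN" set "SKIP=1"
    if not defined SKIP (
        rem -s and -h in the same call; one at a time attrib refuses.
        attrib -s -h "%D%:\%%E"
        rem For a folder, recurse into it as well (files and subfolders).
        if exist "%D%:\%%E\*" attrib -s -h "%D%:\%%E\*" /s /d
    )
)

echo --- Shortcuts still on %D%: (inspect, then delete on a clean machine) ---
dir /b /s /a "%D%:\*.lnk" 2>nul
echo Done.
endlocal
exit /b 0
```

Save it under any name (say heal-hardened.bat, a name assumed here) and run it as heal-hardened.bat F. The shortcuts are listed rather than deleted on purpose: as the report notes, they should be removed on an uninfected machine after inspection, and an automatic delete would also remove any legitimate .lnk the user kept on the drive.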


    SUGGESTED IMPROVEMENTS

A review of the tool by some end users brought up the following avenues for improvement:

User interface: the users would like a more relaxed interface, with GUI capability.

Robustness: the program still contains bugs because it is still in the development phase.


APPENDIX


    PROGRAM LISTINGS


    VIRUS PROFILE

    Virus: Win32/Sality.AM

    Encyclopedia entry

    Updated: Apr 17, 2011 | Published: Jul 08, 2008

    Aliases

Win32/Kashu.B (AhnLab)

Win32.Sality.NX (BitDefender)

Win32/Sality.W (CA)

Win32.Sector.5 (Dr.Web)

Win32/Sality.NAO (ESET)

W32/Sality.AJ (Frisk (F-Prot))

Virus.Win32.Sality.y (Kaspersky)

W32/Sality.AE (McAfee)

W32/Sality.AO (McAfee)

W32/Smalltroj.DXSV (Norman)

W32/Sality-AM (Sophos)

W32.Sality.AE (Symantec)

Win32.Sality.AK (VirusBuster)


Alert Level: Severe

    Microsoft recommends that you download the latest definitions to get protected.

    Detection last updated:

    Definition: 1.133.411.0

    Released: Aug 26, 2012

    Detection initially created:

    Definition: 1.45.287.0

    Released: Oct 07, 2008

    http://www.microsoft.com/security/portal/Definitions/ADL.aspx

    TOOLS USED

Virtualization software: Sun VirtualBox

    Sun VirtualBox is a collection of powerful virtual machine tools, targeting desktop

    computers, enterprise servers and embedded systems. With VirtualBox, you can virtualize

    32-bit and 64-bit operating systems on machines with Intel and AMD processors, either by

    using hardware virtualization features provided by these processors or even entirely in

    software, at your option. With VirtualBox, you can run unmodified operating systems --

    including all of the software that is installed on them -- directly on top of your existing

operating system, in a special environment called a "virtual machine". Your physical computer is then usually called the "host", while the virtual machine is often called a "guest".

    Programming language: Windows batch script

    With batch files, which are also called batch programs or scripts, you can simplify routine

    or repetitive tasks. A batch file is an unformatted text file that contains one or more

    commands and has a .bat or .cmd file name extension. When you type the file name at the

    command prompt, Cmd.exe runs the commands sequentially as they appear in the file.

    You can include any command in a batch file. Certain commands, such as for, goto, and if,

    enable you to do conditional processing of the commands in the batch file. For example, the

    if command carries out a command based on the results of a condition. Other commands

    allow you to control input and output and call other batch files.

By convention, most applications return an exit code of 0 when no error occurred and 1 (or a higher value) when an error occurred; a batch file can test this with if errorlevel or the || operator.


    Core system utility: attrib.exe

    Synopsis of the attrib command is as described:


    CONFIGURATION OF THE VIRTUAL MACHINE

    General

Name: testbed

OS Type: Windows XP

    System

    Base Memory: 192 MB

    Processor(s): 1

    Boot Order: Floppy, CD/DVD-ROM, Hard Disk

    VT-x/AMD-V: Enabled

    Nested Paging: Disabled

    Display

    Video Memory: 12 MB

    3D Acceleration: Disabled

    Remote Display Server: Disabled

    Hard Disks

    IDE Primary Master: XP.vdi (Normal, 10.00 GB)

    CD/DVD-ROM

    Image: VBoxGuestAdditions.iso

Floppy: Not mounted

    Audio

    Host Driver: Windows DirectSound

    Controller: ICH AC97

    Network

    Adapter 1: PCnet-FAST III (NAT)

    Serial Ports

    Disabled

    USB

    Enabled