My last mini project
7/29/2019 My last mini project
1/25
win32: kukacha / win32: sality healer
Training Report
Submitted to: Dept. of Computer Sciences, PMCE
Submitted by: Navdeep Gaur, CSE V
win32: kukacha / win32: sality healer
A tool to recover files from removable storage devices infected by strains of worms like the notorious win32: sality and win32: kukacha.
Navdeep Gaur
A brief report of the software tool developed during the six-week practical training received during the summer of 2012, for the partial completion of the degree course.
ACKNOWLEDGEMENT
I take this opportunity to thank all those whose immense support, in both technical and moral terms, made it a fulfilling experience.
The Head of Department, Department of Computer Science, PM College of Engineering, for the use of lab time to experiment with the virus's behaviour.
My fellow students, for letting me tinker around with their pen drives.
StorageTech, the company, for allowing me to pursue a project of my own undertaking. I also thank them for allowing me to go and attend the CEP workshop organized by DoMS IIT-D midway through my training, letting me continue my project without the necessity of physical attendance.
I also thank the management for this wonderful learning opportunity.
Navdeep Gaur
COMPANY PROFILE
StorageTech has pioneered the growth of IT and IMS training in India. Keeping focus, growth and competition in perspective, StorageTech has been able to set standards across its offices by adopting practices based on quality, commitment, and the zeal to make success a habit. Since its inception in the year 2006, StorageTech has gradually worked towards becoming one of the topmost players in the market today. With its rich experience in the IT training services sector, it has been able to set high global practices that drive it to build relationships with all those associated with it.
SERVICES OFFERED
StorageTech offers a broad range of project expertise, specializing in planning, designing, engineering, constructing, monitoring and maintaining data centers, networks, data security, data backup, disaster recovery and storage designs that integrate critical infrastructure technologies.
StorageTech offers a range of services and specializes in the design and implementation of storage solutions that integrate with existing infrastructures to meet existing and future storage requirements. Our customers can choose from a wide range of solutions provided by us, which make it easy to manage the growth of their requirements.
Corporate Training
Software Training Consultancy
SOLUTIONS OFFERED
Disaster Recovery
Storage Designing
Backup Solutions
Network Designing
Datacenter Solutions
CORE TECHNOLOGIES
Solaris
Unix
Backup
SAN
MOTIVATION FOR DEVELOPING THE TOOL
There had been a recurring problem of disappearing files from the flash drives of users of the computer labs at the PM group of institutions.
Apparently, this problem was caused by a viral infection: the malware would hide all the files on any removable media that was plugged into an infected machine. All the directories were also hidden and replaced by links to executables of the malware, stored in system-reserved folders of the drive.
As was later discovered, the malware was a strain of the widespread and notorious win32: sality and win32: kukacha virus/worm bundle.
SOLUTION FOR THE VIRUS
After weeks of tinkering and experimentation, the lab administrators applied the virus fixes provided by antivirus vendors such as NOD32, Quick Heal and AVG.
REMAINING PROBLEM
The malware was thus removed, but the missing data posed a problem. Even though the virus was now gone, including from the infected flash drives, the data and user files were still not visible.
Disk usage information and unrestricted directory listings showed that the data was still there, but it was no longer visible.
Fig. 1: snapshot of the virtual machine on which the virus fix was tested. Observe the hidden files in the folder, otherwise visible in listings.
The root of the problem was found to be the method that the virus strain used to propagate itself on to other machines.
It would create infected links in place of the folders on the removable drives, hiding the originals, thereby tricking the unsuspecting user into clicking on them.
The shortcuts were rigged to launch executables of the virus itself, which were in turn stored in either the RECYCLER or the System Volume Information directory of the removable storage device.
The links could be removed by deleting them on an uninfected machine and purging the appropriate directories, but the hidden files could not be brought back even after making the file viewer show hidden files and folders. This was because the virus not only set the hidden attribute on the contents of the infected drives, but also set the system attribute on them, making the files unalterable by any file attribute GUI utility supplied with Windows XP.
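As an added example (not part of the report, whose program listings are not reproduced here), the following batch script checks a drive for the pattern just described: folders carrying both the hidden and system attributes that have a same-named .lnk shortcut beside them in the drive's root. The script name, the drive-letter argument and the message wording are my own choices.

```batch
@echo off
setlocal EnableExtensions
rem Added example: find folders on a removable drive that carry both the
rem hidden and system attributes AND have a same-named .lnk shortcut beside
rem them in the root, the pattern the report describes. Usage: findshadow.bat E
if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter^>
    exit /b 1
)
set "DRV=%~1"
set "DRV=%DRV:~0,1%"
if not exist "%DRV%:\" (
    echo Drive %DRV%: is not accessible.
    exit /b 1
)
set /a SUSPECT=0
rem dir /adhs lists only entries that are directories AND hidden AND system;
rem a plain dir or a plain for loop skips them, which is why users never saw them.
for /f "delims=" %%D in ('dir /b /adhs "%DRV%:\" 2^>nul') do (
    if exist "%DRV%:\%%D.lnk" (
        set /a SUSPECT+=1
        echo [suspect] folder "%DRV%:\%%D" is hidden+system and shadowed by "%DRV%:\%%D.lnk"
    )
)
rem The two locations the report names as holding the worm's executables.
for %%S in ("RECYCLER" "System Volume Information") do (
    if exist "%DRV%:\%%~S\*.exe" echo [check] executables present under "%DRV%:\%%~S"
)
echo %SUSPECT% shadowed folder(s) found on drive %DRV%:
exit /b 0
```

Run it from an uninfected machine with the suspect drive plugged in; it only reads the drive and changes nothing.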
THE SOLUTION
The system and hidden attributes of the files could, however, be unset using the MS-DOS attrib utility.
This utility is still shipped with most Windows distributions; Windows XP also comes with the attrib command installed.
The syntax used for the command is as depicted in the following illustration.
Fig. 2: the contents are made visible all over again.
INFORMATION STORAGE AND BUSINESS CONTINUITY
WHAT LIES AT THE HEART OF STORAGE MANAGEMENT AND WHAT MAKES IT SO CRUCIAL? ESPECIALLY TO COLLEGE STUDENTS AND LECTURERS WHO USE COMPUTERS IN A SHARED LAB.
INFORMATION STORAGE
Businesses use data to derive information that is critical to their day-to-day operations. Storage is a repository that enables users to store and retrieve this digital data. So do university students.
STORAGE PRIMITIVES IN OUR SCENARIO
Data: the files stored on the storage devices of our end users.
Devices: the external storage devices, including but not limited to pen drives, memory cards and external hard drives.
Downtime: the unavailability of access to saved files on these drives and media.
Cause of downtime: side effects of a virus infection.
BUSINESS CONTINUITY
Business continuity entails preparing for, responding to, and recovering from a system outage that adversely affects business operations. It involves proactive measures, such as business impact analysis, risk assessments, data protection and security, and reactive countermeasures, such as disaster recovery and restart, to be invoked in the event of a failure. The goal of a business continuity solution is to ensure the information availability required to conduct vital business operations.
In technical terms,
Business continuity (BC) is an integrated and enterprisewide process that includes all activities (internal and external to IT) that a business must perform to mitigate the impact of planned and unplanned downtime.
-- Ganesh Rajaratnam, Information Storage and Management
BUSINESS CONTINUITY IN OUR SCENARIO
Business continuity in our scenario means that users of the system get their files back, so that they can continue with their unfinished movie downloads or whatever other valuable piece of work was earlier disrupted.
HOW THIS SOLUTION WORKS
Our program essentially uses the attrib utility to reset the hidden and system attributes of the affected files.
In practice, it is not possible to alter a file's other attributes while its system attribute is set; the system attribute must therefore be unset before setting or resetting any other attribute.
On the other hand, the attrib utility cannot change the system attribute of a file whose hidden attribute is already set.
Thus it seems impossible to clear these attributes one at a time when both are set to begin with.
This program overcomes the glitch by exploiting another capability of the attrib program: more than one attribute operation can be specified in a single execution of attrib, so if both the system and hidden attributes are unset in a single invocation, the transition actually takes place.
This is, in fact, a built-in capability of the mode management in Microsoft's systems, which keeps users away from system files (e.g. IO.SYS, AUTOEXEC.BAT, MSDOS.SYS, etc.).
WIN32:SALITY / WIN32:KUKACHA HEALER: BETA VERSION
FILES:
healkukacha.bat: holds the actual code and error handling methods.
SpecifyDriveHere.bat: the user interface for the current system.
Readme.txt: the initial instructions for the user.
FEATURES
The tool accepts a drive letter and, without any heed to the contents, unsets the hidden and system attributes of everything on that drive.
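The recovery step explained under HOW THIS SOLUTION WORKS and performed by the healer tool above, as an added example: this is not the report's own healkukacha.bat (whose listing is not reproduced here) but a reconstruction of the same single-invocation attrib approach, with a guard against running on the Windows drive and a before/after count so the user can see the effect. The script name, label names and messages are my own choices.

```batch
@echo off
setlocal EnableExtensions
rem Added example of the recovery step, not the report's own healkukacha.bat.
rem Usage: heal.bat E
if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter^>
    exit /b 1
)
set "DRV=%~1"
set "DRV=%DRV:~0,1%"
if not exist "%DRV%:\" (
    echo Drive %DRV%: is not accessible.
    exit /b 1
)
rem Guard: the tool is meant for removable media, never for the Windows drive,
rem because it strips the system attribute from everything, boot files included.
if /i "%DRV%:"=="%SystemDrive%" (
    echo Refusing to touch the system drive %SystemDrive%.
    exit /b 1
)
call :count_hs BEFORE
rem The whole trick: clear S and H in ONE attrib call. As two calls,
rem "attrib -H" is refused while S is set and "attrib -S" is refused while H is set.
rem /S recurses into subfolders; /D applies the change to the folders themselves.
rem Like the report's tool, this also unhides legitimately hidden folders such as
rem System Volume Information, which is why it is restricted to removable media.
attrib -S -H "%DRV%:\*" /S /D
if errorlevel 1 (
    echo attrib returned errorlevel %errorlevel%; some entries may still be hidden.
)
call :count_hs AFTER
echo Hidden+system entries on drive %DRV%: - before %BEFORE%, after %AFTER%
rem Leftover shortcuts in the root are listed for manual review, not deleted.
for %%L in ("%DRV%:\*.lnk") do echo [review] shortcut left in root: "%%~fL"
exit /b 0

:count_hs
rem Store in the variable named by %1 how many entries on the drive are both
rem hidden and system; "find /c /v """ counts the lines that dir prints.
set "%~1=0"
for /f %%N in ('dir /b /s /ahs "%DRV%:\" 2^>nul ^| find /c /v ""') do set "%~1=%%N"
exit /b 0
```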
SUGGESTED IMPROVEMENTS
A review of the tool by some end users brought up the following avenues for improvement:
User interface: the users would like a more laid-back interface, with GUI capability.
Robustness: the program still contains bugs, because it is still in the development phase.
APPENDIX
PROGRAM LISTINGS
VIRUS PROFILE
Virus: Win32/Sality.AM
Encyclopedia entry
Updated: Apr 17, 2011 | Published: Jul 08, 2008
Aliases
Win32/Kashu.B (AhnLab)
Win32.Sality.NX (BitDefender)
Win32/Sality.W (CA)
Win32.Sector.5 (Dr.Web)
Win32/Sality.NAO (ESET)
W32/Sality.AJ (Frisk (F-Prot))
Virus.Win32.Sality.y (Kaspersky)
W32/Sality.AE (McAfee)
W32/Sality.AO (McAfee)
W32/Smalltroj.DXSV (Norman)
W32/Sality-AM (Sophos)
W32.Sality.AE (Symantec)
Win32.Sality.AK (VirusBuster)
Alert Level: Severe
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.133.411.0
Released: Aug 26, 2012
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008
http://www.microsoft.com/security/portal/Definitions/ADL.aspx
TOOLS USED
Virtualization software: Sun VirtualBox
Sun VirtualBox is a collection of powerful virtual machine tools, targeting desktop computers, enterprise servers and embedded systems. With VirtualBox, you can virtualize 32-bit and 64-bit operating systems on machines with Intel and AMD processors, either by using the hardware virtualization features provided by these processors or entirely in software, at your option. With VirtualBox, you can run unmodified operating systems, including all of the software that is installed on them, directly on top of your existing operating system, in a special environment called a "virtual machine". Your physical computer is then usually called the "host", while the virtual machine is often called the "guest".
Programming language: Windows batch script
With batch files, which are also called batch programs or scripts, you can simplify routine or repetitive tasks. A batch file is an unformatted text file that contains one or more commands and has a .bat or .cmd file name extension. When you type the file name at the command prompt, Cmd.exe runs the commands sequentially as they appear in the file. You can include any command in a batch file. Certain commands, such as for, goto and if, enable you to do conditional processing of the commands in the batch file. For example, the if command carries out a command based on the result of a condition. Other commands allow you to control input and output and call other batch files.
The standard exit codes that most applications return are 0 if no error occurred and 1 (or a higher value) if an error occurred.
Core system utility: attrib.exe
Synopsis of the attrib command is as described:
CONFIGURATION OF THE VIRTUAL MACHINE
General
Name: testbed
OS Type: Windows XP
System
Base Memory: 192 MB
Processor(s): 1
Boot Order: Floppy, CD/DVD-ROM, Hard Disk
VT-x/AMD-V: Enabled
Nested Paging: Disabled
Display
Video Memory: 12 MB
3D Acceleration: Disabled
Remote Display Server: Disabled
Hard Disks
IDE Primary Master: XP.vdi (Normal, 10.00 GB)
CD/DVD-ROM
Image: VBoxGuestAdditions.iso
Floppy: Not mounted
Audio
Host Driver: Windows DirectSound
Controller: ICH AC97
Network
Adapter 1: PCnet-FAST III (NAT)
Serial Ports: Disabled
USB: Enabled