Running Head: Batch File Virus Project Final Paper
Final Project Paper
By: Stephen L. Whisman
Student ID # 1698547
Embry-Riddle Aeronautical University
Spring 2015
4/27/2015
Batch File Virus Project Final Paper
The final project that I chose was to create a virus that is hosted on a
flash drive and runs automatically when the drive is plugged into a computer.
The program executes almost completely invisibly, navigates to one or more
specific, pre-programmed directories, and steals the files it finds there.
After all of the files in a targeted directory have been copied to a location
on the USB drive, they are deleted from the directory they were taken from.
Once the files are deleted, the program copies a large picture file onto the
victim computer and replicates that file until the directory is completely full.
Unfortunately, when I first started working on this program I realized
that Windows had disabled the AutoRun function for removable media, precisely
to stop malicious software such as this from being executed automatically,
and I was unable to find a workaround to this problem for quite a few weeks.
However, I had previously heard of a method of creating a small partition on a
flash drive that the computer interprets as a CDFS partition. The idea came
from the U3 smart drives of the mid-to-late 2000s, which would automatically
launch applications from a CDFS partition on the flash drive when the drive
was inserted. This is important for my project because Windows 7 and later
versions can still AutoRun software from a CD if the targeted computer has
the AutoRun-from-CD feature for software enabled.
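The setting the paper depends on is the NoDriveTypeAutoRun policy, a REG_DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (and the same path under HKCU) in which each set bit blocks AutoRun for one drive type. The following is an added example written for this page, not code from the paper; the bit layout, the Windows 7 default of 0x91 and the fact that Windows 7 ignores autorun.inf on non-optical media regardless of this value are documented Windows behaviour, while the function names are my own. Because the emulated CDFS partition is reported as a CD-ROM, the 0x20 bit is the one that decides whether the technique described above can fire at all.

```python
"""Interpret the Windows NoDriveTypeAutoRun policy value.

Added example, not code from the paper. The bit layout is the documented
one for the REG_DWORD value NoDriveTypeAutoRun under
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
(and the same path under HKCU). A set bit disables AutoRun for that
drive type; 0x91 is the Windows 7 default, 0xFF disables AutoRun everywhere.
"""
import sys

DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,     # USB mass-storage volumes
    "fixed": 0x08,
    "remote": 0x10,        # network shares
    "cdrom": 0x20,         # optical drives, including an emulated CDFS partition
    "ramdisk": 0x40,
    "unrecognized": 0x80,
}

WINDOWS7_DEFAULT = 0x91  # blocks only unknown, remote and unrecognized types
HARDENED = 0xFF          # blocks every drive type


def autorun_disabled(policy_value, drive_type):
    """True if the policy bit for this drive type is set (AutoRun blocked)."""
    return bool(policy_value & DRIVE_TYPE_BITS[drive_type])


def audit(policy_value):
    """Return the drive types for which AutoRun is still permitted."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not policy_value & bit]


def cdfs_trick_blocked(policy_value):
    """The emulated CDFS partition is seen as a CD-ROM, so the 0x20 bit decides.

    Windows 7 ignores autorun.inf on non-optical media regardless of this
    value, which is why the paper needed an emulated CD in the first place.
    """
    return autorun_disabled(policy_value, "cdrom")


def read_policy_value(hive="HKLM"):
    """Read the live value on Windows; returns the default when it is unset.

    Only callable on Windows (uses the standard winreg module).
    """
    if sys.platform != "win32":
        raise OSError("registry access is only available on Windows")
    import winreg
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(root, path) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except FileNotFoundError:
        return WINDOWS7_DEFAULT


if __name__ == "__main__":
    for value in (WINDOWS7_DEFAULT, HARDENED):
        print(f"0x{value:02X}: AutoRun still allowed on {audit(value) or 'nothing'}")
```

On a Windows host, `read_policy_value()` can be checked for both hives; a value of 0xFF in HKLM is the usual hardened setting, and anything that leaves the cdrom bit clear leaves the CD-based launch path open.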
Further research revealed that SanDisk discontinued its line of U3
smart drives after a deal with Microsoft, most likely for security reasons,
and the idea of CDFS-partitioned flash drives started to fade from
commercial retail. However, programmers from around the world continued
to develop open source software capable of re-formatting flash drives to
have a CDFS partition alongside a normal NTFS partition. The issue with
these re-formatting programs is that they are chipset dependent: a given
tool is only capable of formatting the USB drives built around the chipset
it was written for.
This presented another problem: not all flash drives can be formatted
in this way, and trying to do so without the proper software tools or USB
drives would result in permanent damage to the removable media. I was,
however, able to discover a database of disk partitioning utilities on a
website called USBDev.ru, which hosts a vast variety of disk utilities, as
shown in Figure 1. In order to reformat a USB drive properly I needed to
search the entire database for the tool that worked specifically for one of
my flash drives' chipsets. This took many failed attempts, and it turned out
that I just so happened to have one flash drive that was formattable with a
CDFS partition.
Figure 1: USBDev.ru
The flash drive that I was able to use for my project is a SanDisk Ultra
USB 3.0 16GB. In order to find the chipset used in the USB drive I used three
tools from USBDev.ru called CheckUDisk, ChipEasy, and FlashGenius. These
utilities showed me that my USB drive has a Phison PS2251-03 chipset
controller. The software I required to format my USB drive properly is a
formatting tool called Phison ModeConverter, which is capable of creating one
NTFS partition and also a CDFS partition with a premade .ISO file "burned"
into it. The .ISO file stores all of the script files that are to be loaded
into the CDFS partition and is created by a free ISO creator called Free ISO
Creator. Figure 2 shows this program taking the directory that holds all of
my .bat, .vbs, and .inf files that make up the virus and compressing it into
an .ISO file.
Figure 2: Free ISO Creator
Once the ISO file has been created, the flash drive is inserted into a
free USB port and Phison ModeConverter is launched. ModeConverter
automatically finds the drive letter associated with any Phison chipset
controller so the user does not accidentally try to format a drive that is
not compatible. Next the proper settings are chosen, the NTFS partition is
named, and the ISO file created earlier is chosen to be "burned" into the
CDFS partition. The naming of the NTFS partition is important because the
.bat file uses this name to identify which drive to copy data to.
Then the convert button is clicked and the directions are followed until the
removable media has been fully formatted. Figure 3 shows ModeConverter
with the correct settings and drive name before and after convert is clicked.
Figure 3: ModeConverter with Correct Settings and Drive Name, Before and After Conversion
Once the flash drive has been formatted it is immediately ready to use
when it is plugged back into the computer. In order to test the program I
needed to set up a few virtual machines, to prevent damage to my home
computer, which required me to install Oracle VirtualBox. VirtualBox allows
a virtual machine to be created that can be used to test software. With this
program I created virtual hard drives installed with Windows 7 Home Premium
64-Bit and copied them onto a removable hard drive. Once one of these virtual
machines is running, the AutoRun setting for software on CDs is selected.
Now the USB drive can be inserted into the virtual machine to test how it
executes. Figure 4 shows the virtual machine's auto-run settings with the
correct values selected in the image on the left, while the image on the
right shows what the user of the computer should see when the script is
running correctly.
Figure 4: Auto-Run Settings with Correct Values (Left) and Correct Program Execution (Right)
You may have noticed that in the right-hand image of Figure 4 there is no
command line running and it looks like nothing is happening, when in reality
the program is running invisibly in the background. This is because the
CDFS partition of the USB drive contains a file called launch.bat that
starts wscript.exe with the invisible.vbs script file and virus.bat. The
invisible.vbs file contains a short script that lets virus.bat run
invisibly, with the exception of a blank command window popping up for less
than a second when the program starts executing. Figure 5 shows the contents
of invisible.vbs displayed in Notepad.
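The launch chain described here leaves a clear mark in process-creation telemetry: explorer.exe starting a script host whose arguments point at a script on an optical or removable volume. The following is an added detection example written for this page, not code from the paper. The events are constructed key=value lines modelled loosely on Sysmon Event ID 1 fields (Image, CommandLine, ParentImage), and the drive-letter-to-type table stands in for what a collector would obtain from GetDriveTypeW on the host; the file names reuse the ones the paper mentions.

```python
"""Flag script hosts launched with scripts that live on CD-ROM or removable
volumes, the pattern produced by an AutoRun launch.bat -> wscript.exe chain.

Added example, not code from the paper. Event lines and the drive table
below are constructed for the demonstration.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
# A drive-letter path ending in a script extension, quoted or bare.
SCRIPT_PATH_RE = re.compile(
    r'([A-Za-z]:\\[^"\s]+?\.(?:vbs|vbe|js|jse|wsf|bat|cmd))', re.IGNORECASE
)

# Constructed stand-in for GetDriveTypeW() results on the monitored host.
DRIVE_TYPES = {"C:": "fixed", "D:": "removable", "E:": "cdrom"}

# Constructed process-creation events, one per line, fields separated by '|'.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\wscript.exe|CommandLine="wscript.exe" "E:\invisible.vbs" "E:\virus.bat"|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c C:\Users\alice\build.bat|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //nologo C:\Scripts\inventory.vbs|ParentImage=C:\Windows\System32\svchost.exe',
    r'Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe D:\setup\helper.vbs|ParentImage=C:\Windows\explorer.exe',
]


def parse_event(line):
    """Split 'k=v|k=v|...' into a dict; values may contain spaces and quotes."""
    return dict(field.split("=", 1) for field in line.split("|"))


def evaluate(event, drive_types=DRIVE_TYPES):
    """Return an alert dict for a suspicious launch, or None."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in SCRIPT_HOSTS:
        return None
    hits = []
    for script in SCRIPT_PATH_RE.findall(event["CommandLine"]):
        dtype = drive_types.get(script[:2].upper(), "unknown")
        if dtype in ("cdrom", "removable"):
            hits.append((script, dtype))
    if not hits:
        return None
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    # An AutoRun launch comes from the shell and, on Windows 7, from optical media.
    from_autorun = parent == "explorer.exe" and any(t == "cdrom" for _, t in hits)
    return {"image": image, "scripts": hits, "severity": "high" if from_autorun else "medium"}


def scan(lines, drive_types=DRIVE_TYPES):
    """Run the rule over raw event lines and collect the alerts."""
    alerts = (evaluate(parse_event(line), drive_types) for line in lines)
    return [alert for alert in alerts if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["scripts"])
```

Of the four constructed events only the first and last trigger: the CDFS launch is rated high because it arrives via explorer.exe from a CD-ROM volume, the helper script on a plain removable drive is rated medium, and the two scripts on the fixed disk are ignored.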
Figure 5: Contents of Invisible.vbs
Before going any further I would like to explain why I chose a batch
file as my virus and what a batch file is. I chose a batch file because
batch files can perform a variety of tasks and are more difficult to detect
than programs in many other programming languages. They are commonly used
to automatically update things when a certain event occurs and to format
data storage media. They can also be used to steal information, irritate
victims by wasting CPU resources, delete Windows files, and disable both
the antivirus and the firewall ("Microsoft Corporation", 2015).
Batch files, also called batch programs or scripts, were designed to
simplify routine or repetitive tasks back in MS-DOS. They still exist today
as a relatively unused and little-known feature of Windows operating systems.
A batch file is an unformatted text file that contains one or more commands
for the command line and is saved with a .bat or .cmd extension. Any command
that works in the Windows command line is allowed, along with constructs
such as for loops, goto statements, and if statements that tell the program
what to do when executing ("Batch File", 2015). When one of these script
files is executed, the commands within it are executed line by line until
the end of the file is reached, which terminates the script. The only
exceptions to this sequential execution are a for loop and a goto statement.
My virus's launch.bat file, which initiates the execution of virus.bat,
is called by the autorun.inf file that the computer automatically launches
once the removable media is plugged in. The batch file called virus.bat is
the main script file: it contains the code that checks whether the
pre-programmed drives exist and the code that copies, erases, and fills the
working directory with junk. Figure 6 below shows all of the files that
are formatted into the CDFS partition on the left and the contents of
virus.bat on the right.
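Because autorun.inf is the first link in the chain just described, the quickest triage of a suspect volume is to parse that file and report what it would launch. The following is an added example written for this page, not code from the paper; autorun.inf is an INI-style file whose [autorun] section may carry open=, shellexecute=, icon=, label= and shell\<verb>\command= keys (documented Windows syntax), and both sample files below are constructed, with the first one mirroring the launch.bat entry the paper describes.

```python
"""Triage an autorun.inf file: list its launch targets and flag script files
or script hosts among them.

Added example, not code from the paper. The two sample files are constructed.
"""
import re
from pathlib import PureWindowsPath

LAUNCH_KEYS = {"open", "shellexecute"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}

# Constructed sample resembling the launch chain the paper describes.
SUSPICIOUS_INF = """\
[AutoRun]
open=launch.bat
icon=drive.ico
label=Removable Disk
"""

# Constructed benign sample: only cosmetic keys, nothing is executed.
BENIGN_INF = """\
[autorun]
icon=setup.ico
label=Driver CD
"""


def parse_inf(text):
    """Minimal INI parser: {section: {key: value}} with names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    """Return (key, value) pairs in [autorun] that would cause a program to run."""
    autorun = parse_inf(text).get("autorun", {})
    targets = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append((key, value))
    return targets


def assess(text):
    """Flag launch targets that are script files or invoke a script host."""
    findings = []
    for key, value in launch_targets(text):
        parts = value.split()
        first = parts[0].strip('"') if parts else ""
        name = PureWindowsPath(first).name.lower()
        suspicious = name in SCRIPT_HOSTS or PureWindowsPath(name).suffix in SCRIPT_EXTS
        findings.append({"key": key, "target": value, "suspicious": suspicious})
    return {"launches": findings, "suspicious": any(f["suspicious"] for f in findings)}


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_INF), ("benign", BENIGN_INF)):
        print(label, assess(sample))
```

Run against a mounted volume, the same functions take the text of `<drive>:\autorun.inf`; a report with `suspicious` set is reason to quarantine the media before the AutoRun prompt is ever accepted.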
Figure 6: All Files Part of the CDFS Partition (Left) and Contents of virus.bat (Right)
The program that I have written above is extremely modifiable and can
easily be changed to implement other potentially harmful actions. For
example, code could be added that searches for every available storage
drive letter in order to copy all the data connected to a computer. Other
code could save a separate .bat file, one that copies junk files into a
hidden directory, into the Windows file system and cause it to run
automatically on computer startup. This would be a useful function because
it effectively uses up all of the system storage and the victim would have
a hard time finding out why.
I wanted to implement a way to disable the antivirus, firewall, and
networking capabilities but was unable to find a way. I was able to create
a batch file that did all of these things, but it could not be run
invisibly. Since I want the virus to run invisibly this was unacceptable, so
I decided not to include it in my final submission. I also wanted to
implement a way to run automatically on system startup but honestly ran out
of time and was unable to add it to the final submission. Figure 7 shows the
code needed to disable the system security, firewall, and network adapter.
Figure 7: Network Capability and Security Disable
Overall, batch files can be both an incredibly useful and a dangerous
tool. That said, they are also very difficult to write and fully understand
if the programmer does not know the proper syntax of the MS-DOS command line
interface. One space in the wrong location will cause the batch file to
operate improperly, resulting in a faulty execution.
The final submission does function correctly and has been used to copy
more than 2GB of data at a time from multiple disk drives connected to a
computer, even ones that are shared over a network. It also deletes the
user's profile directory and fills it with junk files, which can result in
loss of valuable information because that space is now holding new data
instead of just being unindexed on disk. Figure 8 shows the user directory
after the virus has finished executing. Notice that the computer is giving
an error message that it is low on disk space because of the junk file
replication.
Figure 8: User Directory After
In conclusion, I am disappointed that I was unable to implement more
advanced features in this project because of time constraints. This project
is probably something that I will continue to slowly modify in my free time.
I was continually challenged and confused by the batch script syntax and
also had a difficult time navigating USBDev.ru even after the page had been
translated from Russian to English. There are so many different tools and
versions of tools that even the ones listed for your chipset controller may
not work. Just discovering which chipset controller my drives had was a
lengthy task because a lot of the tools are also extremely buggy. I found
this project quite challenging and feel that I have a much greater
understanding of how malicious programs are able to cause so much
frustration to a victim and damage to a computer.
Bibliography
Batch File Help. (2015). Retrieved April 27, 2015, from http://www.computerhope.com/batch.htm
Microsoft Corporation. (2015). Retrieved April 27, 2015, from http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/batch.mspx?mfr=true