Troubleshooting Common Computer Viruses Using Command-Line Interface
This paper discusses an alternative approach to troubleshooting computer viruses using the Command-Line Interface.
  • 1. TROUBLESHOOTING COMMON COMPUTER VIRUSES USING COMMAND-LINE INTERFACE
E.S. Orsarh (1) and M.O. AbdulRahman (2)
(1) Department of Industrial and Production Engineering, University of Ibadan, Nigeria, es.orsarh@mail.ui.edu.ng
(2) Department of Industrial and Production Engineering, University of Ibadan, Nigeria, moabdulrahmon@yahoo.co.uk

Abstract
Many anti-viral mechanisms have evolved since the emergence of computer viruses in the early 80s, and several algorithms have since been written, but the amount of malware still grows very rapidly around the globe. The majority of the existing anti-viral mechanisms hardly detect new viruses which exhibit new properties and behaviours, let alone remove them or restore infected user documents to their initial states. This paper introduces an alternative approach to troubleshooting computer viruses and restoring infected user documents to earlier states of un-infection using the Command-Line Interface.
A literature survey of early works on computer viruses begins the paper; abstract definitions of the computer virus follow, and a discussion of the existing anti-viral mechanisms concludes the survey. A step-by-step procedure is then developed to troubleshoot a sample real-world viral case using only command lines in the process.
Results show a 100% success in troubleshooting the sample virus, while infected user documents were also restored to their initial states without the use of anti-virus software.
Conclusions and recommendations show the need to consider this alternative method of anti-viral mechanism in troubleshooting common computer viruses in the cyber world.
Keywords: Command lines, Command-Line Interface, Computer viruses, and Troubleshooting.
Word count: 185
  • 2. 1.0 Introduction
The first International Business Machine (IBM) personal computer (PC) was introduced in August 1981. Initially, not many people used them, but today one can hardly imagine life without them, both at work and at home. Looking around workplaces when the power goes off, people are seen hanging around and chatting because they can hardly get work done without their computers. People have become very dependent on these machines and the information stored within them. However, as a thing becomes important, equally important is its security. Given the importance of the computer and its information, a significant portion of modern computing has been dedicated to securing the information being created and processed, but the computer virus has remained a major threat to data security and information integrity (Fagerland et al., 2003).
One may begin to wonder why there are viruses in the computer world and not bacteria or fungi, or even which virus it is that infects the computer system: the flu or HIV. Just as human beings and animals get infected by micro-organisms like bacteria and fungi, so the computer system gets infected by self-replicating malicious programs termed viruses.
The first use of the term 'virus' to refer to unwanted computer code was by the science fiction author David Gerrold, who wrote a series of short stories about a fictional supercomputer in the early 70s that were later merged into a novel in 1972 titled “When Harlie Was One” (Gerrold, 1972). The definition of virus in the novel, according to Spafford (1994), is “a program that alters other programs to include a copy of itself”.
In 1983, Fred Cohen incidentally discovered what we know today as the computer virus. At that time, he was a graduate student at the University of Southern California attending a seminar on computer security. A discussion in class inspired him to think about self-reproducing code. He assembled a small piece of code and demonstrated it in class. His advisor, Leonard Adleman, thinking about the behaviour of this new creation, suggested that he call it a “computer virus” (Spafford, 1994), which Cohen formally defined in Cohen (1985) as “a program that can infect other programs by modifying them to include an evolved copy of itself”. The word “virus” itself is Latin for “poison”. See Program I below for Cohen's first sample virus code.
  • 3. Program I: Cohen's Sample Virus Program (pseudo-code as given in Cohen, 1985)

    program virus :=
        {1234567;

        subroutine infect-executable :=
            {loop: file = get-random-executable-file;
            if first-line-of-file = 1234567 then goto loop;
            prepend virus to file;
            }

        subroutine do-damage :=
            {whatever damage is to be done}

        subroutine trigger-pulled :=
            {return true if some condition holds}

        main-program :=
            {infect-executable;
            if trigger-pulled then do-damage;
            goto next;}

        next:
        }

Source: Cohen, 1985

2.0 Computer Virus Problem
The spread of computer viruses accounts for a significant share of the financial losses that large organisations suffer from computer security problems, as shown in Power (2003). Computer viruses are continually being created, at a rate of 3 to 4 new viruses per day according to Goldberg et al. (1996), spreading and infecting millions of computers at very alarming rates. Unfortunately, however, the ability of many computer users to defend against the threat is quite poor, which makes the problem more difficult.
  • 4. Annual financial losses due to viral attacks increase worldwide at geometric rates. Statistical figures of the financial impact of these attacks show the estimates of worldwide economic damage caused by these malwares on an annual basis across the globe. See Tables I and II below.

Table I  Annual Financial Impacts of Major Virus Attacks, 1995-2003

    Year   Cost ($ billions)
    1995   0.5
    1996   1.8
    1997   3.3
    1998   6.1
    1999   12.1
    2000   17.1
    2001   13.2
    2002   11.1
    2003   12.5

Source: Cashell et al. (2004)

Table II  Worldwide Economic Damage Estimates for All Forms of Digital Attacks, 1996-2003

    Year   Lower limit ($ billions)   Upper limit ($ billions)
    1996   0.8                        1.0
    1997   1.7                        2.9
    1998   3.8                        4.7
    1999   19                         23
    2000   25                         30
    2001   33                         40
    2002   110                        130
    2003   185                        226

Source: Cashell et al. (2004)

3.0 Abstract Virology
Cohen (1985) proposed the abstract definition of the computer virus and likened it to the Turing machine. A Turing machine is a theoretical device that manipulates symbols on a strip of tape according to a table of rules. Despite its simplicity, a Turing machine can be adapted to simulate the logic of any computer algorithm, and is particularly useful in explaining the functions of a Central Processing Unit (CPU) inside a computer.
  • 5. The “Turing” machine was described by Alan Turing in 1936, who called it an 'a-(automatic-)machine'. The Turing machine is not intended as a practical computing technology, but rather as a thought experiment representing a computing machine. Turing machines help computer scientists understand the limits of mechanical computation (Wikipedia, 2011). Filiol et al. (2001) present Cohen's definition, considering the viral set with respect to the Turing machine, as described below.

3.1 Cohen's Definition
[Formal definition of the viral set V: only the symbol V survives in the slide transcript; the formula itself is not recoverable.]

  • 6. 4.0 Virus Structure and Operation
In Spafford (1994), true viruses have two major components: one that handles the spread of the virus, and a payload. The payload task may have a null effect, or it may await a set of predetermined circumstances before triggering. For a computer virus to work, it must add itself to other executable code, and then the viral code is executed before that of its infected host.
In the work of Aycock (2006), a computer virus basically consists of three modules: the Infect, Trigger and Payload modules. The Infect module defines how a virus spreads and modifies the host to contain a copy of the virus code. Payload defines the damage done by the virus, and Trigger decides whether to deliver the Payload or not. Trigger and Payload are optional in most viruses, though. Program II below shows sample pseudo-code of a typical computer virus, and Figure I displays a basic virus infection flow chart.

    def virus():
        infect()
        if trigger() is true then
            payload()

Source: Aycock (2006)
Program II: Pseudo Code of a Computer Virus
  • 7. [Figure I: Typical Virus Infection Flow Chart (Source: EC-Council, 2007). Steps: Start; Find a file to infect; Already infected? (YES / NO); Infect file; End.]

Ludwig (1996) argues, however, that every viable computer virus must have at least two basic parts to be considered a virus. It must contain a search routine, which locates new files for infection, and a copy routine, which copies the virus into the area the search routine locates; an additional component, the anti-detection routine, prevents the virus from being detected by antivirus detection mechanisms. The anti-detection routine can either be a part of the search or copy routines, or functionally separate from them, as in most viruses. See Figure II below for a diagrammatic representation of the component parts of a computer virus.
  • 8. [Figure II: Functional Diagram of a Computer Virus (Source: Ludwig, 1996). The virus consists of a Search routine and a Copy routine; the Anti-detection routine can either be a part of the search or copy routines or functionally separate from them.]

5.0 Anti-Viral Defence Mechanisms
There are several methods of defence against computer viruses; unfortunately, however, no defence mechanism is perfect. Cohen (1985) and Adleman (1988) have shown proofs that the problem of writing a program to exactly detect all viruses is formally undecidable, as it is not possible to write a program that will detect every virus without any error (Spafford, 1994). This section presents some of the most popular techniques used by anti-virus software to detect computer viruses.

5.1 Scanners
Scanning for viruses is the oldest and most popular method for locating viruses (Ludwig, 1995). A scanner operates by reading data from a disk and applying pattern matching operations against a list of known virus patterns. If a match is found for a pattern, a virus instance is announced (Spafford, 1994).
Scanners are fast and easy to use, but they suffer from many disadvantages. Foremost among the disadvantages is that the list of patterns must be kept up to date. In the MS-DOS world, new
  • 9. viruses are appearing by as many as several dozen each week. Keeping a pattern file up to date in this rapidly changing environment is quite difficult (ibid.).
A second disadvantage of scanners is false positive reports. As more patterns are added to the list, it becomes more likely that one of them will match some otherwise legitimate code, and a false positive is announced. A further disadvantage is that polymorphic viruses cannot be detected with ordinary scanners (ibid.).

5.2 Signature Detection Technique
A signature is a string of bits found in a virus (Stamp, 2005). An effective signature is a string of bits which is commonly found in viruses but not likely to be found in normal programs. Generally each virus has its own unique signature. All known signatures are organised in a database. A signature-based virus detection tool searches for a known signature in all the files on a system. The following example is a signature of the W32/Beast virus in infected executable files:

    83EB 0274 EB0E 740A 81EB 0301 0000

The virus scanner searches all executable files for this signature. If this signature is present in any executable file, it is declared as a Beast virus. However, this technique is not very effective when not much is known about a virus' signature, or if it is a completely new virus attack (Ronak, 2010).

6.0 Command-Line Interface
The Command-Line Interface is a mechanism for interacting with a computer operating system or software by typing commands to perform specific tasks. This contrasts with the use of the mouse pointer in the Graphical User Interface (GUI) to click on options or menus. This method of instructing a computer to perform a given task is referred to as entering a command, as the system waits for the user to conclude submission of the text command by pressing the “Enter” key. The Command-Line Interface is often used by programmers and system administrators, in engineering and scientific environments, and by technically advanced personal computer users.
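To make the signature matching of section 5.2 concrete, here is an added Python example that is not part of the paper. It converts a signature written in the paper's spaced-hex notation into bytes and searches a buffer (or a file) for every listed signature, returning the byte offset of each match. The W32/Beast signature is the one quoted in section 5.2; the "Test/Constructed" signature and the two sample buffers are constructed for this demonstration and stand in for executables.

```python
import re
from typing import Dict, List, Tuple

# Signatures in the spaced-hex notation used in section 5.2. The W32/Beast entry
# is the one quoted in the paper; "Test/Constructed" is made up for this example.
SIGNATURES: Dict[str, str] = {
    "W32/Beast": "83EB 0274 EB0E 740A 81EB 0301 0000",
    "Test/Constructed": "DEAD BEEF CAFE",
}


def parse_signature(hex_text: str) -> bytes:
    """Convert '83EB 0274 ...' into the raw bytes a scanner compares against."""
    cleaned = re.sub(r"\s+", "", hex_text)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError(f"malformed signature: {hex_text!r}")
    return bytes.fromhex(cleaned)


def scan_bytes(data: bytes, signatures: Dict[str, str] = SIGNATURES) -> List[Tuple[str, int]]:
    """Return (signature name, byte offset) for every occurrence of every signature.

    This is the pattern-matching step of a scanner (section 5.1): a plain
    substring search. The longer the signature list, the more likely one
    pattern also occurs in legitimate code, which is the false-positive
    problem the paper describes.
    """
    hits: List[Tuple[str, int]] = []
    for name, hex_text in signatures.items():
        pattern = parse_signature(hex_text)
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits


def scan_file(path: str, signatures: Dict[str, str] = SIGNATURES) -> List[Tuple[str, int]]:
    """Scan one file from disk.

    The whole file is read at once; a production scanner would read in chunks
    and keep an overlap of (longest signature - 1) bytes between chunks so that
    a signature straddling a chunk boundary is still found.
    """
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), signatures)


# Constructed sample buffers standing in for executables (not real programs):
# a clean one, and one with the W32/Beast signature embedded at offset 22.
CLEAN_SAMPLE = b"MZ" + b"\x90" * 40 + b"hello world"
INFECTED_SAMPLE = b"MZ" + b"\x90" * 20 + parse_signature(SIGNATURES["W32/Beast"]) + b"\x00" * 8


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, scan_bytes(blob) or "no signature found")
```

The search is deliberately naive: it reports every signature in the list, so a pattern that happens to appear in a benign program is reported too, which is exactly why the paper notes that the pattern list must be curated and kept current.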
  • 10. However, to use the Command-Line Interface, a Command-Line Interpreter is necessary. A Command-Line Interpreter is a computer program that reads lines of text entered by a user and interprets them in the context of a given operating system or programming language. Command-line interpreters allow users to issue commands in a very efficient way (Wikipedia, 2011).
As at the time of this writing, Command Prompt and Windows PowerShell are the two interpreters available on Microsoft operating systems. This paper adopts the use of Command Prompt, accessible through “Start > All Programs > Accessories > Command Prompt” or invoked through the “Run utility” by entering “cmd” without quotes after pressing “Start key and R”. Plate I below shows a typical command prompt window.

[Plate I: Typical Command Prompt Window]

6.1 Command Lines
Listed below are the commands used in the study.
    I.   ATTRIB
    II.  DEL
    III. DIR
    IV.  RD / RMDIR
  • 11. 6.1.1 ATTRIB
This command displays or changes the attributes of a given file.
Syntax: ATTRIB [+attribute | -attribute] [Pathname]
Keys:
    +   Turns an attribute ON
    -   Turns an attribute OFF
Pathname: e.g. C:\Users\al mubaarak\Virus.exe
Attributes:
    R   Read-only
    S   System
    H   Hidden
    A   Archive
If a file “Virus.exe”, for example, possesses the attribute H (hidden), it is ordinarily invisible under the GUI. It can, however, be brought into view by removing the hidden attribute thus:

    ATTRIB -H Virus.exe

But if the file has both the hidden and system attributes, both can be cleared by a single ATTRIB command:

    ATTRIB -S -H Virus.exe

The attributes of directories can also be viewed or changed. To use ATTRIB with a directory, the directory name must be stated (a path containing spaces, such as this one, must be enclosed in double quotes or the interpreter splits it into two arguments):

    ATTRIB "C:\Users\al mubaarak"             (views directory attributes)
    ATTRIB -S -H -R "C:\Users\al mubaarak"    (changes directory attributes)

6.1.2 DEL
This command deletes one or more files.
Syntax: DEL [Option] [/A:Attributes] File_to_delete
Option: /A   Select files to delete based on file attributes.
  • 12. Attributes:
    R   Read-only      -R   NOT Read-only
    S   System         -S   NOT System
    H   Hidden         -H   NOT Hidden
To remove a file with both System and Read-only attributes, for example, DEL is entered thus:

    DEL /a:S /a:H Virus.exe

6.1.3 DIR
This command displays a list of files and subfolders in a given directory.
Syntax: DIR [Pathname] [Options]
Pathname: Specify the drive, folder, and/or files to display.
Option: /A   Show all files, including hidden and system files.

6.1.4 RD / RMDIR
This command removes a directory and its contents.
Syntax: RMDIR [/S] [/Q] [pathname]
        RD [/S] [/Q] [path]
Keys:
    /S   Removes all directories and files in the specified directory in addition to the directory itself. It is used to remove a directory tree.
    /Q   Quiet mode: do not confirm before removing a directory tree with /S.
Pathname: e.g. C:\Users\al mubaarak
  • 13. 7.0 Procedure for Troubleshooting Computer Viruses
The procedure for troubleshooting computer viruses and restoring infected documents is outlined below.
7.1 Step 1
Insert the device into the computer through the appropriate channel, e.g. the USB port for USB devices.
7.2 Step 2
Open the Command-Line Interface by invoking the Command Prompt. Press “Start key and R” to open the “Run utility”, and then enter “cmd” without quotes.
7.3 Step 3
At the CLI prompt, enter the device's drive letter followed by a colon to switch to the drive.
7.4 Step 4
Check the device contents to view the viruses and infected documents by entering the DIR /A command.
7.5 Step 5
Using ATTRIB, check the attributes of the viruses and use DEL to remove them according to those attributes.
7.6 Step 6
Restore the infected documents to their initial states by first checking their attributes and then modifying them appropriately with the ATTRIB command.

8.0 Implementation
Having developed a six-step procedure for troubleshooting viruses, this section shows the actual application of the procedure in removing real-world computer viruses and restoring
  • 14. infected user documents to their earlier states using the Command-Line Interface. Table III below shows a real-world viral case with the symptoms observed by the user.

Table III  Collected virus-infected device

    S/N   Item               Source    Symptoms
    1     USB Flash Device   Student   User documents “Project” and “Appendix.pdf” suddenly disappeared from the device and were replaced with the unknown items Project.lnk and Appendix.lnk after contact with an infected computer.

8.1 Case 1
This case features a computer virus that displaces user documents by hiding them and replacing them with viral copies bearing the same names, so the user normally thinks his/her files have been deleted or moved away from the device.
To troubleshoot the case, having applied the instructions in steps 1 to 3 above, the DIR, DEL and ATTRIB commands were used according to step 4 above. DIR was used to view the device contents and establish the actual number of items on the device, DEL to remove the viruses, and ATTRIB to restore infected files and folders to their initial states of un-infection.
DIR was specified with the /A key to view all the device contents, including hidden files and folders. The missing device items “Project” and “Appendix.pdf” quickly became visible, and an unknown virus file, “Ontario.exe”, was also sighted on the device; all of these were ordinarily invisible in the GUI. See Plate II below.
  • 15. Proceeding to step 5 to remove “Ontario.exe”, its attributes were first determined by entering ATTRIB, as shown in Plate III below. “Ontario.exe”, however, possessing the system, hidden and read-only attributes, can neither be seen under the GUI nor removed with an ordinary DEL command. DEL was therefore specified with the SHR attributes to achieve the virus removal. See Plate IV below.
Step 6 was followed to restore the infected documents to their initial states, using ATTRIB to view their respective attributes before the actual restoration was performed. Plate V below shows the attribute check, while Plate VI shows the attribute modification, otherwise called restoration.

[Plate II: Contents of the infected device listed with the DIR /A command; the missing user items and the virus file are marked.]
[Plate III: Attributes of “Ontario.exe” shown with the ATTRIB command.]
  • 16. [Plate IV: Removal of “Ontario.exe” using the DEL command specified with the SHR attributes.]
[Plate V: Attributes of the infected user documents shown with the ATTRIB command.]
[Plate VI: Modification of the infected user documents' attributes with the ATTRIB command to achieve restoration to their initial state.]
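The Case 1 procedure above (DIR /A to reveal hidden items, ATTRIB to inspect attributes, DEL selected by attribute, and ATTRIB -S -H -R to restore the user's documents) can be turned into a reviewable triage step. The following Python program is an added example and is not part of the paper or its authors' work: it parses a constructed ATTRIB listing modelled on the Case 1 device, flags system+hidden executables and visible .lnk decoys whose names shadow hidden items, and emits the ATTRIB and DEL command lines for an operator to review. It never deletes or modifies anything itself. The sample listing, the column layout assumed for ATTRIB output, the extension list and the combined /A:SHR form of the DEL selector are assumptions of this example.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Extensions this triage treats as executable content (assumed list).
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}

# Constructed sample: the kind of listing `ATTRIB E:\*` prints for the Case 1
# device. Attribute letters occupy the left columns, the full path the right.
SAMPLE_ATTRIB_OUTPUT = r"""
   SH        E:\Project
A  SH        E:\Appendix.pdf
A  SHR       E:\Ontario.exe
A            E:\Project.lnk
A            E:\Appendix.lnk
A            E:\Notes.txt
"""

# Attribute letters (possibly space-separated), whitespace, then a drive-rooted path.
ATTRIB_LINE = re.compile(r"^([A-Z ]*?)\s+([A-Za-z]:\\.+?)\s*$")


@dataclass
class Entry:
    path: str
    flags: Set[str]

    @property
    def name(self) -> str:
        return ntpath.basename(self.path)

    @property
    def stem(self) -> str:
        return ntpath.splitext(self.name)[0].lower()

    @property
    def ext(self) -> str:
        return ntpath.splitext(self.name)[1].lower()

    @property
    def invisible_in_gui(self) -> bool:
        # System + Hidden together is what keeps an item out of the default GUI view.
        return {"S", "H"} <= self.flags


def parse_attrib_output(text: str) -> List[Entry]:
    """Parse ATTRIB output lines into entries; blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ATTRIB_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ATTRIB line: {line!r}")
        entries.append(Entry(path=m.group(2), flags=set(m.group(1).replace(" ", ""))))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Classify the listing and return the command lines an operator should review.

    Nothing is executed here: commands are returned as strings so they can be
    checked against the DIR /A view before any of them is run.
    """
    report: Dict[str, List[str]] = {
        "suspicious_executables": [], "decoy_shortcuts": [],
        "delete_commands": [], "restore_commands": [],
    }
    hidden = [e for e in entries if e.invisible_in_gui]
    hidden_stems = {e.stem for e in hidden}
    for e in entries:
        if e.invisible_in_gui and e.ext in EXECUTABLE_EXT:
            # Step 5: a system+hidden executable on a removable device is the virus
            # candidate; DEL must be given its attributes (SHR in Plate IV) to remove it.
            attrs = "".join(c for c in "SHR" if c in e.flags)
            report["suspicious_executables"].append(e.path)
            report["delete_commands"].append(f'DEL /A:{attrs} "{e.path}"')
        elif e.ext == ".lnk" and e.stem in hidden_stems and not e.invisible_in_gui:
            # A visible shortcut named after a hidden item is the decoy the user
            # saw in place of the real document.
            report["decoy_shortcuts"].append(e.path)
            report["delete_commands"].append(f'DEL "{e.path}"')
    for e in hidden:
        if e.path not in report["suspicious_executables"]:
            # Step 6: clear the attributes the infection set on the user's own items.
            report["restore_commands"].append(f'ATTRIB -S -H -R "{e.path}"')
    return report


if __name__ == "__main__":
    for key, lines in triage(parse_attrib_output(SAMPLE_ATTRIB_OUTPUT)).items():
        print(key)
        for line in lines:
            print("   ", line)
```

Every emitted path is double-quoted so that names with spaces (such as the "al mubaarak" directory in section 6.1.1) survive intact; the restore list deliberately excludes the executable, since clearing its attributes would only make the virus visible rather than removing it.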
  • 17. 9.0 Conclusion
The Command-Line Interface, having successfully troubleshot a real-world computer virus through the above procedure, would be useful in minimising data threats and information insecurity. This technique, if adopted, should put a gradual stop to the menace of computer viruses, and consequently help maximise global financial profits and minimise sudden system breakdowns.

10.0 Recommendations
This paper recommends that:
    i.  This novel technique be introduced to computer users across the globe to help put a gradual stop to sudden data losses and information insecurity.
    ii. More attention should be drawn to the use of the CLI, as other benefits are likely to be unleashed therefrom.

References
Adleman, L.M., 1988. An Abstract Theory of Computer Viruses. In: Goldwasser, S. (ed.), 1988. Advances in Cryptology - CRYPTO'88, Vol. 403, pp. 354-374. Springer-Verlag, London, England.
Aycock, J., 2006. Computer Viruses and Malware. Advances in Information Security, Vol. 22, Springer-Verlag, ISBN 978-0-387-30236-2.
Cashell, B., William, D.J., Mark, J. and Baird, W., 2004. The Economic Impact of Cyber-Attacks. CRS Report for Congress, Order Code RL32331.
Cohen, F., 1985. Computer Viruses. PhD thesis, University of Southern California.
Fagerland, S., Moon, S., Walls, K., Bretteville, C. and Ness, Y., 2003. Norman Book on Computer Viruses. Norman ASA.
Filiol, E., Marko, H. and Stefano, Z., 2001. Open Problems in Computer Virology. École Supérieure et d'Application des Transmissions, Laboratoire de virologie et de cryptologie, B.P. 18, 35998 Rennes, France. Accessed 5th May 2011 through: <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.138.5291&rep=rep1&type=pdf>
Gerrold, D., 1972. When Harlie Was One. In: Spafford, E.H., 1994. Computer Viruses as Artificial Life. Journal of Artificial Life, Vol. 1, No. 3, pp. 249-265. MIT Press, Cambridge, MA, USA.
Goldberg, L.A., Goldberg, P.W., Philips, C.A. and Sorkin, G.B., 1996. Constructing Computer Virus Phylogenies. Retrieved 7th May 2011 through: <http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.51.9419&rep=rep1&type=pdf>
International Council of Electronic Commerce Consultants (EC-COUNCIL), 2007. Writing Virus Codes. Microsoft PowerPoint slides in Certified Ethical Hacker, version 5, module 25.
Ludwig, M.A., 1996. The Little Black Book of Computer Viruses. American Eagle Publications, Inc., Post Office Box 1507, Show Low, Arizona 85901, Volume 1.
Microsoft Windows Command Prompt. Windows Command Lines [Version 6.1.7600]. Copyright © 2009 Microsoft Corporation.
Power, R., 2003. CSI / FBI Computer Crime and Security Survey. Computer Security Issues and Trends, Volume VIII. Computer Security Institute.
Ronak, S., 2010. Metamorphic Viruses with Built-in Buffer Overflow. M.Sc. Dissertation, San Jose State University. Accessible through: <www.cs.sjsu.edu/faculty/stamp/students/shah_ronak.pdf> [Accessed 6th April 2011]
Spafford, E.H., 1994. Computer Viruses as Artificial Life. Journal of Artificial Life, Vol. 1, No. 3, pp. 249-265. MIT Press, Cambridge, MA, USA.
Stamp, M., 2005. Information Security: Principles and Practice. Wiley-Interscience, John Wiley and Sons, Inc., Hoboken, New Jersey, USA. 1st edition, ISBN 0471738484.
Wikipedia, the free encyclopedia. Turing Machine. Accessed 20 May 2011 through: <http://en.wikipedia.org/wiki/Turing_machine>