CVI PRS Computer Virus Information Propagation Research System

  • Slides: 11
CVI / PRS: Computer Virus Information / Propagation Research System
Eric Miller and Brian Schill
CS 522

Why?
  • There are many viruses that are not researched by the major virus detection companies.
  • We believe this project and research could eventually lead to more successful proactive virus detection systems.
  • Exploring the capabilities of VMWare.

Setup and Tools
  • VMWare – virtual operating system
  • CVI / PRS – custom software for monitoring software
  • Virus types

VMWare
  • Windows 98 guest OS running on a Windows XP host
  • Disabled networking
  • Easy restoration
  • Controlled environment

CVI / PRS
  • Java application that monitors virus activity on the guest OS
  • Run on the guest OS
  • Watches for changes in the directory
      • DirWatcher.java
  • Virus database

Virus Research Example
  • Virus types
      • Win32
      • Worms
      • Scripts
  • Example – Bee
      • Undocumented virus
      • Run CVI / PRS for results

Example – Continued
  • Enter initial data into CVI / PRS

Example – Continued
  • Run CVI / PRS

Interpretation of Results
  • Win32
      • Affected networking files (IPConfig, Traceroute, etc.)
      • Deleted executables
  • Worms
      • Typically deleted executables
      • Damaged system files/registries
      • Corrupted system beyond repair after several reboots
  • Scripts
      • Replicated themselves efficiently
      • Search through file systems to attach themselves to other scripting files
  • Our program effectively identified changes to the OS
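The directory monitoring that CVI / PRS performs (DirWatcher.java) and the kinds of changes listed under Interpretation of Results, as an added example rather than the project's own code: a snapshot-and-diff watcher in Java that records a SHA-256 digest of every regular file under a directory before the sample runs and again afterwards, then reports added, deleted and modified files. The class name DirSnapshotWatcher, the sample tree and the simulated changes in main are all constructed for this illustration and are not taken from the project.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.stream.Stream;

/** Snapshot-and-diff directory watcher (hypothetical class, written for this example). */
public class DirSnapshotWatcher {

    /** Walk the tree and record a SHA-256 hex digest for every regular file, keyed by relative path. */
    public static Map<String, String> snapshot(Path root) throws IOException {
        Map<String, String> state = new TreeMap<>();
        try (Stream<Path> walk = Files.walk(root)) {
            for (Path p : (Iterable<Path>) walk::iterator) {
                if (Files.isRegularFile(p)) {
                    state.put(root.relativize(p).toString(), sha256Hex(Files.readAllBytes(p)));
                }
            }
        }
        return state;
    }

    /** Content hash, so a file rewritten with the same size and timestamp is still reported. */
    static String sha256Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Compare two snapshots and return one line per change: DELETED, MODIFIED or ADDED. */
    public static List<String> diff(Map<String, String> before, Map<String, String> after) {
        List<String> changes = new ArrayList<>();
        for (Map.Entry<String, String> e : before.entrySet()) {
            String digestAfter = after.get(e.getKey());
            if (digestAfter == null) {
                changes.add("DELETED  " + e.getKey());
            } else if (!digestAfter.equals(e.getValue())) {
                changes.add("MODIFIED " + e.getKey());
            }
        }
        for (String path : after.keySet()) {
            if (!before.containsKey(path)) {
                changes.add("ADDED    " + path);
            }
        }
        return changes;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree standing in for the guest OS file system.
        Path root = Files.createTempDirectory("cvi-sample");
        Files.createDirectories(root.resolve("system"));
        Files.write(root.resolve("system/ipconfig.exe"), "original".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("system/tracert.exe"), "original".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("notes.txt"), "hello".getBytes(StandardCharsets.UTF_8));

        Map<String, String> baseline = snapshot(root);

        // Simulated changes of the kind the slides report: a networking tool
        // overwritten, an executable deleted, and a new script file dropped.
        Files.write(root.resolve("system/ipconfig.exe"), "tampered".getBytes(StandardCharsets.UTF_8));
        Files.delete(root.resolve("system/tracert.exe"));
        Files.write(root.resolve("dropped.vbs"), "x".getBytes(StandardCharsets.UTF_8));

        for (String change : diff(baseline, snapshot(root))) {
            System.out.println(change);
        }
    }
}
```

Hashing file contents rather than comparing sizes or timestamps is what makes the watcher catch an executable that was overwritten in place; the baseline snapshot should be taken on a freshly restored guest image, with networking disabled as the slides describe, so that every reported change can be attributed to the sample under study.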

Future Improvements
  • Differentiate between regular and irregular activity
  • Various launching capabilities
  • Better database scheme
      • XML
  • Interpret results
      • Severity report, future capability prediction
      • Include database for cross-virus predictions and observations
  • Run the program from the host operating system, monitoring the guest operating system
      • Difficult restart
  • Monitor network ports and registry files

Footnotes
  • Thank you to individuals previously involved in the project
      • Ben Abernathy
      • Zach Thomas
      • Michael May
  • Initial source code
  • Viruses