Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
10 Paper 31121154 IJCSIS Camera Ready Paper Pp. 58-61

10 Paper 31121154 IJCSIS Camera Ready Paper Pp. 58-61

Ratings: (0)|Views: 28 |Likes:
Published by ijcsis

More info:

Published by: ijcsis on Feb 19, 2012
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2012
Developing an Auto-Detecting USBFlash Drives Protector using Windows MessageTracking Technique
Rawaa Putros Polos QashaDepartment of Computers SciencesCollege of Computer Sciences and MathematicsUniversity of MosulMosul, Iraqrawa_qasha@yahoo.com Zaid Abdulelah MundherDepartment of Computers SciencesCollege of Computer Sciences and MathematicsUniversity of MosulMosul, Iraqzaidabdulelah@gmail.com 
– this paper presents Windows Message DeviceChange Tracking (WMDCT) program to protectWindows systems from Universal Serial Bus (USB)viruses which use the AutoRun property to execute.The WMDCT program introduces a new methodto develop the traditional ways of protecting techniques,which are used by other anti-viruses programs. The maintwo parts of WMDCT program are monitoring andtracking Windows Message Device Change, which is amessage that is sent by the system, in the background,and removing or repairing the infected files in the USBflash drive. WMDCT has been tested in the University of Mosul/ Computer Science Dept. labs and the results havebeen mentioned in this paper.
 Keywords-USB; AutoRun; system protection;Windows Messages
INTRODUCTIONUniversal Serial Bus (USB) storage devices are oneof the most common means of viruses to attack computers. Nowadays, there are many viruses exploitthe lack of security mechanism for Windows Autoplayfeatures to attack Windows systems. According toMcAfee Avert Labs [1], the top rank of Malware isAutoRun Malware. In addition, according to Ghosh[2], half of the top 10 viruses of 2009 exploited theWindows AutoRun feature. The WMDCT introduces anew, fast, and efficient approach to protect Windowssystems from viruses’ infection which are used USBflash drive with AutoRun property to separate. TheWMDCT approach depends on tracking theWM_DEVICECHANGE message, which is sent by theWindows system to all applications when a USBdevice connects to the system. When WMDCTprogram receive this message, it checks if the flashdrive contain an AutoRun.inf file to be removed, w
hichmakes the viruses files completely paralyzed.WMDCT program also restores the default propertiesof the other files that have been infected by the virus.This method has been provided the following features:
Removing the AutoRun.inf file automatically ina non interactive way makes the WMDCTprogram very useful with computers which areused by different users such as in computers labsat universities.
Removing a specific file (AutoRun.inf) makesthe update process not necessary.
Removing only the AutoRun.inf file, which isput on the root of the flash drive, makes theWMDCT program very fast.II.
WORKSSome related work such as Wolle, J., suggestedstopping AutoRun property from the Control Panel[3]. Clearly, this is not a real solution because if theuser pressed double-click to open the USB flash drive,the system will be infected since the AutoRun.inf filestill on the USB flash drive. To the best of theresearcher's knowledge, this solution to protectcomputers from AutoRun malware attacks has neverbeen used or posed before. According to Aycock, J.,the first task of anti-virus programs is detecting if other programs are a virus or not [4]. There are manyalgorithms which are used for this purpose such asAho-Corasick, Veldman, and Wu-Manber. Thesealgorithms depend on set of signatures to detectviruses. Traditionally, anti-virus programs usesignatures to identify viruses. The two majordisadvantage of this method are that it needs newsignatures to detect new viruses, and it is slow downthe system since it uses complex algorithms. All therelated works try to enhance those methods to reduceamount scans and resource requirements. The Pham,D., Halgamuge, M., Syed, A., Mendis, P. introduced anew method also using AutoRun file to protect onlyUSB flash drives not the computers [5]. The aim of this work is to introduce a simple but efficient methodto protect Windows systems from AutoRunviruses/malwares.
58http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2012
According to Szor, P., AutoPlay is the featurebuilt into Windows that automatically runs aprogram specified by the file AutoRun.inf whenever a CD-ROM, DVD or USB drive isplugged into a Windows-based computer [6].Moreover, Tahir, R., Hamid, Z., Tahir, H.,noted that “Flash drive infections usuallyinvolve malware that loads an AutoRun.inf file into the root folder of all drives (internal,external, and removable) which automaticallyruns a malicious .exe file on the computer [7].When an infected USB flash drive is inserted,the Trojan infects the system.” The Autorunsection supports an open command that canbe used to run executable files. This is thecommand that malicious codes exploit to beinvoked automatically. A simple Autorun.inf file is:
According to Microsoft Developer Network [7]and Axelson, J. [8], Windows sends all top-levelwindows a set of default WM_DEVICECHANGE messages whennew devices or media (such as a CD or FlashDrive) are added and become available. When theuser inserts a new CD, DVD, or Flash drive,applications receivea WM_DEVICECHANGE message witha DBT_DEVICEARRIVAL event.DBT_DEVICEARRIVAL is sent after a device orpiece of media has been inserted. Applicationsreceive this message when the device is ready foruse as kind of notification. Each notificationcontains a device path name that the applicationcan use to identify the device that the notificationapplies to.IV.
METHODOLOGYThe main advantage of this work is that theremoved operation will be applied in the backgroundwithout user interaction. When a USB flash driveconnects to the computer, WMDCT will discover itautomatically and remove the malicious files from it.As mention previously, when a USB device connectsto a computer, the Windows system sends theWM_DEVICECHANGE message to applications.WMDCT starts with listening to this message. As soonas WMDCT receives WM_DEVICECHANGEmessage, the scan operation on the connected device isperformed. If WMDCT detect any AutoRun.inf file inthe connected USB flash drive, WMDCT will changethe permission of it to normal and removed it. Also,depending on settings that the user are selected fromthe WMDCT interface, all the EXE files or the EXEfiles with hidden attribute will be removed. Anotherfeature which WMDCT introduced is that using multi-threading technique to improve the performance of theWMDCT. Sometimes more than one USB flash driveconnects to the computer at the same time whichcauses an overlap. This problem has been solved byusing multi-threading technique by create a separatedthread for each new USB flash drive which connectsto the computer. The following flowchartdemonstrates the algorithm which is implemented byWMDCT program to protect Windows systems fromviruses that execute using AutoRun property.Figure 1: WMDCT algorithmV.
DISCUSSIONC# language with .NET 4.0 platform was used todevelop WMDCT program. WMDCT program wastested in the University of Mosul/ Computer Science
59http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 1, January 2012
Dept. Labs and many other personal computers. Theresults have shown the efficiency of WMDCT. Themost important features which are provided byWMDCT are speed and independence. WMCDT wastested on computers which are used by many differentusers (students), and each student has different USBflash drive. WMDCT was very efficient andthe percentage of success to delete AutoRun.inf fileswas 100%. Figure (1) shows WMDCT interface whichgives the administrator/user the ability to set up theprogram options.Figure2: WMDCT main interfaceTable (1) explains these options
Table (1): WMDCT options
 Option Function
Removeautorun.inf fileRemove the AutoRun.inf fileautomatically.Remove all EXEfiles in root onRemovable disk Removes all execution filesin the root directory of thedetected USB flash drive.
Remove only XEfile with hiddenattributeRemoves only hiddenexecution files in the rootdirectory of the detectedUSB flash drive.
Show hidden filesand directories onRemovable disk Show all the hidden files anddirectories which are mostlyexpected to be infected byviruses.
Run programwith startupRun WMDCT automaticallywhen Windows startup.VI.
COMPARISONThe system was evaluated by monitoring the timeand the CPU usage. Figure (3) and Figure (4) show theresults of this evaluation:Figure 3: Time measurementFigure 4: CPU usage measurementIn addition, Table (2) shows a comparison betweentraditional anti-virus programs and WMDCT program.Table 2: the comparison between anti-virusprograms and WMDCT program
Other anti-virusprogramsWMDCTSystemPerformance
Adversely affectin differentproportionsNo significanteffect
Scanning need along timeVery fast
Require an up-to-date databaseof virussignaturesNo update isrequired
Only Knownviruses aredetectedKnown andunknownviruses are
60http://sites.google.com/site/ijcsis/ISSN 1947-5500

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->