INTERNATIONAL JOURNAL OF RESEARCH IN TECHNOLOGY (IJRT) ISSN No. 2394-9007
Vol. V, No. II, April 2018 www.ijrtonline.org

RECONRUS Reconnaissance Virus


Uday Naik SN, Subarna Panda

Abstract— This paper presents RECONRUS, a reconnaissance virus which can be embedded in any document file or other file type. Once the victim opens the file, the virus is activated and starts collecting vital information about the system into a text file. The same text file is sent back to the attacker when the victim's system is connected to the internet, thereby giving the attacker all the valuable information which can help in future attacks.

I. INTRODUCTION
Security has been a concern since the early days of the internet and has been the talk of the town for the past couple of years. This project was taken up as an opportunity to showcase knowledge of viruses. Reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities. A virus is a piece of code which is capable of copying itself and typically has a detrimental effect, such as corrupting the system or destroying data. It has always been a point of fascination how a virus is developed, how it attacks a computer system and how it starts replicating itself with one click of a button.
The aim is to develop a reconnaissance virus, deploy it in a virtualized environment and do statistical analysis on it, which in turn will help to develop an antivirus for possible intrusion detections. A future prospect of this project is the introduction of a rootkit so that it acts as an APT.

II. SIGNIFICANCE
A. Role of Reconrus:
Research in the field of information security is growing nowadays. Proper research on a virus gives us an in-depth view of how a virus works. A reconnaissance virus in an advanced stage can be used as an Advanced Persistent Threat (APT). Even though APTs exist in the internet world, they are always difficult to detect and analyze as they are mostly used by defense. Hence this project will be useful to understand APTs in a better way.
B. Background:
There have been many tools in the market which can extract sensitive information about a victim's computer system, but there has never been a piece of code which carries out a set of instructions that gets all the information needed to attack and compromise the system. Hence this project develops code in Python which can collect very important and sensitive data.

III. DESCRIPTION
This project aims to collect some important information from a system which gets infected, such as open ports, public IP, running processes, a snapshot of the current screen, a webcam capture, system architecture and version, and the operating system which runs on it.
It not only collects the data but also compresses it, sends it to the attacker's email id and clears the tracks by deleting the compressed files and other collected data.
As the virus is activated by the victim and is mostly running with administrative privileges, it is able to collect critical data which a normal user cannot.
A. Port Scanning:
Port scanning is the method of probing the host or system in order to find the available open ports. This in turn helps the attacker to script code against an open port to exploit a vulnerability.
B. Public Internet Protocol Address:
The public internet protocol address plays an important role in an attack when the victim is outside the attacker's network. A public IP is an address given by the Internet Service Provider (ISP) to connect with external networks.
C. System OS and Architecture:
Operating system information is critical information which enables the attacker to forge the code and use the vulnerabilities which the operating system has. Each architecture is different (x86 or x64), and hence information on it is as important as the OS information.
D. Webcam Capture:
A webcam is a common gadget which nowadays comes built into any laptop, whereas on a desktop it is an accessory. With the help of a specific module and coding, an image is captured of the person who owns the system or who is using it at that very moment.

Manuscript received on April, 2018.
Uday Naik SN, Research Scholar, Information Security Management System, Department of Computer Science & Engineering, Jain University, Bangalore, Karnataka, India.
Prof. Subarna Panda, Asst. Professor, Department of Computer Science & Engineering, Jain University, Bangalore, Karnataka, India.

Impact Factor: 4.012 26


Published under
Asian Research & Training Publication
ISO 9001:2015 Certified
E. Capturing Running Processes:
This is one of the major functions of this virus. Once access to the system is gained over a reverse TCP connection, it is necessary to migrate to a running process to maintain that access so that the connection remains. Hence it is really critical to know which processes are currently running on the victim's system. It also gives a glimpse of any software that is running. With this it is possible to find any vulnerability in that software, which can be used wisely for further attacks.
IV. WORKING
Once the virus is coded, it is converted into an executable file using msfvenom and embedded in a Word file. This Word file is either sent by mail or shared with the victim using a removable device.
Once the victim opens the file, the virus program runs in the background. First it collects the system platform details and architecture, which are written to a text file.
The next step is a port scan, which runs with multiple threads to make the scanning much faster. Once the list is generated, it is saved as a text file.
The virus then captures a screenshot and a webcam shot using a very innovative and specific Python module, and saves them in the temp folder.
Once it has captured all of the above, a process runs to compress all the collected files and remove the individual files from the temp folder.
As the last step, the virus emails the compressed file and deletes it from the temp folder, thereby clearing all the tracks.
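A defender's view of the sequence in this section, as an added example that is not code from the paper: it correlates per-process endpoint events into the stage, compress, send, delete chain. The event format, paths, PIDs and addresses are constructed, and it assumes the mail leaves over a standard SMTP port.

```python
# Added example (not from the paper): spot the stage -> compress -> send ->
# delete chain from section IV in per-process endpoint events.
SMTP_PORTS = {25, 465, 587}        # assumption: the mail leaves over SMTP
ARCHIVE_EXT = (".zip", ".7z", ".gz")
TEMP_MARKER = "\\temp\\"           # assumption: a Windows temp directory

# Constructed sample telemetry: "<time> pid=<n> <action> <target>"
SAMPLE_EVENTS = r"""
10:00:01 pid=4120 file_create C:\Users\u\AppData\Local\Temp\platform.txt
10:00:09 pid=4120 file_create C:\Users\u\AppData\Local\Temp\ports.txt
10:00:10 pid=2210 net_connect 203.0.113.7:587
10:00:12 pid=4120 file_create C:\Users\u\AppData\Local\Temp\screen.png
10:00:15 pid=4120 file_create C:\Users\u\AppData\Local\Temp\bundle.zip
10:00:16 pid=4120 file_delete C:\Users\u\AppData\Local\Temp\ports.txt
10:00:20 pid=3300 file_create C:\Users\u\AppData\Local\Temp\backup.zip
10:00:21 pid=4120 net_connect 203.0.113.25:587
10:00:30 pid=4120 file_delete C:\Users\u\AppData\Local\Temp\bundle.zip
""".strip().splitlines()


def find_stage_and_send(lines, min_staged=2):
    """Return PIDs that stage files in temp, archive them there, connect to
    a mail port and then delete the archive, in that order."""
    state = {}  # pid token -> progress through the chain
    hits = []
    for line in lines:
        _, pid, action, target = line.split(None, 3)
        s = state.setdefault(pid, {"staged": 0, "archive": None, "sent": False})
        low = target.lower()
        if action == "file_create" and TEMP_MARKER in low:
            if low.endswith(ARCHIVE_EXT):
                # An archive only counts once enough files were staged first.
                if s["staged"] >= min_staged:
                    s["archive"] = low
            else:
                s["staged"] += 1
        elif action == "net_connect" and s["archive"]:
            port = int(target.rsplit(":", 1)[1])
            s["sent"] = s["sent"] or port in SMTP_PORTS
        elif action == "file_delete" and s["sent"] and low == s["archive"]:
            hits.append(int(pid.split("=")[1]))  # full chain observed
    return hits


if __name__ == "__main__":
    print(find_stage_and_send(SAMPLE_EVENTS))
```

The mail client (pid 2210) and the backup tool (pid 3300) in the sample each match one stage only and are not reported.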
V. ANALYSIS
Viruses are mostly used as an attack method where the host is compromised and valuable data is stolen, destroyed or manipulated for monetary gain or for pure fun. This project, even though it is named a reconnaissance virus, only collects information without the knowledge of the user and does not destroy any data. Rather than stealing the victim's data, it concentrates on the host details.
As per the analysis, this piece of code can be utilised in the field of cyber forensics, where different software is installed and data is collected.
VI. FLOW DIAGRAM
Flowchart explanation:
Fig. 1 is the flow diagram of the intended virus. It shows the steps involved from start to end, as explained in the Working section.

Fig. 1: Flow Diagram

VII. LIMITATIONS
Even though this project is successful in completing its duties, there are some limitations or scenarios where it can fail. A few are listed below.
1) If the user doesn't double click on the infected file.
2) If the user opens it in restricted mode in Microsoft Word.
3) If the user is not connected to the internet.
4) If the user's computer uses Linux or Mac.
5) If the user is working in Least Privileged Mode.
6) Camera capture is limited to laptops or desktops with a web camera only.
7) Supports Windows operating system XP and above only.
VIII. CONCLUSION
In the right kind of computer environment with proper connection facilities, this virus is quite effective in collecting sensitive information, and when used in computer forensics it is a boon as it automates many steps. Also, in advanced mode it can act like an advanced persistent threat.
