Self Destructing Scripts

I came across an interesting piece of malware today that completely confused me, The behavior of the script was similar to your standard malware, it dropped executables all over the hard drive in an effort to make itself persistent, but the dropper itself had a cleanup function that deleted itself and overwrote itself so it couldn’t be forensically recovered.

I re-ran it in a virtual environment while watching its actions and it was definitely a hard coded behavior, and worked on both Windows and Linux! Even a dynamic analysis of the malware deleted itself during analysis so I knew that the call had to be the very last thing the file did. Unfortunately, the attacker that wrote the code did too well with that particular section so I wasn’t able to figure out how it was implemented, but I came up with some theories using Python.

On Windows:

The Python code for deleting a file or directory are given in this StackOverflow answer.

import os

# collect full path of script
filePath = os.path.abspath(__file__)

# Do things

# End of script, file is deleted/overwritten
os.remove(filePath)
folderPath = os.path.dirname(filePath)
os.system('cipher /W:%s' & folderPath)

Basically you get the file path using __file__ and you can delete it using a number of techniques. os.remove() will remove the file. os.rmdir() will remove an empty directory. shutil.rmtree() will delete a directory and its contents.

The windows command cipher will overwrite the deleted data in a volume/directory. The only potential downside here is that the cipher command tends to take a long time to overwrite the data for large directories.

On Linux:

This whole process is trivial on Linux, even if the script only has user access.

#!/usr/bin/env python

import subprocess as sp
from os import path

# This gives us the absolute(full) path to this python script
self_path = path.abspath(__file__)

# Do stuff -- I just created a folder
sp.call(["mkdir", "/home/User/Desktop/thinair"])

# At the end of the script, the file shreds itself
sp.call(["/usr/bin/shred", "-fuz" , self_path])

Again, you get the file path using __file__ and you can delete it using shred. The options for shred are -fuz where -f forces a permission change, -u removes the file after writing, and -z backfills the empty memory space with zeroes.

 

 

While I’m sure the script I came across today used far more advanced methods to hide its tracks, the options I showed above seem like easy ways to cover your tracks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s