About Sarah
Self deleting malware
Mon, 03 Mar 2014 09:56PM
Category: Digital Forensics & Malware
Have you ever wondered how some malware variants are able to delete themselves? A malicious executable is launched on a machine, and once launched in memory, the executable vanishes. This makes malware analysis very hard if no memory dump was taken, as there is seemingly nothing there. We can however use other artefacts to confirm the running of a non-existent file, such as by looking at the Prefetch files, User Assist files and certain registry entries.
The simplest way to delete oneself is to use the self-deleting batch file method. A little known fact about batch files is that they can delete themselves, using the following code: del /F "<own file path>". Therefore, if you created and executed a batch file during your execution of the malware, once the malware has finished executing, you can get the batch file to delete the malware, and then itself, with the following:
@echo off :d del "<path to executable>" if exist "<path to executable>" goto d del /F "<path to this batch file>"
I created an executable using Python and Py2Exe to demonstrate this behaviour. The code below writes out the batch file commands to a file, and then launches it as another process, and then exits the main executable. It was a little tricky working out how to get Python to create an entirely new process to run the batch file in that was not a child; if it was connected with the parent process then the batch file would exit when the executable exited and therefore never delete the files. I didn’t manage to get Py2Exe to create just one file, so the batch file here also cleans up the other files generated to get the executable to run.
import subprocess, sys file_contents = '''@echo off :d del "malware.exe" del "library.zip" del "python27.dll" if exist "malware.exe" goto d del /F "batch.bat"''' with open('batch.bat', 'w') as output: output.write(file_contents) DETACHED_PROCESS = 0x00000008 p = subprocess.Popen("batch.bat", creationflags=DETACHED_PROCESS | subprocess.CREATE_NEW_PROCESS_GROUP, close_fds=True) sys.exit()
Download zip file of the self-deleting “malware”
Further reading:
Comments
Previous blog entries
Blog categories
- Forensics & science (7)
- Homemade arts & crafts (11)
- Rabbits (8)
- Programming (6)
- Miscellaneous (25)
- Recipes (5)
- Reviews (14)
- Digital Forensics & Malware (42)
- Trips & Visits (16)
- Cyber Security & Threat Management (12)
- IT & Computers (7)
- HCI & Design (6)
Blog tags
holiday MP3 sharing quantitative nudge theory microsoft edge PostgreSQL O2 Istanbul handmade kill chain Myxomatosis Barcelona cake timezones Michelin restaurant thumbs.db doppelgangers Sainsbury's tea Itiel Dror cables forensics Opera Facebook chat Barafu play metaphors ISACA rabbit nutrition free courses search QR codes AES walks evaluation insider fraud GDPR tags Safari laptop Mweke Tineye exhibition Belgium internet history England fabric masters Irari rules foodies Lockheed Martin cybercrime sausages Sqlite presents symposium Firebug gig Kilimanjaro answers
